QR Code Phishing Scams: How to Stay Safe in 2026
QR codes have quietly become one of the most trusted shortcuts in our daily lives. We scan them on restaurant menus, parking meters, product packaging, event tickets, and payment terminals without a second thought. That trust is exactly what cybercriminals are now exploiting through a fast-growing attack known as QR code phishing, or "quishing."
According to multiple cybersecurity reports, QR-based phishing attacks rose by more than 400% between 2023 and 2025, and the trend has only accelerated. This guide explains how QR code phishing scams work, the most common variants, real-world examples, and practical steps you can take to stay safe.
What Are QR Code Phishing Scams?
QR code phishing scams are social engineering attacks in which criminals embed malicious URLs inside QR codes to trick victims into visiting fake websites, downloading malware, or handing over sensitive information. Because a QR code is just a machine-readable image, the destination is invisible to the human eye until the code is scanned.
The term "quishing" is a blend of "QR" and "phishing." Unlike traditional email phishing, quishing bypasses many enterprise email filters because the malicious link is hidden inside an image rather than written as plain text. When a user scans the code with their phone, the attack also shifts from a monitored corporate device to a personal one, which is typically less protected.
Why QR Code Attacks Work So Well
- Trust by default: Most people assume QR codes are legitimate, especially in physical environments like restaurants or parking lots.
- No visible URL: You cannot hover over a QR code to preview the link the way you can with a hyperlink in an email.
- Mobile-first delivery: Phones often lack the security tools desktop computers have, and small screens make spoofed login pages harder to spot.
- Easy to deploy: Anyone can generate a QR code in seconds and print it on a sticker.
How QR Code Phishing Attacks Work
Most quishing attacks follow a predictable five-step pattern. Understanding the workflow makes it much easier to spot one before you become a victim.
1. The attacker creates a malicious landing page that mimics a trusted brand, such as a bank login, Microsoft 365 sign-in, parking payment portal, or package delivery notice.
2. The malicious URL is encoded into a QR code, often shortened first to make tracing harder.
3. The QR code is distributed via email attachments (PDF, PNG), printed flyers, fake parking tickets, stickers placed over legitimate codes, or even direct mail.
4. The victim scans the code with their phone camera, which opens the spoofed website in a mobile browser.
5. The victim enters credentials or payment data, or downloads a malicious app, handing the attacker exactly what they want.
Common Types of QR Code Phishing Scams
1. Parking Meter and EV Charger Scams
Criminals print stickers with malicious QR codes and place them directly over legitimate codes on parking meters, electric vehicle chargers, and pay-and-display machines. Drivers scan, enter their card details on a fake payment page, and lose money along with their card data. This scam has been reported widely across the US, UK, and Europe.
2. Email-Based Quishing
An email arrives claiming your password is about to expire, a document is waiting in a shared drive, or your multi-factor authentication needs to be re-enrolled. Instead of a link, the email contains a QR code asking you to scan it with your phone. This bypasses most corporate email security tools that scan text-based URLs.
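A mail gateway can still triage these messages before any image is decoded. The sketch below is an added example, not code from this article or from any product: it flags mail that carries an image or PDF, contains no text URL, and uses the lure wording described above. The phrase list, the field names, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+", re.I)
# Lure phrases drawn from the scenarios above; an illustrative list, not exhaustive.
LURE_RE = re.compile(r"\b(scan|qr code|expir\w*|re-?enroll\w*|shared drive)\b", re.I)
CARRIERS = {"image/png", "image/jpeg", "application/pdf"}

def triage_for_quishing(raw: bytes) -> dict:
    """Decide whether a message should be routed to QR decoding of its images."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, carriers = str(msg.get("Subject", "")), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in CARRIERS:
            # Attachments and inline images can both carry a QR code.
            carriers.append(part.get_filename() or ctype)
        elif ctype in ("text/plain", "text/html"):
            text += "\n" + part.get_content()
    lure = bool(LURE_RE.search(text))
    no_text_url = URL_RE.search(text) is None
    return {"carriers": carriers, "lure": lure, "no_text_url": no_text_url,
            "decode_images": bool(carriers) and lure and no_text_url}

def build_message(subject, body, attachment_name=None) -> bytes:
    """Constructed sample mail; the attachment bytes are a placeholder, not a real image."""
    m = EmailMessage()
    m["From"] = "it-support@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="image", subtype="png",
                         filename=attachment_name)
    return m.as_bytes()
```

Messages with `decode_images` set are the ones worth the cost of image decoding and URL analysis; the heuristic only prioritizes, it does not decide that a message is malicious.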
3. Fake Restaurant Menus
Scammers place fake QR codes on tables in busy restaurants. Instead of leading to a menu, the code opens a phishing site asking for "Wi-Fi login" or a small payment to view the menu.
4. Crypto Wallet and Payment Hijacks
Fraudsters share QR codes on social media or messaging apps that supposedly lead to crypto giveaways, payment confirmations, or wallet recoveries. The codes actually trigger transactions from the victim's wallet to the attacker's address.
5. Fake Delivery Notices
A card is left on your door claiming a package could not be delivered. Scanning the QR code takes you to a fake courier site asking for a small "redelivery fee" along with your full address and card details.
6. Counterfeit Government Notices
Letters posing as tax authorities, motor vehicle departments, or utility companies contain QR codes that lead to convincing spoofed government portals designed to steal personal data and payment information.
Real-World Examples of Quishing Attacks
Quishing is not theoretical. Here are documented categories of attacks reported by security researchers and law enforcement in recent years:
| Attack Type | Target | Method | Outcome |
|---|---|---|---|
| Microsoft 365 Quishing | Corporate employees | PDF attachments with embedded QR codes | Account takeover, data exfiltration |
| Parking Meter Scam | Drivers in major cities | Stickers over real QR codes | Stolen card details, unauthorized charges |
| Bank Customer Quishing | Retail banking customers | Letters mimicking bank security alerts | Drained accounts, identity theft |
| Crypto Wallet Drain | Cryptocurrency holders | Social media QR "airdrops" | Wallets emptied in seconds |
| Charity Donation Fraud | Generous public | Fake codes on posters after disasters | Donations diverted to criminals |
Warning Signs of a Malicious QR Code
You cannot read a QR code with your eyes, but there are still plenty of contextual clues that should make you stop and think before scanning.
- The code is on a sticker placed over something else, especially in public.
- The surrounding message creates urgency, such as "your account will be locked in 24 hours."
- The code arrives unexpectedly in an email, especially from a sender you do not recognize.
- The landing page asks for credentials, payment information, or multi-factor codes immediately.
- The URL preview looks odd, with misspellings, unusual domains, or excessive subdomains.
- The page asks you to download an app from outside the official App Store or Google Play.
- The QR code is in a low-quality printed letter claiming to be from a government agency or bank.
10 Practical Tips to Stay Safe From QR Code Phishing
1. Always Preview the URL Before Opening It
Modern iPhone and Android cameras show a preview of the destination URL when you scan a QR code. Read it carefully before tapping. If the URL looks suspicious, misspelled, or unrelated to what you expected, do not open it.
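The same preview check can be automated wherever a QR payload has already been decoded, for example in a help-desk tool or a mail pipeline. The following is an added example, not code from this article: it tags the warning signs listed earlier (misspellings, unusual domains, excessive subdomains, shortened links). The shortener set, the thresholds, and the assumption that `expected_domain` is the brand's registrable domain are illustrative choices.

```python
import difflib
import ipaddress
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small illustrative set

def assess_qr_url(payload, expected_domain, max_labels=4):
    """Return warning tags for a URL decoded from a QR code (empty list = no flags)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if "@" in parts.netloc:  # text before '@' is not the real host
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        return warnings + ["ip-literal-host"]
    except ValueError:
        pass
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        warnings.append("punycode-label")
    if len(labels) > max_labels:
        warnings.append("excessive-subdomains")
    if host in SHORTENERS:
        warnings.append("shortened-link")
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return warnings
    warnings.append("domain-mismatch")
    if expected.split(".")[0] in host:  # brand name used inside another domain
        warnings.append("brand-in-foreign-host")
    tail = ".".join(labels[-2:])  # naive registrable-domain guess (assumption)
    if difflib.SequenceMatcher(None, tail, expected).ratio() >= 0.8:
        warnings.append("lookalike-spelling")
    return warnings
```

An empty result means none of these heuristics fired, not that the destination is safe; a freshly registered domain that matches no rule still passes.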
2. Be Skeptical of QR Codes in Emails
Legitimate companies almost never ask you to scan a QR code from an email to log in or reset a password. If your IT department or bank suddenly emails you a code, verify by calling them directly through a known number.
3. Inspect Physical QR Codes for Tampering
Before scanning a code at a parking meter, restaurant, or charger, look for signs of a sticker placed on top of the original. Peel back the corner gently if it looks suspicious, or pay another way.
4. Use a Trusted URL Shortener and Scanner
When you create QR codes for your own business, use a reputable platform that lets you track, expire, and replace links. Services like Lunyb let you generate trackable short links and QR codes with analytics, so if a campaign is abused you can disable the destination instantly. For a wider comparison of trusted tools, see our Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide.
5. Never Enter Credentials From a Page You Reached via QR Code
Treat any login screen reached from a QR scan as untrusted. If you need to log into your bank, email, or work account, open the official app or type the URL manually into your browser instead.
6. Enable Multi-Factor Authentication Everywhere
Even if attackers capture your password, hardware keys or authenticator-app codes can stop them from logging in. Avoid SMS-based 2FA where possible, as it can be intercepted via SIM swap.
7. Keep Your Phone and Browser Updated
Operating system and browser updates patch the vulnerabilities that malicious sites attempt to exploit. Enable automatic updates on both iOS and Android.
8. Use Encrypted DNS and a Secure Browser
Enable encrypted DNS (DNS over HTTPS) in your browser or device settings. Secure browsers like Brave, Firefox, or Safari with strict tracking protection block many known phishing domains automatically.
9. Educate Family Members and Coworkers
Older relatives and non-technical coworkers are prime targets. A quick conversation about how QR codes can be faked goes a long way. For businesses, run quarterly phishing simulations that include QR-based variants.
10. Report Suspicious QR Codes
If you spot a malicious sticker on public infrastructure, report it to the relevant authority or business. If you receive a phishing email, forward it to your IT team and to anti-phishing organizations like reportphishing@apwg.org.
What Businesses Should Do to Protect Customers
Organizations that legitimately use QR codes have a responsibility to make their codes harder to fake and easier to verify.
- Use branded short links for the destination URL so customers know what to expect (for example, pay.yourbrand.com).
- Print codes directly onto surfaces rather than stickers wherever possible, making physical tampering more obvious.
- Display the destination URL in human-readable form next to the QR code.
- Monitor scan analytics for unusual spikes, geographies, or referrer patterns that could indicate abuse.
- Train staff to spot tampered codes during opening and closing checks.
- Provide an alternative payment or login path for customers who are uncomfortable scanning.
If you are evaluating link-management platforms with QR features, our Rebrandly Review 2026 and our honest review of Lunyb are good starting points.
What to Do If You Scanned a Malicious QR Code
If you suspect you have been targeted, act quickly. The first hour matters most.
- Disconnect from the internet immediately if you downloaded anything or installed an app.
- Change passwords for any account you entered credentials into, starting with email and banking.
- Contact your bank to freeze cards if you entered payment details, and request a chargeback for any unauthorized transactions.
- Enable or reset multi-factor authentication on all critical accounts.
- Run a mobile security scan using a reputable mobile antivirus, and remove any unfamiliar apps or profiles.
- Monitor your credit report for new accounts opened in your name, and consider a credit freeze.
- Report the incident to local police, your national cybercrime authority, and the impersonated brand.
The Future of QR Code Phishing
Quishing is going to get worse before it gets better. AI tools now let attackers generate flawless landing pages in minutes, and printable QR stickers cost almost nothing to deploy at scale. Expect more hybrid attacks that combine QR codes with deepfake voice calls, SMS follow-ups, and fake customer service chatbots.
On the defense side, browsers and mobile operating systems are slowly improving URL previews, phishing databases are expanding, and enterprise email gateways are starting to scan images for embedded codes. But the most reliable defense will remain user awareness combined with strong account hygiene.
Frequently Asked Questions
Can a QR code itself contain a virus?
No, a QR code is just an image that encodes text, usually a URL. It cannot contain executable malware by itself. The danger comes from what happens after you scan it: visiting a malicious website, downloading a harmful app, or entering credentials into a fake form.
Is it safe to scan QR codes in restaurants?
Generally yes, but always preview the URL before tapping. Check that the domain matches the restaurant or a known menu provider, and look for stickers placed over original codes. If anything looks off, ask staff for a printed menu instead.
How can I tell if a QR code is fake?
You cannot tell by looking at the code itself, but you can spot fakes by context. Look for stickers covering other codes, unexpected emails containing QR codes, urgent language, requests for credentials, and URL previews that do not match the brand. When in doubt, do not scan.
Do iPhones and Androids protect against malicious QR codes?
Both platforms show a URL preview before opening a scanned link and block some known malicious domains through Safe Browsing lists. However, freshly registered phishing domains often slip through. Treat the preview as a hint, not a guarantee.
Should businesses stop using QR codes because of quishing?
No, QR codes remain extremely useful. Instead, businesses should use branded short links, display the destination URL next to the code, monitor analytics for abuse, and educate customers. A well-managed QR program is far safer than one built on anonymous, untracked links.
Final Thoughts
QR code phishing is the perfect modern scam: cheap to deploy, invisible until it is too late, and aimed at devices we trust most. The good news is that a handful of habits — previewing URLs, never logging in from a scanned page, enabling multi-factor authentication, and using trusted link platforms — will protect you against the vast majority of attacks.
Stay curious, stay skeptical, and treat every QR code like a stranger handing you a folded note. Most of the time it is harmless. But the one time it is not, the few seconds you spent checking could save you thousands.