
QR Code Phishing Scams: How to Stay Safe in 2026

Lunyb Security Team · 10 min read

QR codes have quietly become one of the most trusted shortcuts in daily life. We scan them on restaurant tables, parking meters, packaging, business cards, TV ads, and even utility bills. That trust is exactly why attackers love them. A new category of fraud — commonly called QR code phishing scams, or quishing — has exploded, tricking people into handing over passwords, payment details, and even full control of their devices.

This guide explains how QR code phishing works, the tactics scammers use in 2026, and the practical steps you can take to stay safe whether you are an everyday user, a business owner, or an IT admin.

What Are QR Code Phishing Scams?

QR code phishing scams are attacks in which criminals use a QR code to redirect victims to a malicious website, download harmful software, or trigger a fraudulent payment. Because QR codes are just machine-readable links, users cannot see the destination until they scan — and by then it is often too late.

The term "quishing" is a blend of QR and phishing. It works on the same psychological principles as email phishing: urgency, authority, curiosity, and trust in familiar brands. The difference is the delivery method. Instead of a suspicious link in an email, the bait is a small black-and-white square printed on a sticker, poster, invoice, or PDF.

Why QR Codes Are So Effective for Attackers

  • No visible URL: Users cannot preview the destination before scanning.
  • Mobile-first exploitation: Phones have smaller screens and fewer security tools, and users tend to be less cautious on them than on desktops.
  • Physical trust: A printed code on a parking meter or restaurant menu feels legitimate.
  • Email filter bypass: QR codes embedded as images slip past many traditional email security scanners that look for suspicious links in text.
  • Cheap to deploy: Attackers can print a sticker for pennies and place it over a legitimate code.

How QR Code Phishing Attacks Actually Work

Most quishing campaigns follow a predictable lifecycle. Understanding the steps helps you recognize an attack in progress.

  1. Bait creation: The attacker generates a QR code linking to a malicious domain, often one that mimics a real brand (e.g., micros0ft-login.com or paypa1-secure.net).
  2. Delivery: The code is distributed via email attachments, PDFs, printed stickers placed over legitimate codes, flyers, or fake letters that look like they come from banks or government agencies.
  3. The scan: The victim scans the code with their phone camera and is redirected to a convincing fake login page, payment form, or app download screen.
  4. Data or money theft: The victim enters credentials, card details, or authorizes a payment. Some attacks silently install malware or steal authentication tokens.
  5. Monetization: Stolen data is sold on dark-web markets, used to drain bank accounts, or leveraged in follow-up attacks against the victim's contacts or employer.

The Most Common QR Code Phishing Scams in 2026

1. Fake Parking Meter and EV Charger Codes

One of the fastest-growing attacks. Criminals paste fraudulent stickers over legitimate QR codes on parking meters or electric-vehicle charging stations. Victims scan, land on a fake payment page, and enter their credit card. The result: a small "parking" charge plus a stolen card sold within hours.

2. Restaurant Menu Quishing

Attackers replace or overlay the QR code on a table tent. Instead of viewing the menu, victims are asked to "log in" with Google or Apple to see prices — handing credentials straight to the attacker.

3. Fake Delivery Notifications

A printed "missed delivery" slip in your mailbox includes a QR code. Scanning it takes you to a fake courier site demanding a small redelivery fee and your personal information.

4. Corporate Email Quishing (MFA Bypass)

Employees receive an email that looks like it is from IT: "Your Microsoft 365 password expires today. Scan the QR code with your phone to re-authenticate." The code leads to a phishing site that captures both the password and the multi-factor authentication token.

5. Fake Charity and Donation Codes

Especially common after natural disasters. Fraudulent posters in public spaces or social media images push victims to fake donation portals.

6. Cryptocurrency Wallet Draining

A QR code promises a free NFT or airdrop. Scanning it opens a wallet app and prompts the user to sign a transaction that transfers all their assets to the attacker.

7. Government and Tax Impersonation

Letters that look like they come from the tax authority include a QR code to "verify your identity" or "claim a refund." The destination is a data-harvesting form.

Warning Signs of a Malicious QR Code

Before and after scanning, watch for these red flags:

  • A sticker QR code that appears to be pasted over another code.
  • QR codes in unsolicited emails, especially those urging urgency ("expires in 24 hours").
  • Codes on posters or flyers with no clear brand ownership or contact details.
  • URLs that use lookalike characters, extra hyphens, or unusual top-level domains (.zip, .top, .xyz).
  • Destination pages that immediately request login credentials, payment info, or app installation.
  • Shortened links you cannot preview — always prefer scanners that show the full URL first.
  • Pages that display security warnings from your browser (invalid certificate, deceptive site).
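As an added example (not Lunyb's code or part of the original article), the Python function below applies these red flags to a decoded QR payload, the URL a previewing scanner shows you before you tap. The brand list, the TLD list and the sample URLs are constructed for illustration; a real scanner would also query a URL reputation service.

```python
"""Heuristic triage of a decoded QR payload (the URL a previewing scanner shows).

Added example, not Lunyb's code. The brand list, TLD list and sample URLs are
constructed for illustration; a real deployment would also query a URL
reputation service before opening the link.
"""
from urllib.parse import urlsplit

PROTECTED_BRANDS = {"microsoft", "paypal", "google", "apple"}  # constructed
SUSPICIOUS_TLDS = {"zip", "top", "xyz"}  # the TLDs the article calls unusual
# Digit-for-letter swaps seen in lookalike domains: micros0ft, paypa1
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def triage_qr_payload(payload: str) -> list[str]:
    """Return every red flag found in a decoded QR payload (empty = none)."""
    flags: list[str] = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # tel:, mailto:, wallet or wifi payloads open other apps, not a page
        return [f"non-web scheme {parts.scheme or 'none'!r}: opens outside the browser"]
    if parts.scheme == "http":
        flags.append("plain HTTP: no certificate protects the page")
    if "@" in parts.netloc:
        # https://accounts.google.com@evil.top -> the real host is evil.top
        flags.append("userinfo before host: the real domain follows the '@'")
    host = (parts.hostname or "").lower()
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode label: possible homoglyph domain")
    labels = host.split(".")
    if labels[-1] in SUSPICIOUS_TLDS:
        flags.append(f"unusual TLD .{labels[-1]}")
    # Undo the digit swaps, then see whether a protected brand appears
    # that was not spelled correctly, or is buried inside a longer label.
    for label in labels[:-1]:
        normalized = label.translate(LOOKALIKES)
        for brand in sorted(PROTECTED_BRANDS):
            if brand in normalized and brand not in label:
                flags.append(f"lookalike of {brand!r} in label {label!r}")
            elif brand in label and label != brand:
                flags.append(f"brand {brand!r} embedded in label {label!r}")
    if host.count("-") >= 2:
        flags.append("multiple hyphens in host")
    return flags
```

An empty list means none of the article's red flags fired, not that the link is safe; the destination page still has to be judged on its own.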

How to Stay Safe: 10 Practical Rules

  1. Preview the URL before opening. Modern iPhone and Android cameras show the full link before you tap. Read it carefully.
  2. Inspect physical codes for tampering. If a sticker looks pasted on top of another, do not scan it. Report it to the venue.
  3. Never log in through a QR code. If a QR code asks for your password, close the page and navigate to the service manually via your browser or app.
  4. Type sensitive URLs manually. For banking, tax, and government sites, always type the address yourself.
  5. Use a secure QR scanner app that checks the destination against known phishing databases before opening it.
  6. Enable phishing protection in your browser. Chrome, Safari, Firefox, and Edge all offer built-in safe-browsing protections — keep them on.
  7. Use hardware security keys or passkeys for critical accounts. They cannot be phished by a fake login page.
  8. Keep your phone's OS updated. Many quishing attacks rely on unpatched mobile browser vulnerabilities.
  9. Verify payments through the official app. Do not pay parking, tolls, or delivery fees through a scanned code — open the provider's app directly.
  10. Trust your instincts. If a QR-driven request feels rushed, emotional, or too good to be true, it almost certainly is.

QR Code Phishing vs. Traditional Phishing

Both aim to steal credentials or money, but the attack surface is different. Here is how they compare:

Attribute                  | Email/SMS Phishing      | QR Code Phishing (Quishing)
Delivery channel           | Email, SMS, chat apps   | Printed materials, images, PDFs, posters
URL visibility             | Visible in the message  | Hidden until scan
Detected by email filters  | Usually yes             | Often no (image-based)
Primary target device      | Any                     | Mobile phones
User suspicion level       | Higher (trained)        | Lower (novel format)
Common goal                | Credentials, malware    | Credentials, payments, MFA tokens

How Businesses Should Defend Against Quishing

Organizations face a unique risk: a single employee scanning a malicious code with a personal phone can compromise the entire corporate network via stolen credentials or session tokens.

Recommended Controls

  • Update security awareness training to include QR-based attacks with realistic examples.
  • Deploy email gateways that scan images and extract QR content for URL reputation checks.
  • Enforce phishing-resistant MFA (passkeys, FIDO2 hardware keys) instead of SMS or push-based codes.
  • Use trusted branded links. When your organization publishes QR codes, use a reputable short-link platform with analytics and link auditing — see our 2026 buyer's guide to URL shorteners for options.
  • Publish a public directory of official QR campaigns so customers can verify codes before scanning.
  • Monitor for brand impersonation across social media and dark-web marketplaces.
  • Segment mobile devices from sensitive systems using conditional access policies.

How Trustworthy Link Shorteners Fit In

Not every short link is a scam — in fact, reputable link shorteners actively fight phishing by scanning destinations, blocking known malicious domains, and providing branded, verifiable short URLs. When you generate QR codes through a trusted platform like Lunyb, the resulting link is tied to a monitored short domain with abuse controls in place. That means your customers see a recognizable brand rather than a suspicious redirect, and the platform can disable a compromised link instantly if abuse is reported.

If you want a deeper look at how Lunyb handles security and moderation, our honest review of Lunyb walks through the platform in detail. For paid alternatives with enterprise link management, our Rebrandly review is also worth reading.

What to Do If You've Already Scanned a Malicious QR Code

If you suspect you've been quished, act fast. The first hours matter most.

  1. Do not enter any information if you are still on the page. Close the tab or browser.
  2. Disconnect from Wi-Fi and mobile data if you downloaded anything or believe malware was installed.
  3. Change passwords for any account you may have exposed — starting with email, banking, and work accounts.
  4. Revoke active sessions and API tokens in your account security settings.
  5. Contact your bank to freeze cards or dispute unauthorized transactions.
  6. Enable or reset multi-factor authentication, ideally moving to passkeys or hardware keys.
  7. Run a mobile security scan using a reputable app; consider a factory reset if malware installation is likely.
  8. Report the incident to your IT/security team (if work-related), the impersonated brand, and your national cybercrime authority.

The Future of QR Code Fraud

Expect quishing to grow more sophisticated in 2026 and beyond. AI-generated fake brand pages are nearly indistinguishable from real ones. Attackers are experimenting with dynamic QR codes that change destination based on the user's location, device, or time of day — allowing them to evade security scans while still hitting real victims. Regulators are catching up, but enforcement is uneven across jurisdictions, so individual vigilance remains the strongest defense.

The good news: the basic countermeasures still work. Preview URLs, never log in via a scanned code, use phishing-resistant authentication, and treat every unexpected QR code with the same skepticism you'd apply to an unexpected email attachment.

Frequently Asked Questions

Can simply scanning a QR code infect my phone?

In most cases, no. Scanning a QR code just reveals a URL — it is what happens next (opening the site, downloading an app, entering credentials) that causes harm. However, a malicious page can attempt to exploit browser vulnerabilities, so always keep your phone's operating system and browser fully updated.

How can I tell if a QR code is safe before I scan it?

You often can't tell from the code itself, but you can inspect the surrounding context. Look for signs of tampering (stickers on top of other stickers), verify the code comes from a known source, and use a scanner or camera that previews the destination URL before opening it. If the URL looks suspicious, do not tap it.

Are QR codes on restaurant menus generally safe?

Most are, but attackers have targeted restaurants because customers scan without thinking. Check that the code is printed directly on the menu or table, not a sticker. If the code redirects you to a login page instead of a menu, close it immediately.

What is the safest way to pay for parking or tolls?

Use the official app from the parking or toll authority, downloaded from the App Store or Google Play. Avoid paying through a QR code on the meter itself unless you can verify the destination URL matches the official operator's domain.

Should businesses stop using QR codes because of quishing?

No — QR codes remain a valuable tool. Instead, businesses should use trusted branded short-link platforms, publish official QR campaigns in a verifiable location, train employees and customers on quishing, and monitor for impersonation. The goal is to make legitimate codes easier to recognize, not to abandon the technology.
