facebook-pixel

QR Code Phishing Scams: How to Stay Safe from Quishing Attacks

L
Lunyb Security Team
··10 min read

QR codes have quietly become part of daily life — you scan them at restaurants, on parking meters, at bus stops, on packaging, and even on utility bills. Unfortunately, criminals noticed too. A new wave of attacks known as QR code phishing scams, or "quishing," is tricking people into handing over passwords, payment information, and access to corporate accounts. This guide explains how these scams work, how to spot them, and how to stay safe whether you're a casual user or a security-conscious business.

What Are QR Code Phishing Scams?

QR code phishing scams — also called quishing — are attacks in which criminals use QR codes to send victims to malicious websites, trigger unauthorized payments, or install malware. Instead of a suspicious link in an email, the attacker hides the harmful URL inside a scannable square that looks completely harmless to the human eye.

Because a QR code is just a machine-readable pattern, you cannot tell by looking at it whether it leads to your bank's real login page or to a lookalike phishing site. That's exactly what makes quishing effective: it bypasses the visual instincts most people rely on to detect scams.

Why Quishing Is Growing Fast

  • Post-pandemic habits: Consumers now scan QR codes without a second thought.
  • Email filter evasion: A QR code is an image, so many security tools that scan text-based links miss it entirely.
  • Mobile-first attack surface: Scans usually happen on phones, where warning signs (full URLs, browser padlocks) are harder to see.
  • Low cost to attackers: Printing a sticker and pasting it over a real QR code costs almost nothing.

How QR Code Phishing Attacks Actually Work

Most quishing attacks follow a predictable pattern. Understanding the steps makes them much easier to spot.

  1. Bait creation: The attacker designs a convincing lure — a fake parking notice, a delivery failure email, a "scan to verify your account" message, or a physical sticker.
  2. QR code embedding: A QR code is generated that points to a malicious domain, often one that closely resembles a real brand (e.g., paypa1-secure.com).
  3. Distribution: The code is placed where victims will encounter it — pasted on top of legitimate signage, printed on flyers, embedded in PDFs, or attached to phishing emails.
  4. Scan and redirect: The victim scans with their phone, which quietly opens the browser and loads the fraudulent page.
  5. Credential or payment theft: The fake site prompts for login details, card numbers, one-time passcodes, or asks the user to install a "required" app that is actually malware.

Common Quishing Scenarios

  • Parking meter stickers: Fake QR codes placed over real ones in cities across the US, UK, and Europe direct drivers to fraudulent "payment" portals.
  • Restaurant menu tampering: Stickers on tables send diners to sites that harvest card details under the guise of a payment page.
  • Fake delivery notices: Postcards claiming a missed package ask recipients to scan and pay a small "redelivery fee."
  • Corporate email quishing: Employees receive PDFs asking them to scan a code to "reauthenticate" their Microsoft 365 or Google Workspace account.
  • Charity and donation fraud: Posters in public spaces use QR codes that route funds to attacker-controlled wallets.
  • Cryptocurrency scams: Codes that appear to point to a wallet address instead redirect to a lookalike that swaps in the attacker's address.

Warning Signs of a Malicious QR Code

Not every scan is dangerous, but there are clear red flags that should make you stop before tapping "Open."

  • Physical tampering: A sticker placed over another QR code, misaligned edges, or a code that doesn't match the surrounding branding.
  • Unsolicited context: An unexpected email, letter, or text asking you to scan to "verify," "reactivate," or "claim" something.
  • Urgency or fear: "Your account will be closed in 24 hours" or "Immediate payment required."
  • Suspicious preview URL: When your camera shows the destination, it uses odd domains, extra hyphens, misspellings, or unfamiliar top-level domains.
  • Requests for sensitive data right after scanning: Legitimate businesses rarely ask you to enter your full password or card details immediately after a scan.
  • Prompts to download an app or profile: Especially outside the official app stores.

Quishing vs. Traditional Phishing: A Quick Comparison

Aspect Traditional Phishing QR Code Phishing (Quishing)
Primary delivery Clickable links in email, SMS, chat QR codes in emails, PDFs, or physical locations
Device targeted Mostly desktops and laptops Almost always mobile phones
Detection by filters High — URLs are text and scannable Low — URLs are hidden inside images
User visibility of URL Visible on hover or long-press Only shown briefly in the camera preview
Common lure Password reset, invoice, shipping Parking, menus, MFA reset, package redelivery
Ease of attack Requires sending mass emails Can be as simple as placing a sticker

How to Stay Safe from QR Code Phishing Scams

You don't need to stop using QR codes — you just need a few reliable habits. Follow these steps every time you scan.

  1. Always preview the URL before opening. Modern iOS and Android camera apps show the destination link before loading it. Read it carefully.
  2. Check for domain lookalikes. Watch for character swaps (rn vs. m), extra words, or wrong TLDs like .top, .xyz, or .click when a brand normally uses .com.
  3. Inspect physical codes. If it's a sticker on a menu, meter, or poster, peel a corner to see if it's covering an original code.
  4. Never enter credentials right after a scan. Instead, open the app or website manually using a bookmark or typed URL.
  5. Avoid scanning codes from unsolicited emails. Especially those asking you to "reauthenticate" or "verify" a work account.
  6. Use a mobile browser with phishing protection. Chrome, Safari, Firefox, and Brave all block many known malicious domains automatically.
  7. Enable multi-factor authentication (MFA) on financial, email, and work accounts so that a stolen password alone isn't enough.
  8. Keep your phone updated. Security patches close many of the mobile exploits that quishing pages try to abuse.
  9. Prefer typing URLs for payments. For parking, tolls, or donations, go to the official website or app instead of scanning.
  10. Report suspicious codes. Notify the venue, brand, or your IT team so tampered codes can be removed quickly.

Extra Precautions for Businesses and Teams

  • Train employees on quishing specifically — many phishing training programs still focus only on links and attachments.
  • Deploy email security tools that inspect images and extract embedded QR codes for URL analysis.
  • Adopt phishing-resistant MFA such as hardware security keys or passkeys, which cannot be replayed on a fake site.
  • Use branded, monitored short links for any QR codes your company prints or publishes, so customers can trust the destination pattern. Trusted link platforms like Lunyb let you generate QR codes tied to verified short URLs you control and can revoke instantly if abused.
  • Audit physical locations where you display QR codes (posters, packaging, receipts) on a regular schedule to check for tampering.

Safer Ways to Use and Share QR Codes

QR codes themselves aren't the problem — the ecosystem around them is. If you create QR codes for a business, a nonprofit, or even a personal project, a few practices dramatically reduce the risk that your audience gets scammed.

  • Use a reputable link management platform that supports HTTPS, custom domains, analytics, and the ability to disable a link if it's compromised. Our 2026 buyer's guide to URL shorteners compares the top options.
  • Prefer a branded short domain so users learn to expect your specific pattern (e.g., go.yourbrand.com). Established providers like those covered in our Rebrandly review specialize in this.
  • Print codes with clear brand context around them — logo, colors, a short human-readable URL beneath — so tampering is more obvious.
  • Laminate or seal codes in tamper-evident ways for physical installations like menus, meters, and signage.
  • Rotate and monitor codes. If you notice unusual traffic patterns, disable the link immediately.
  • Publish a support channel. Give users an obvious way to report a suspicious code they encountered under your brand.

If you're evaluating whether a shortener fits these needs, our honest look at whether Lunyb is legit covers the safety features to look for in any provider.

What to Do If You've Already Scanned a Malicious QR Code

If you suspect you've fallen for a quishing attempt, quick action can limit the damage. Work through these steps in order:

  1. Disconnect from the network if you downloaded anything unusual — turn off Wi-Fi and mobile data for a few minutes.
  2. Do not enter any more information on the site, and close the browser tab immediately.
  3. Change passwords for any account whose credentials you may have entered, starting with email and banking.
  4. Enable or reset MFA on affected accounts. If possible, switch to hardware keys or passkeys.
  5. Contact your bank or card issuer if you entered payment information. Ask them to flag the card and reissue it.
  6. Scan your device for malware using a reputable mobile security app, and remove any apps or configuration profiles you don't recognize.
  7. Report the incident to your national cybercrime authority (such as the FBI's IC3, the UK's Action Fraud, or your local equivalent), and to the impersonated brand.
  8. Monitor your accounts and credit reports for at least 90 days for unusual activity.

The Future of QR Code Security

QR code phishing is likely to grow before it shrinks. Attackers are already experimenting with dynamic codes that change destinations based on the scanner's location, and with AI-generated lookalike sites that render perfectly on any screen size. On the defensive side, expect three trends to accelerate:

  • Native OS warnings that inspect QR destinations before opening them, similar to how browsers warn about unsafe downloads today.
  • Signed or verified QR codes where legitimate brands cryptographically sign their codes so scanners can display a trust indicator.
  • Enterprise QR gateways that route corporate scans through a security proxy that checks destinations in real time.

Until those tools are universal, the best defense is a healthy pause before every scan and a habit of verifying URLs manually when anything sensitive is at stake.

Frequently Asked Questions

Can just scanning a QR code infect my phone?

In almost all cases, scanning alone does not install malware. The danger comes from what happens next — opening the URL, entering credentials, downloading an app, or approving a configuration profile. Always preview the link and stop before taking further action if anything looks off.

How can I tell if a QR code has been tampered with?

Look for stickers placed over other codes, misaligned edges, mismatched colors compared to surrounding branding, or codes that appear in unusual locations (like taped to a gas pump). If the code is on a menu, poster, or meter, gently check whether it's a sticker over the original.

Are QR codes in emails more dangerous than links?

They can be, because many email security filters scan text URLs but treat QR codes as ordinary images. Attackers exploit this gap to sneak malicious destinations past corporate defenses. Treat any unexpected QR code in an email — especially one asking you to "verify" or "reauthenticate" — as suspicious until proven otherwise.

What's the safest way to pay for parking or tolls using a QR code?

Whenever possible, use the operator's official app that you installed from the App Store or Google Play, or type the URL printed on the sign directly into your browser. If you must scan, carefully read the previewed URL and never enter card details on a page you're not certain is authentic.

Should businesses stop using QR codes because of quishing?

No — QR codes remain a useful and convenient tool. Instead, businesses should use branded short links, monitor and rotate them, print clear human-readable URLs alongside codes, and educate customers about what a legitimate scan looks like. Combined with tamper-evident physical placement, these steps make quishing much harder to pull off against your brand.

Final Thoughts

QR code phishing scams thrive on speed and trust — the same qualities that make QR codes so convenient. The good news is that the defenses are simple: preview every URL, be skeptical of unsolicited scans, never enter credentials immediately after scanning, and use branded, monitored links if you're the one publishing codes. A few seconds of caution before each scan is all it takes to keep quishing attackers out of your accounts and away from your customers.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles