facebook-pixel

QR Code Phishing Scams: How to Stay Safe in 2026

L
Lunyb Security Team
··9 min read

QR codes are everywhere in 2026 — on restaurant tables, parking meters, product packaging, event tickets, and even TV commercials. That ubiquity has made them a favorite tool for cybercriminals. QR code phishing scams, often called "quishing," now account for a rapidly growing share of phishing attacks worldwide, with the FBI, UK Action Fraud, and Europol all issuing public warnings in the past year.

This guide explains exactly how QR code phishing scams work, walks through the most common real-world attack scenarios, and gives you a clear checklist to stay safe — whether you're a casual scanner or you manage QR campaigns for a business.

What Are QR Code Phishing Scams?

QR code phishing scams (quishing) are attacks in which criminals use malicious QR codes to trick victims into visiting fake websites, downloading malware, or handing over sensitive information such as login credentials, credit card numbers, or two-factor authentication codes.

Because a QR code is just a visual representation of a URL (or other data), most people cannot tell whether the destination is safe simply by looking at the pattern of black and white squares. Attackers exploit that blind trust — the same way early email phishing exploited the fact that few users checked sender addresses.

Why QR Code Attacks Are Rising Fast

  • Post-pandemic normalization: Consumers now scan QR codes without hesitation for menus, payments, and Wi-Fi.
  • Bypass of email filters: A QR code embedded in an image or PDF often slips past corporate email security tools that scan text links.
  • Mobile-first targeting: Phones typically have weaker endpoint protection than laptops, and small screens make suspicious URLs harder to spot.
  • Cheap to deploy: Generating and printing a malicious QR code costs almost nothing, and stickers can be placed in the physical world in seconds.

How QR Code Phishing Attacks Actually Work

Most quishing attacks follow the same five-stage playbook. Understanding the flow makes it much easier to spot one in the wild.

  1. Bait creation: The attacker generates a QR code that points to a lookalike domain (e.g., paypa1-secure.com instead of paypal.com).
  2. Delivery: The code is placed where victims will scan it — in a phishing email, on a physical sticker over a legitimate code, in a fake parking notice, or on a poster.
  3. Redirect chain: After scanning, the victim is sometimes sent through multiple redirects to evade detection and to fingerprint the device.
  4. Credential harvesting or malware drop: The final page looks identical to a real login screen, or it silently pushes a malicious app or configuration profile.
  5. Exploitation: Stolen credentials are used within minutes — sometimes seconds — to drain accounts, launch further phishing from the victim's contacts, or sell access on dark-web markets.

Common Real-World QR Code Scams

Not every quishing attack looks the same. Here are the scenarios security teams see most often in 2026.

1. Parking Meter and EV Charger Stickers

Fraudsters print QR stickers that mimic official city or charging-network branding and paste them directly over legitimate codes on meters and charging stations. Victims scan, enter card details to "pay for parking," and hand over their financial information. Cities across the US, UK, and Australia have all reported major incidents.

2. Restaurant Menu Swaps

A scammer places a sticker over the QR menu on a table. The fake site loads a menu — but also asks the diner to "verify their table" by entering a phone number or paying a bogus service fee.

3. Fake Delivery Notices

A card is left at your door claiming a package couldn't be delivered. Scan the QR code to reschedule — and you're taken to a spoofed courier site that harvests address and payment details.

4. Email-Based Quishing (Corporate MFA Attacks)

An employee receives an email claiming their Microsoft 365 password expires today. The email contains a QR code "to re-authenticate from your phone." Because the phone is outside the corporate network's protection, the attacker captures both the password and the MFA token.

5. Crypto Wallet "Airdrops"

Posters at conferences or ads on social media promise free tokens if you scan and connect your wallet. Instead, the code triggers a transaction that drains the wallet.

6. Charity and Donation Scams

After natural disasters, fake donation QR codes appear on flyers and social posts, siphoning money away from real relief efforts.

Warning Signs of a Malicious QR Code

Use this quick comparison to distinguish legitimate QR codes from suspicious ones.

Signal Likely Legitimate Likely Malicious
Placement Printed directly on menu, receipt, or official signage Sticker layered over another code or on unofficial paper
Preview URL Matches the brand's known domain Misspellings, extra hyphens, unusual TLDs (.xyz, .top, .zip)
Landing page Loads over HTTPS with valid certificate Requests login, card, or seed phrase immediately
Urgency Informational, no pressure "Act now," "account will be locked," countdown timers
App requests Opens a normal webpage Prompts to install a profile, APK, or unknown app

10 Steps to Stay Safe from QR Code Phishing

  1. Preview the URL before opening. Modern iOS and Android cameras show the destination URL before you tap. Read it carefully — every character matters.
  2. Check for sticker tampering. Run a fingernail across QR codes in public. If there's a sticker over another code, don't scan it.
  3. Never enter passwords after scanning a QR code. Legitimate services rarely require you to log in from a QR-triggered link. Open the app or type the URL manually instead.
  4. Use a QR scanner with built-in link checking. Some scanners flag known-malicious domains before the browser opens.
  5. Enable link previews and safe browsing. Turn on Google Safe Browsing (Chrome) or Fraudulent Website Warning (Safari).
  6. Watch for lookalike domains. rn can look like m, 0 like o. Zoom in if unsure.
  7. Never install profiles or apps from a QR link. Download apps only from the official App Store or Google Play.
  8. Use unique passwords and hardware security keys. If credentials do leak, a phishing-resistant key (like a YubiKey or passkey) stops attackers from logging in.
  9. Report suspicious codes. Notify the business, venue, or platform where you found it, plus your national fraud reporting body (FTC, Action Fraud, Scamwatch, etc.).
  10. Educate your team. For businesses, add quishing scenarios to your annual security awareness training.

How Businesses Can Protect Their QR Campaigns

If your company uses QR codes for marketing, payments, or logistics, you have two responsibilities: keeping your customers safe, and preventing your brand from being spoofed.

Use Trackable, Branded Short Links

Instead of embedding a raw domain in a QR code, route it through a branded short link you control. This gives you three advantages:

  • You can rotate the destination if a campaign is compromised — without reprinting materials.
  • Analytics let you spot unusual scan patterns that may indicate abuse.
  • Customers see a recognizable, branded domain in the preview.

Platforms like Lunyb let you generate short links with QR codes, track scan analytics, and update destinations at any time — a strong defensive layer against quishing impersonation. If you're evaluating options, our 2026 buyer's guide to URL shorteners compares the top platforms feature-by-feature, and our honest Lunyb review covers what to expect in practice.

Print QR Codes Directly, Not as Stickers

Embed codes into the printed material itself so any overlay is obvious. On outdoor signage, laminate over the code to make tampering visually apparent.

Publish an Official QR Landing Domain

Tell customers, "All our QR codes lead to yourbrand.com or go.yourbrand.com." This gives them a simple mental checksum.

Monitor for Impersonation

Set up alerts for newly registered domains that resemble yours, and audit physical locations regularly for sticker overlays.

Quishing vs. Traditional Phishing: Key Differences

Aspect Email Phishing QR Code Phishing (Quishing)
Primary channel Email, SMS Physical world + email attachments
Device targeted Desktop and mobile Almost always mobile
Filter bypass Blocked by URL scanners Often bypasses image-based filters
User verification difficulty Can hover to preview link Must actively check preview on scan
Common goal Credentials, malware Credentials, payments, wallet drains

What to Do If You've Already Scanned a Malicious QR Code

Acting quickly limits the damage. Follow these steps in order:

  1. Close the page immediately and disconnect from Wi-Fi if you suspect malware download.
  2. Do not enter any information. If you already did, assume it's compromised.
  3. Change affected passwords from a different, trusted device.
  4. Enable or rotate multi-factor authentication on impacted accounts.
  5. Contact your bank or card issuer if payment details were entered — most will freeze the card and reverse fraudulent transactions.
  6. Scan your device with a reputable mobile security app and remove any unknown configuration profiles or apps.
  7. Report the incident to the impersonated brand and to your national cybercrime authority.
  8. Monitor your accounts and credit for at least 90 days.

The Future of QR Code Security

QR codes aren't going away — if anything, adoption is accelerating with digital IDs, ticketing, and payments. Expect three shifts over the next 24 months:

  • Signed QR codes: Emerging standards allow cryptographic signing so scanners can verify authenticity before opening the URL.
  • Operating-system warnings: iOS and Android are rolling out stronger heuristics that warn users when a scanned URL matches known phishing patterns.
  • Enterprise QR firewalls: Mobile device management platforms are starting to filter scanned URLs the way email gateways filter links.

Until those defenses are universal, the best protection remains a skeptical user paired with well-managed, branded short links from trusted providers.

Frequently Asked Questions

Can simply scanning a QR code hack my phone?

In almost all cases, no. Scanning a QR code just reveals a URL or text — it doesn't execute code by itself. The danger comes from what you do next: visiting the site, entering credentials, or installing something. That said, if your phone's OS or browser has an unpatched vulnerability, a malicious page could exploit it, so keep your device fully updated.

How can I tell if a QR code has been tampered with?

Look for stickers layered over existing codes, mismatched paper or ink quality, misaligned edges, and codes that appear in unusual places (like a random sticker on a lamppost). When in doubt, ask staff at the venue whether the code is theirs.

Are QR codes in emails more dangerous than links?

Often yes, because QR codes in email images bypass many URL-scanning security tools, and they push you onto a mobile device that has fewer protections than your work laptop. Treat any unexpected QR code in an email as suspicious, especially if it asks you to log in.

Do branded short links prevent QR phishing?

They don't stop attackers from creating their own malicious codes, but they make it much easier for your customers to spot fakes — because your real codes always lead to the same recognizable branded domain. Combined with analytics and the ability to swap destinations if abuse is detected, branded short links are one of the strongest defensive tools for organizations running QR campaigns.

What's the safest QR scanner app to use?

The built-in camera apps on modern iOS and Android are generally the safest choice because they show a URL preview and integrate with the OS's safe-browsing warnings. Avoid third-party scanners that request excessive permissions or aggressively push ads — they often add unnecessary risk without meaningful benefit.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles