facebook-pixel

QR Code Phishing Scams: How to Stay Safe in 2026

L
Lunyb Security Team
··8 min read

QR codes are everywhere in 2026 — on restaurant tables, parking meters, product packaging, event posters, and even utility bills. Their convenience has made them a favorite tool for businesses, but also for cybercriminals. QR code phishing scams, often called "quishing," have exploded in the last two years, with the FBI, Europol, and cybersecurity firms all issuing repeated warnings. This guide explains exactly how these attacks work, how to spot them, and what to do if you've already scanned a suspicious code.

What Are QR Code Phishing Scams?

QR code phishing scams are cyberattacks in which criminals use malicious QR codes to trick victims into visiting fraudulent websites, downloading malware, or handing over sensitive information. Because a QR code is just a machine-readable image, users cannot see the destination URL before scanning — making these attacks uniquely difficult to detect with the naked eye.

The term "quishing" combines "QR" and "phishing." Unlike traditional email phishing, which relies on suspicious links you can hover over, quishing hides the payload behind a black-and-white square. That single layer of obfuscation is enough to bypass many spam filters, email gateways, and even user intuition.

Why QR Code Attacks Are Growing Fast

  • Post-pandemic normalization: Contactless menus and payments trained users to scan codes without thinking.
  • Email filter evasion: Security systems scan text and links, not images, so QR-based phishing emails often reach inboxes untouched.
  • Mobile-first exploitation: Phones typically have weaker security protections than corporate desktops.
  • Low technical barrier: Anyone can generate a QR code in seconds and print it on a sticker.

How QR Code Phishing Attacks Work

Most quishing attacks follow a predictable four-step pattern. Understanding this flow makes the threat much easier to spot.

  1. Creation: The attacker generates a QR code pointing to a malicious URL — often a lookalike login page, a fake payment portal, or a malware download link.
  2. Distribution: The code is delivered via email, printed flyers, stickers placed over legitimate codes, social media posts, or physical mail.
  3. Scanning: The victim scans the code with their phone camera and is redirected to the attacker's website.
  4. Harvesting: The fake site captures credentials, credit card details, two-factor codes, or silently installs a malicious app.

Common Real-World Scenarios

Security researchers have documented dozens of quishing campaigns. The most frequent include:

  • Parking meter scams: Fake QR stickers placed on public parking meters redirect drivers to fraudulent payment pages.
  • Restaurant menu swaps: Attackers cover legitimate menu codes with malicious ones that ask for "login" or payment details.
  • Fake delivery notices: Physical letters or emails claiming a missed package direct users to scan a code and pay a small "redelivery fee."
  • Corporate email quishing: Emails impersonating Microsoft, DocuSign, or HR portals include a QR code to "verify your account" — bypassing email filters entirely.
  • Cryptocurrency drainers: Codes on posters or social media lead to wallet-draining smart contracts.

Warning Signs of a Malicious QR Code

Not every suspicious code is obvious, but there are several red flags you can learn to recognize before scanning.

Physical Red Flags

  • A QR code sticker placed over another code (peel back the corner if safe to do so).
  • Codes on unofficial-looking flyers, lampposts, or public surfaces with no clear branding.
  • Slightly misaligned printing on menus or signs — a sign the original was tampered with.
  • Codes accompanied by urgent language: "Pay now," "Verify immediately," "Claim your reward."

Digital Red Flags

  • Emails containing a QR code as an image with little other content.
  • Messages from unknown senders claiming to be from banks, tax authorities, or shipping companies.
  • Preview URLs that use unfamiliar domains, misspellings (e.g., "paypa1.com"), or excessive subdomains.
  • Shortened links from unknown or suspicious shorteners with no metadata or branding.

How to Safely Scan a QR Code

You don't have to stop scanning QR codes — you just need a safer process. Follow these steps every time.

  1. Use your phone's built-in camera app. It shows a URL preview before opening the link. Avoid third-party scanner apps that auto-redirect.
  2. Read the preview carefully. Check the full domain, not just the first few characters. Look for HTTPS, correct spelling, and a legitimate top-level domain.
  3. Never enter credentials after scanning. If a code leads to a login page, close it and navigate to the site manually through your browser or official app.
  4. Watch for app install prompts. A QR code should almost never trigger an app download. If it does, cancel immediately.
  5. Verify unfamiliar codes with the business. If a menu, invoice, or poster feels off, ask an employee or check the company's official website.

QR Code Phishing vs. Traditional Phishing: A Comparison

Understanding how quishing differs from classic phishing helps explain why it slips past so many defenses.

Attack FeatureTraditional PhishingQR Code Phishing (Quishing)
Delivery methodEmail links, SMS, chatImages, printed materials, stickers
URL visibilityVisible on hoverHidden until scan
Email filter detectionHighLow (image-based)
Primary target deviceDesktop/laptopMobile phone
User awarenessWidely trained againstStill relatively new
Success rate (2025 estimates)~2–4%~15–20%

How Businesses Can Protect Employees and Customers

Organizations bear a growing responsibility to defend against quishing, both for their staff and their customers. A few practical measures make a significant difference.

Internal Defenses

  • Update security awareness training to include QR code scenarios, not just email phishing.
  • Deploy mobile threat defense (MTD) tools that inspect URLs opened on company phones.
  • Enable phishing-resistant MFA such as hardware keys or passkeys, so stolen passwords alone are useless.
  • Configure email gateways that can extract and analyze URLs from embedded QR images.

Customer-Facing Defenses

  • Use branded, trusted short links so customers can visually verify destinations before scanning.
  • Print QR codes with tamper-evident designs or seals on physical materials.
  • Publish official QR code locations on your website so customers can cross-check.
  • Monitor for lookalike domains and takedown fraudulent copies quickly.

A privacy-focused link shortener like Lunyb gives businesses the ability to create clean, trackable short URLs behind their QR codes. Combined with branded domains, this makes it far easier for end users to distinguish a legitimate destination from a spoofed one. For more options, see our 2026 URL shortener buyer's guide.

What to Do If You Scanned a Malicious QR Code

Mistakes happen. If you suspect you've fallen for a quishing attack, act quickly — most damage is done in the first hour.

  1. Disconnect from the internet. Toggle airplane mode to stop any active data exfiltration.
  2. Do not enter or resubmit credentials. Close the browser tab and any related apps.
  3. Change affected passwords from a separate, trusted device. Prioritize email, banking, and work accounts.
  4. Enable or rotate MFA on all sensitive accounts, ideally moving to hardware keys or passkeys.
  5. Scan your device for malware with a reputable mobile security app.
  6. Notify your bank if any payment or card information was submitted, and freeze cards if needed.
  7. Report the incident to your local cybercrime authority (FBI IC3, Action Fraud, ACSC, etc.) and — if it happened at work — your IT security team.

The Future of QR Code Security

QR codes aren't going anywhere. Payment providers, transit systems, and healthcare platforms rely on them for smooth user experience. The good news is that both platforms and users are catching up.

Expect to see these trends accelerate in the next 12–24 months:

  • Signed QR codes: Cryptographically verified codes that phones can validate before opening.
  • OS-level warnings: iOS and Android are already testing enhanced warnings for suspicious destinations.
  • Branded, verified short links: Businesses increasingly using recognizable domains behind every code — a trend covered in our Rebrandly Review 2026 and other shortener reviews.
  • AI-powered link analysis: Real-time reputation checks integrated directly into camera apps.

Until these defenses become universal, awareness remains the single most powerful protection. A five-second glance at the URL preview stops the vast majority of quishing attempts cold.

Key Takeaways

  • QR code phishing ("quishing") hides malicious URLs behind ordinary-looking codes.
  • Attackers exploit trust in physical signage and image-based email content that bypasses filters.
  • Always preview the URL before opening it, and never enter credentials on a page reached via QR code.
  • Businesses should adopt branded short links, tamper-evident printing, and phishing-resistant MFA.
  • If you fall for a scam, disconnect, change passwords, and report the incident quickly.

Frequently Asked Questions

Can simply scanning a QR code infect my phone?

Scanning a code alone almost never installs malware. The danger comes from what happens after — visiting a malicious site, entering credentials, downloading an app, or approving a permission request. Modern phones require user interaction before installing anything, so staying alert after the scan is what matters most.

How can I tell if a QR code sticker has been tampered with?

Look for stickers placed over existing codes, misaligned printing, differences in paper quality, or codes that appear freshly added to older signage. On menus and parking meters especially, gently check whether the code peels off — a legitimate code is usually printed directly onto the material.

Are QR codes in emails always suspicious?

Not always, but they should raise your guard. Legitimate companies rarely rely on QR codes inside emails since you're already on a device that can click a normal link. If an email uses a QR code to "verify" or "log in," treat it as high-risk and navigate to the service manually instead.

Do branded short links help prevent QR code phishing?

Yes. When a QR code resolves to a recognizable branded domain, users can quickly confirm it matches the business they expect. Tools like Lunyb and other providers reviewed in our 2026 shortener guide allow businesses to create trusted short URLs that make spoofing much harder and detection much easier.

Should I stop using QR codes entirely?

No — the convenience is genuine and most codes are safe. The goal is to scan mindfully: use your native camera app, read the URL preview, avoid entering sensitive information on pages reached through QR codes, and verify anything unusual with the business directly. That habit alone neutralizes almost every quishing attempt.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles