QR Code Scams (Quishing) 2026: How to Spot and Avoid Fake QR Codes

Updated March 2026  ·  Silent Security Research Team

Quishing Is Surging

QR code phishing attacks ("quishing") increased over 400% between 2022 and 2025, according to FBI reports. Scammers are targeting parking meters, restaurant menus, package delivery notifications, and business emails. Most people don't inspect QR codes before scanning — making this one of the most effective social engineering attacks today.


QR codes are now everywhere — and scammers have noticed. By replacing or overlaying a legitimate QR code with their own, they redirect you to a phishing site designed to steal credentials, install malware, or capture payment information. The FBI has issued multiple warnings about this attack vector.

How Quishing Works

The attack is simple: a criminal places a fake QR code sticker over a legitimate one — on a parking meter, on a restaurant table, on a package delivery notice — or embeds one in an email. You scan the code, your phone opens a URL, and you land on a convincing fake website that looks like your bank, the IRS, PayPal, or a parking payment portal. You enter your credentials or payment info. The attacker captures everything.

The key vulnerability: unlike URLs in emails, which many people have learned to inspect, QR codes are opaque — you have no idea where they point until you've already scanned them.

Where Fake QR Codes Are Found

Parking Meters & Lots

Stickers placed over city-issued QR codes direct you to a fake payment portal that captures your card number. Multiple cities have issued warnings including Austin, San Antonio, Houston, and Nashville.

Email Phishing

Phishing emails increasingly replace text links with QR codes to bypass email security filters that scan URLs. Common themes: "Verify your account," "Your package is delayed," "Required 2FA update."

Restaurants & Cafes

Table QR codes for menus and payment can be replaced by scammers. Payment-focused attacks are especially lucrative. Look for stickers placed over the original code.

Fake Packages / Notes

Fake missed-delivery notice cards are left at your door with a QR code to "reschedule delivery"; the code actually opens a phishing page that collects your personal info and sometimes payment.

Crypto/Investment Scams

QR codes in mailers, social media ads, or text messages direct you to fake investment platforms or crypto wallets designed to steal funds.

Business/HR Documents

Targeted business email compromise (BEC) attacks use QR codes in documents and PDFs sent to employees, redirecting to credential-harvesting pages for Microsoft 365 or corporate VPNs.

How to Verify a QR Code Before Acting

Safe Scanning Protocol
  1. Check the physical code first. Look for stickers placed over original codes. If the QR code looks raised, layered, or has different printing quality, don't scan it.
  2. Preview the URL before opening. Most phone cameras show the URL before launching it. Read the URL — does it match the organization it claims to be from? Look for subtle misspellings (amaz0n.com, paypa1.com, "irs-payment.net" instead of irs.gov).
  3. Never enter credentials after scanning. Legitimate companies rarely require you to log in after scanning a QR code. If you're asked to enter a password, close the browser and go directly to the organization's official app or website.
  4. Never pay via a QR code you didn't initiate. Use the official payment method for parking meters and restaurants when possible — apps and direct websites are safer than QR code payment flows.
  5. For emails: a QR code where a link would do is suspicious. Legitimate companies don't need to use QR codes in emails to replace links. If you receive a QR code in an email, navigate directly to the company's website instead of scanning it.
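
Step 2 can also be automated, for example in a mail gateway or kiosk scanner that has already decoded the QR code to a URL. The following is an added example, not code from this guide: the TRUSTED allowlist, the function names, the verdict labels and the test URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the domains this deployment actually expects (illustrative).
TRUSTED = {"amazon.com", "paypal.com", "irs.gov"}
# Digit-for-letter swaps, as in the guide's amaz0n.com / paypa1.com examples.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(url: str) -> tuple:
    """Return (verdict, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block", "malformed URL"
    if parts.scheme != "https" or not host:
        return "block", "not an https URL"
    if "@" in parts.netloc:
        return "block", "userinfo in URL hides the real host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "block", "punycode host (possible homoglyph domain)"
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "allow", f"matches {good}"
    for good in TRUSTED:
        brand = good.split(".")[0]
        # Split on dots and hyphens so irs-payment.net exposes the label "irs".
        for label in host.replace("-", ".").split("."):
            folded = label.translate(LOOKALIKE)
            if folded == brand or (len(brand) > 4 and edit_distance(folded, brand) == 1):
                return "block", f"imitates {good}"
    return "review", "unknown domain, use the official site or app instead"
```

Any host that carries a trusted brand name without being on the allowlist is blocked, so regional domains the organization really uses must be added to TRUSTED explicitly.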

What Happens After Scanning a Malicious QR Code

Outcomes range from credential theft (you enter your password) to drive-by malware installation (rare on updated phones) to direct payment fraud. The most common outcome: a convincing phishing page captures your username, password, and/or credit card number.

If you scanned a suspicious QR code and entered information:

QR Code Scanner Security Settings

iPhone: iOS's built-in camera scanner shows the URL before opening — always read it. You can also enable "Fraudulent Website Warning" in Settings › Safari for additional protection.

Android: Use Google Lens or the built-in camera QR scanner. Install a security app like Malwarebytes or Bitdefender Mobile that can scan URLs in real time. Be cautious with third-party QR scanner apps — some are themselves malware.

Reporting Quishing Attacks
