QR codes are everywhere — and that ubiquity is exactly what makes them a compelling attack surface. A fraudulent QR code looks identical to a real one. You scan it without a second thought. What happens next depends on what type of scam it was designed for.
Last updated: May 2026
What Is QR Code Phishing (Quishing)?
QR code phishing — sometimes called "quishing" — is a cyberattack that uses malicious QR codes to redirect victims to fraudulent websites, download malware, or harvest personal and financial credentials. The word "quishing" combines "QR" with "phishing," the broader category of deceptive credential theft.
Unlike traditional phishing, which arrives via a suspicious email link you can hover over, QR codes are opaque — you can't read a QR code the way you'd read a URL. This opacity is the core vulnerability. Your brain has been conditioned to trust printed QR codes in physical spaces because, for most of digital history, they were created by legitimate businesses for legitimate purposes.
FBI reporting from 2024 indicates that QR code fraud losses reached hundreds of millions of dollars in the United States, with the problem accelerating as mobile QR scanning became seamlessly integrated into phone camera apps. The attack vector is especially effective against people who are not security-conscious, because scanning a QR code feels mundane and routine.
Where Fake QR Codes Are Found
Malicious QR codes appear in a surprising range of locations:
Parking meters and pay stations. Scammers place adhesive stickers printed with their QR code over the legitimate payment QR code. Victims scan and are redirected to a fake payment portal that collects their credit card data.
Restaurant table tents and menu stands. With digital menus now standard, many restaurants have permanent QR codes on tables. Stickers can be placed over these to redirect to malware-installing sites or fake login pages.
Phishing emails and text messages. Email filters catch text-based links. Embedding a malicious QR code as an image bypasses many filters, so this has become a favored corporate phishing technique — particularly targeting employees' Microsoft 365 or Google Workspace credentials.
Flyers and posters. Public bulletin boards, community notice boards, and even utility poles are used to post fake "free giveaway," "lost pet reward," or "rent a car" flyers with QR codes that lead to data-harvesting sites.
Package inserts and fake delivery notifications. Counterfeit shipping notifications included in packages or mailed physically instruct recipients to scan a QR code to "reschedule delivery" or "pay customs fees."
Charity and donation solicitations. Fake charity flyers, particularly after natural disasters or major news events, use QR codes to harvest payment information.
Cryptocurrency ATMs. Some fake "help" stickers on legitimate crypto ATMs direct users to fraudulent customer support sites designed to steal wallet credentials.
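The "QR code as an image bypasses link filters" point above is one a mail gateway can turn into a triage rule: a message that carries an image, has no clickable link in its text (the QR is the link), and urges the reader to log in or re-authenticate. The following is an added Python example, not the article's or any vendor's code; it uses only the standard library, does not decode the QR image itself (that would need a library such as pyzbar), and the keyword list, addresses and PNG bytes are constructed for the demo.

```python
"""Triage rule for the 'QR code in an email' pattern: image attached, no
clickable links in the text (the QR carries the URL instead), and wording
that pushes the reader to log in or re-authenticate. Added example, not
the article's or any vendor's code; standard library only. It does not
decode the QR image itself (that needs a library such as pyzbar)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed keyword list; a production rule would be tuned on real mail.
URGENCY = re.compile(
    r"\b(scan|qr code|verify your account|password expires?|mfa|authenticat\w*)\b", re.I)
LINK = re.compile(r"https?://\S+|href=", re.I)


def quishing_indicators(raw: bytes) -> dict:
    """Parse one RFC 822 message and report the indicators behind the rule."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, image_parts = "", 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype in ("text/plain", "text/html"):
            text += part.get_content()
    terms = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    has_links = LINK.search(text) is not None
    return {
        "image_parts": image_parts,
        "urgency_terms": terms,
        "has_text_links": has_links,
        # Legitimate mail with images usually also carries real links;
        # quishing avoids them precisely because text links get filtered.
        "suspect": image_parts > 0 and not has_links and len(terms) >= 2,
    }


def build_sample(subject: str, body: str, with_image: bool) -> bytes:
    """Construct a test message (addresses and PNG bytes are fake)."""
    m = EmailMessage()
    m["From"] = "it-helpdesk@example.com"
    m["To"] = "employee@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if with_image:
        m.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(16), maintype="image",
                         subtype="png", filename="qr.png")
    return m.as_bytes()


# Three constructed messages: a quishing lure, a plain internal mail, and a
# newsletter that has an image but also real links.
QUISHING_MAIL = build_sample(
    "Action required: MFA enrollment",
    "Your password expires in 24 hours.\nScan the QR code below with your phone\n"
    "to verify your account and keep access.",
    with_image=True)
BENIGN_MAIL = build_sample(
    "Thursday agenda",
    "Agenda for Thursday is posted at https://intranet.example.com/agenda",
    with_image=False)
NEWSLETTER = build_sample(
    "Monthly update",
    "Scan the QR code for the event page, or click https://events.example.com/",
    with_image=True)

if __name__ == "__main__":
    for name, raw in [("quishing", QUISHING_MAIL), ("benign", BENIGN_MAIL),
                      ("newsletter", NEWSLETTER)]:
        print(name, quishing_indicators(raw))
```

The rule is deliberately conservative: it only fires when all three indicators line up, so a newsletter with an image and ordinary links is left alone. In a real gateway the flagged image would then be handed to a QR decoder and the extracted URL screened like any other link.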
How the Attack Works
Once you scan a malicious QR code, one of several things can happen depending on how the code was designed:
Credential Phishing
The most common attack. The QR code redirects you to a website that appears to be a legitimate service — your bank, PayPal, a parking payment portal, Microsoft login, or Amazon. The site looks pixel-perfect. When you enter your credentials, they are sent to the attacker in real time, often triggering automatic account takeover before you've even noticed anything wrong.
Payment Harvesting
You're taken to a fake payment form that collects credit card numbers, expiration dates, and CVV codes. This is especially common with parking meter QR stickers. The payment form may even display a fake "success" message to avoid immediate suspicion.
Malware Installation
The QR code links to a download or exploits a mobile browser vulnerability to install malware. This can enable keystroke logging, camera access, location tracking, or SMS interception — critical for bypassing two-factor authentication.
App Store Spoofing
The code directs you to a fake app store page or a direct APK download (on Android) that installs a malicious app designed to mimic a banking or utility app.
⚠️ Critical Risk
Simply visiting a malicious URL — even without entering any information — can sometimes be enough to trigger a browser exploit on an unpatched device. Always keep your mobile OS and browsers updated.
What to Do Right After Scanning (But Before Entering Data)
If you scanned a QR code and the destination URL looks suspicious, or you're not 100% sure where it came from:
1. Do not interact with the page. Don't tap anything, don't scroll, don't fill in any field. Close the browser tab immediately.
2. Check the URL before proceeding. Most phone cameras now show you the URL before opening it. A parking payment URL like parkmeter-pay.xyz is not the same as your city's official payment portal. Look for misspellings, unusual domains, or HTTP instead of HTTPS.
3. Clear your browser history and cache for the session. On iOS: Settings → Safari → Clear History and Website Data. On Android Chrome: Settings → Privacy → Clear Browsing Data.
4. Run a malware scan. On Android, use Google Play Protect (built in) or a reputable security app to scan for potentially harmful apps. On iOS, the sandboxed architecture makes drive-by installs very rare, but keep iOS updated.
5. Report the QR code. Notify the business, parking authority, or location where you found it so they can remove it and warn others. If you're at a parking meter, contact your city's transportation department.
What to Do If You Entered Information
Act immediately based on what you entered:
If You Entered a Password
Change that password immediately on every site where you use it
Enable two-factor authentication on the affected account
Check account activity logs for unauthorized access
If it was your email password: check for forwarding rules, suspicious logins, and sent-mail folders for messages you didn't send
If You Entered Payment Card Details
Call your bank's fraud line immediately (the number on the back of your card) to report potential compromise
Request a new card number — most banks will issue one same-day or next-day
Review your recent transactions for any unauthorized charges
Place a fraud alert with Equifax, Experian, and TransUnion
If You Entered Your Social Security Number or ID Information
Place a credit freeze with all three major bureaus (free, and the strongest protection)
Consider placing a freeze with ChexSystems as well (banking fraud prevention)
File a report with the FTC at IdentityTheft.gov, which will create a personalized recovery plan
✓ Good News
If you only scanned the code and closed the page without entering any information, your risk is low. Most QR phishing attacks require your active input to cause harm. Still clear your browser cache and monitor your accounts for a week.
How to Spot a Fake QR Code Before Scanning
Prevention is always better than remediation. Here's what to check before you scan:
Look for a sticker overlay. Run your finger over the QR code. If it feels like an adhesive sticker on top of another surface, it may be a replacement. Compare the texture and print quality to surrounding surfaces.
Preview the URL before opening. Modern iOS and Android camera apps show the destination URL before navigating. Read it. Does it match the business's known domain?
Check for HTTPS. The destination should use HTTPS. An HTTP-only URL for a payment portal is a red flag (though HTTPS alone does not guarantee legitimacy).
Be skeptical of QR codes in unexpected places. A QR code in an email from your "bank" asking you to verify your account is almost certainly phishing. Legitimate banks send you to their app or have you navigate directly.
Search the destination manually. For parking, search your city's official parking payment service rather than scanning an on-meter code.
Types of Damage Scammers Can Cause
Understanding what's at stake clarifies why fast action matters:
Account takeover: Email, social media, banking, or streaming accounts compromised and locked before you realize it happened.
Financial theft: Direct card fraud charges or unauthorized ACH transfers from entered banking data.
Identity theft: Personal information used to open new credit lines, file fraudulent tax returns, or apply for government benefits.
Secondary scam targeting: Your contact information sold to other scam operations, leading to a wave of follow-up phone calls and emails.
Business network compromise: If you scanned a malicious code on a work device while connected to a corporate network, the malware can potentially move laterally through the network.
Prevention Going Forward
Use a QR scanner with URL preview. Most native camera apps now show the URL first — don't disable this feature.
Keep all devices patched and updated. Browser exploits used in drive-by attacks are typically patched quickly. Running outdated iOS or Android removes your best protection.
Use a password manager. A good password manager won't autofill credentials on a phishing site because the domain won't match. This is one of the strongest defenses against credential phishing regardless of delivery method.
Never scan QR codes from unsolicited communications. Legitimate companies don't email you QR codes to log in. Navigate directly to the site instead.
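The URL checks described in "How to Spot a Fake QR Code Before Scanning" (read the previewed URL, compare it to the known domain, check for HTTPS, watch for misspellings) and the password-manager point above (autofill only when the domain matches) rest on the same idea: what matters is the registrable domain, not what the URL looks like at a glance. The following is an added Python example, not the article's or any product's code, that applies those checks to a decoded QR URL and models a password manager's origin test. It uses only the standard library; the allowlist KNOWN_DOMAINS, the small public-suffix subset, and all sample URLs are constructed for the demo, and the heuristics go a little beyond the article (raw IP hosts, punycode, the user@host trick, one-character typo-squats).

```python
"""Heuristic screening of the URL decoded from a QR code, plus the origin
check a password manager makes before autofilling. Added example, not the
article's own code; standard library only. The allowlist and suffix set
below are constructed for the demo, not a real deployment's data."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: domains this user actually deals with.
KNOWN_DOMAINS = {"paypal.com", "microsoft.com", "amazon.com", "cityparking.gov"}
# Constructed subset of multi-label public suffixes; a real tool would use the
# Public Suffix List so that "bank.co.uk" is one registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com', 'www.bank.co.uk' -> 'bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_qr_url(url: str, known_domains=KNOWN_DOMAINS) -> list[str]:
    """Return human-readable red flags for a decoded QR URL.
    An empty list means no heuristic fired, not that the URL is safe."""
    flags = []
    parts = urlsplit(url.strip())
    scheme, host = parts.scheme.lower(), parts.hostname or ""
    if scheme not in ("http", "https"):
        flags.append(f"non-web scheme '{scheme}'")  # intent://, javascript:, ...
    elif scheme == "http":
        flags.append("plain HTTP (no TLS)")
    if not host:
        return flags + ["no hostname"]
    try:
        ipaddress.ip_address(host)
        return flags + ["raw IP address instead of a domain name"]
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (IDN) hostname")
    if not host.isascii():
        flags.append("non-ASCII characters in hostname")  # homograph risk
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the real host is after the '@'
        flags.append("credentials (user@) embedded before the host")
    reg = registrable_domain(host)
    if reg in known_domains:
        return flags
    for brand in sorted(known_domains):
        brand_label = brand.split(".")[0]
        if brand_label in host:
            flags.append(f"'{brand_label}' appears in host but registrable domain is '{reg}'")
        elif len(brand_label) >= 5 and _edit_distance(brand_label, reg.split(".")[0]) == 1:
            flags.append(f"'{reg}' looks like a one-character typo of '{brand}'")
    flags.append(f"unfamiliar domain '{reg}'")
    return flags


def autofill_allowed(saved_login_url: str, current_url: str) -> bool:
    """Model of a password manager's origin check: fill only over HTTPS and
    only when the page's registrable domain matches the saved entry."""
    saved, cur = urlsplit(saved_login_url), urlsplit(current_url)
    if cur.scheme.lower() != "https" or not cur.hostname or not saved.hostname:
        return False
    return registrable_domain(cur.hostname) == registrable_domain(saved.hostname)


if __name__ == "__main__":
    # Constructed sample URLs, as a camera app might preview them after a scan.
    for u in ["https://www.paypal.com/signin", "http://parkmeter-pay.xyz/pay",
              "https://paypal.com.login-verify.example/", "https://paypa1.com/",
              "https://paypal.com@evil.example/login", "https://p\u0430ypal.com/"]:
        print(u, "->", assess_qr_url(u) or ["no heuristic fired"])
    print(autofill_allowed("https://www.paypal.com/signin",
                           "https://paypal.com.login-verify.example/"))
```

Two design points worth noticing: the "unfamiliar domain" finding is what catches a clean-looking parking portal that simply is not your city's, which is why the article's advice to look up the official service yourself is the stronger control; and autofill_allowed is keyed on the registrable domain, so a lookalike such as paypal.com.login-verify.example never matches a saved paypal.com entry no matter how convincing the page is.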
Not sure if a QR code destination URL is safe?
Paste the URL into ScanBeyond and get an instant risk analysis before you interact with the site.
Can just scanning a QR code (without clicking anything) infect my phone?
Simply scanning a QR code with your camera app does not inherently cause harm — the code just encodes a URL. The risk arises when your browser navigates to the destination and that destination contains exploit code. Keeping your OS and browser updated dramatically reduces this risk. If you only scanned and immediately closed without the browser loading, you're almost certainly fine.
I paid a parking meter with a QR code that looked slightly off. What should I do?
Contact your credit card company or bank immediately and report the transaction as potentially fraudulent. Ask them to monitor for unusual charges and, if you provided your full card number on the site, request a new card. Report the meter location to your city's transportation or parking authority so they can investigate and remove any fraudulent stickers.
Are QR codes in emails always dangerous?
Not always, but QR codes in unsolicited emails are high risk. If you did not initiate the communication and the email asks you to scan a QR code to log in, verify an account, or complete a payment, treat it as phishing. Legitimate companies do not require you to scan a QR code from an email for authentication. Navigate directly to the company's website instead.
Can iPhones be affected by malicious QR codes?
iOS's sandboxed architecture makes drive-by malware installation extremely rare. However, credential phishing via QR code is just as effective on iPhones because the attack exploits human psychology rather than OS vulnerabilities. An iOS user is equally at risk of entering their password or payment details into a convincing fake website.