SCAMMERDETECT

QR codes are everywhere — restaurant menus, parking meters, product packaging, event tickets, and email inboxes. And scammers have noticed. QR code phishing attacks, known as "quishing," increased fivefold in 2025, making them one of the fastest-growing cyber threats in the world. According to Keepnet Labs research, over 4.2 million QR code phishing threats were identified in early 2025, and 12% of all phishing attacks now contain a QR code. The problem is compounded by a staggering statistic: 73% of Americans scan QR codes without verifying where they lead. Scammers are exploiting that trust to steal credentials, financial data, and money at scale.

Fake QR codes placed over legitimate ones at parking meters, restaurants, and in mail can redirect you to phishing sites that steal your data.

How QR Code Scams Work

The mechanics are deceptively simple. A scammer creates a QR code that links to a malicious website — a fake login page, a fraudulent payment portal, or a site that downloads malware. They then place that QR code where victims will scan it, either physically (as a sticker or printed code) or digitally (in emails, text messages, or social media posts).

When you scan the code, your phone's browser opens the malicious URL. Because QR codes hide their destination — you cannot read the URL just by looking at the code — victims often do not realize they have been redirected to a fake site until it is too late.

Nearly 90% of quishing attacks are designed to steal login credentials, targeting corporate email systems, cloud storage platforms, banking portals, and remote access tools. The FTC has warned that scammers are now attaching QR codes to physical mail and packages sent directly to people's homes.

Where Fake QR Codes Appear

Parking Meters and Public Spaces

One of the most widely reported quishing tactics involves fake QR code stickers placed over legitimate ones on parking meters, EV charging stations, and bike-share kiosks. You think you are paying for parking, but the code sends you to a fake payment page that captures your credit card information. In 2025, fake QR code stickers at over 200 retail locations caused $2.3 million in damage control costs. Cities including Austin, Houston, San Antonio, and multiple European cities have issued public warnings about tampered parking QR codes.

Restaurant Menus and Retail

The pandemic-era shift to QR code menus created a new attack surface. Scammers place sticker QR codes over legitimate ones at restaurants, bars, and retail stores, redirecting customers to phishing pages or fake ordering systems that capture payment data. Because patrons expect to scan codes in these environments, the scam is nearly invisible.

Email and Business Communications

QR-based phishing emails surged from approximately 47,000 in August to over 249,000 in November 2025. These emails impersonate banks, shipping companies, HR departments, or IT teams and include a QR code instead of a traditional phishing link. The QR code bypasses many email security filters that scan URLs but cannot read QR code contents. Common tactics include fake package delivery notifications, account verification requests, and multi-factor authentication reset prompts.

Physical Mail and Packages

The Federal Trade Commission has documented a rise in scam letters and packages that include QR codes. These may claim to be from your bank, a government agency, or a utility company, directing you to scan the code to "verify your account" or "claim a refund." Some scammers even send unsolicited packages with QR codes on the label or packing slip.

Cryptocurrency Scams

Crypto scammers use QR codes to direct victims to fraudulent wallet addresses or fake exchange platforms. Because cryptocurrency transactions are irreversible, a single scan can result in permanent loss of funds. If you encounter a suspicious crypto-related QR code, you should report the crypto scam immediately.

Why Quishing Is So Effective

QR code scams exploit several human behaviors and technical blind spots:

  • Codes hide their destination. Unlike a URL you can read and evaluate, a QR code is opaque — you cannot see where it leads until after you scan it.
  • People trust physical codes. A QR code printed on a parking meter or posted in a restaurant feels legitimate because it occupies a trusted physical space.
  • Mobile screens obscure URLs. Phone browsers display truncated URLs, making it harder to spot a fake domain on a small screen.
  • Email filters cannot read QR codes. Most corporate email security tools scan links in text but cannot analyze QR codes embedded as images, allowing phishing emails to bypass filters.
  • AI accelerates attacks. Scammers use AI tools to rapidly generate convincing phishing pages and tailor them to specific targets, making quishing campaigns easier to scale and harder to detect.

How to Verify QR Codes Safely

Protecting yourself from quishing requires a few simple habits:

  1. Preview the URL before tapping. Most phone cameras show the destination URL after scanning. Read it carefully before opening. Look for misspellings, extra characters, or domains that do not match the expected organization.
  2. Check for physical tampering. At parking meters, restaurants, or public kiosks, look for stickers placed over existing QR codes. If the code looks like it was added after the fact, do not scan it.
  3. Type URLs directly. If a QR code claims to link to your bank, the IRS, or any known organization, skip the code entirely and type the official URL directly into your browser.
  4. Use a QR scanner with preview. Some QR scanning apps show the full URL and flag known malicious domains before opening the link. Your phone's built-in camera app typically provides a URL preview as well.
  5. Never enter credentials after scanning. If a QR code leads to a login page, be extremely cautious. Close the browser, navigate to the official site manually, and log in from there.
  6. Use our tools to check suspicious URLs. If a QR code directs you to an unfamiliar website, check if the site is a scam before entering any information.
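
The URL preview check from step 1, written out as code (an added example, not part of the original article or this site's tools). It takes the text decoded from a QR code and the domain you expected to reach, and returns the warning signs described above. The function names, warning labels, and the sample domain cityparking.example are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_url(decoded, expected_domain):
    """Return warning labels for text decoded from a QR code."""
    warnings = []
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:       # https://trusted-name@other-host/
        warnings.append("userinfo-before-host")
    if not host:
        return warnings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        return warnings + ["ip-literal-host"]
    except ValueError:
        pass                             # a name, not an IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")
    if host == expected or host.endswith("." + expected):
        return warnings                  # expected domain or its subdomain
    warnings.append("domain-mismatch")
    # Assumption: the last two labels approximate the registrable domain
    # (a production check would consult the Public Suffix List).
    tail = ".".join(host.split(".")[-2:])
    if edit_distance(tail, expected) <= 2:
        warnings.append("lookalike-of-expected")
    if expected.split(".")[0] in host:   # brand name reused inside another domain
        warnings.append("expected-name-embedded")
    return warnings

# Constructed sample payloads; cityparking.example is a hypothetical operator.
SAMPLES = ["https://pay.cityparking.example/meter/1182",
           "https://cityparkinq.example/pay",
           "https://cityparking.example.pay-secure.test/login"]
if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", review_qr_url(url, "cityparking.example") or "no warnings")
```

An empty result only means none of these specific signs were found; it does not prove the site is legitimate.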

What to Do If You Scanned a Malicious QR Code

If you believe you scanned a fake QR code and entered information on a suspicious site:

  1. Change your passwords immediately for any accounts whose credentials you may have entered, starting with email and banking.
  2. Enable two-factor authentication on all sensitive accounts if you have not already.
  3. Monitor your bank and credit card statements for unauthorized charges.
  4. Run a security scan on your phone using your device's built-in security tools or a reputable mobile security app.
  5. Report the phishing site — forward details to the Anti-Phishing Working Group at reportphishing@apwg.org and report the phishing email if it arrived by email.
  6. Report tampered physical codes to the business owner, local authorities, or the parking authority responsible for the location.

If you have been scammed online through a QR code attack, documenting everything quickly — screenshots, URLs, transaction records — is critical for both recovery and law enforcement reporting.
