- Introduction
- What Is a QR Code Scam?
- How QR Code Scams Work Step by Step
- Types of QR Code Scams to Know
- QR Code Scam Warning Signs Everyone Should Know
- Real Stories: How the QR Code Scam Affects Real People
- What Authorities Say About QR Code Scams
- How to Protect Yourself from QR Code Scams
- What to Do If You Have Been Targeted by a QR Code Scam
- Conclusion
Introduction
The QR code scam has emerged as one of the most rapidly growing and widely underestimated forms of fraud. As QR codes have become embedded in virtually every aspect of daily life — restaurant menus, parking meters, payment systems, delivery notifications, email communications, and public signage — criminals have found a powerful new tool for delivering phishing attacks, stealing personal data, harvesting financial credentials, and installing malware on victims’ devices. If you have been searching for information about QR code scams, this comprehensive guide will give you everything you need to know to protect yourself in an increasingly scan-first world.
The QR code scam — also known as quishing, short for QR code phishing — exploits a fundamental vulnerability that QR codes create in the human decision-making process. Unlike a clickable web link, which displays its destination URL and can be evaluated before being clicked, a QR code hides its destination entirely. The encoded URL is invisible until after the code has been scanned and the device begins loading the destination page. By this point, any damage may already be underway. More than 20 million people have reportedly been tricked by fake QR codes, and cybersecurity researchers warn that the QR code scam is evolving from a niche concern into a mainstream fraud threat affecting consumers and businesses at scale.
What makes the QR code scam particularly dangerous is how seamlessly it exploits the trust and routine that QR codes have built with users. People have been trained through years of experience to treat QR codes as safe shortcuts — faster than typing a URL, more convenient than navigating an app, and associated with trusted physical environments like restaurants, parking facilities, and retail stores. The QR code scam deliberately leverages this accumulated trust, placing malicious codes in precisely the contexts where people expect to find legitimate ones and feel most confident scanning without verification.
This guide from Scammers Expose provides a thorough breakdown of the QR code scam: the specific tactics used by fraudsters, how these scams unfold step by step, the warning signs that can protect you before you scan, real accounts from affected victims, what authorities say about this growing threat, and the concrete steps you should take if you have been targeted. Understanding the QR code scam fully is the most powerful protection available in a world where scanning has become second nature.
What Is a QR Code Scam?
A QR code scam — or quishing attack — is a form of phishing fraud in which criminals embed malicious URLs inside QR codes and distribute those codes in physical or digital environments where people expect to encounter legitimate QR codes. When a victim scans the malicious QR code, they are redirected to a fake website designed to steal login credentials, payment information, or personal data, or their device may be directed to download malware without their knowledge.
The QR code scam is fundamentally a phishing attack delivered through a new vector. Rather than sending a suspicious link in an email — which years of security awareness training have taught many people to treat with caution — the QR code scam presents the same malicious destination in a format that bypasses both human vigilance and many technical security filters. Because QR codes appear as images rather than clickable links, they evade many email security scanning tools that would otherwise detect and block phishing URLs. And because people have developed deep habitual trust in QR codes encountered in physical environments, the psychological barriers that might otherwise slow a potential victim’s response are significantly reduced.
Research indicates that while 69% of people can identify a bad URL in a traditional phishing email, only 39% can spot a malicious QR code. This gap in awareness is precisely what the QR code scam exploits — and it explains why this attack vector has grown so dramatically in recent years as criminals seek methods that bypass the security training people have received about traditional phishing threats.
How QR Code Scams Work Step by Step
Understanding precisely how the QR code scam operates at each stage makes it significantly easier to identify and avoid before any harm occurs.
Step 1: Creating the Malicious QR Code
The QR code scam begins with the criminal creating a fake website — typically a near-perfect replica of a legitimate service such as a bank login page, a government payment portal, a parking payment system, a delivery tracking service, or a popular email or cloud platform. The fake website is designed to capture whatever credentials or payment information the victim enters, believing they are interacting with the genuine service.
The criminal then generates a QR code that encodes the URL of this fraudulent website. QR code generation requires no technical expertise — free online tools create them instantly. The malicious QR code is visually indistinguishable from any legitimate QR code. This visual neutrality is a core feature of the QR code scam — there is no way to identify a QR code as malicious simply by looking at it.
Step 2: Deploying the QR Code
The deployment method used in the QR code scam varies depending on the target environment. In physical locations, criminals print the malicious QR code on stickers and place them over legitimate QR codes on parking meters, restaurant tables, ATMs, bicycle rental stations, ticket machines, and public information boards. The placement is deliberate — the fake QR code occupies exactly the position where a real one would be expected, giving victims no reason to question its legitimacy.
In digital environments, the QR code scam is deployed through phishing emails that embed malicious QR codes within what appear to be official communications from banks, delivery companies, government agencies, employers, or technology platforms. The email instructs the recipient to scan the QR code to verify their account, reschedule a delivery, pay an outstanding invoice, or access a secure document. Because the QR code appears as an image rather than a clickable link, it bypasses many email security filters that would otherwise flag or block a phishing URL.
Step 3: The Scan and Redirect
When the victim scans the malicious QR code, their smartphone instantly processes the encoded URL and begins loading the destination page. Most modern smartphones display a brief URL preview after scanning but before the page loads — this is the critical window in which a QR code scam can be identified and avoided. However, most people tap through this preview without reading it, particularly when they are in the context of a trusted physical environment such as a restaurant or parking facility where they have no reason to expect fraud.
The destination page in a QR code scam is typically a highly convincing replica of a legitimate service. It may use the same logos, colour schemes, fonts, and layout as the genuine website. The URL may contain subtle misspellings or use a different domain extension — “paypa1.com” instead of “paypal.com”, for example — that most users will not notice when glancing at a mobile browser address bar.
Step 4: Credential or Payment Theft
Once on the fake page, the victim is prompted to enter login credentials, payment card details, personal identification information, or banking account details. Everything entered on the fake page is captured by the QR code scam operator in real time. In more sophisticated attacks, the fake page may immediately relay the victim’s credentials to the genuine website, logging in on their behalf and displaying real account information to avoid raising suspicion while the criminal begins exploiting the compromised account in the background.
In some QR code scam variants, simply loading the malicious destination page can trigger a download of spyware or malware onto the device, compromising the device’s security and potentially providing the criminal with ongoing access to the victim’s communications, banking applications, and stored credentials even after the initial scan incident.
Types of QR Code Scams to Know
The Parking Meter QR Code Scam
The parking meter QR code scam is one of the most widely reported physical variants. Criminals place stickers bearing malicious QR codes over the legitimate payment QR codes on parking meters, ticket machines, and pay-and-display stations. Drivers who scan the fake code to pay for parking are directed to a convincing fake payment page where they enter their credit or debit card details, believing they are completing a legitimate parking transaction. Their card details are stolen, and the parking payment is never processed — often resulting in a penalty notice in addition to the financial loss from card fraud.
The Restaurant Menu QR Code Scam
In the restaurant QR code scam, criminals replace or cover legitimate table QR codes — typically used to display digital menus or process payments — with malicious alternatives. Diners who scan the fake code expecting to view a menu are instead directed to a page requesting payment verification, login credentials, or personal information. The trusted context of a restaurant table significantly reduces the likelihood that a diner will question the authenticity of a QR code they encounter there.
The Fake Delivery Notification QR Code Scam
This digital variant of the QR code scam involves criminals sending emails, text messages, or physical door tags claiming that a delivery has been missed or is being held, instructing the recipient to scan a QR code to reschedule. The QR code leads to a fake delivery company website that requests payment of a small redelivery fee — harvesting card details — or a fake login page that captures account credentials. The combination of a plausible delivery notification with the immediate call-to-action of scanning a QR code makes this one of the most effective digital QR code scam variants.
The Government Payment QR Code Scam
The government impersonation QR code scam involves criminals sending fraudulent notices claiming to be from tax authorities, local councils, or government agencies, demanding payment of outstanding fines, taxes, or fees and including a QR code for payment. Real government agencies do not collect payments through random QR codes in unsolicited communications. Any payment notice containing a QR code and claiming to represent a government authority should be verified by contacting the relevant agency through their official contact details before any action is taken.
The Corporate Email QR Code Scam
In corporate environments, the QR code scam is delivered through phishing emails impersonating IT departments, HR teams, or senior management, instructing employees to scan a QR code to access a secure document, complete mandatory training, verify their Microsoft or Google account, or respond to an urgent request. Because the QR code bypasses email security filters that scan for malicious links, this variant of the QR code scam has proven particularly effective at penetrating corporate security environments and compromising employee accounts at scale.
The QR Code Brushing Scam
The brushing QR code scam involves victims receiving unsolicited packages or flyers at their home address containing a QR code, typically under the guise of revealing who sent a gift or claiming a prize. The QR code leads to a phishing website designed to collect personal information or install malware. This variant is particularly insidious because the physical arrival of a package creates a sense of legitimacy and triggers natural curiosity that overcomes the caution a recipient might otherwise apply to an unsolicited digital communication.
QR Code Scam Warning Signs Everyone Should Know
Recognising the QR code scam before scanning — or before entering any information on a page reached via QR code — is far better than attempting to recover from the consequences. These are the specific warning signs every person should know:
- Physical signs of tampering: Before scanning any QR code in a public physical location, look for signs that a sticker has been placed over the original code — peeling edges, misaligned placement, different paper quality, or a slightly raised surface are all indicators of a potential QR code scam overlay. Legitimate QR codes at established venues are typically printed directly on the material, not applied as a separate sticker.
- The QR code appears in an unexpected location: QR codes appearing on street signs, lampposts, unbranded posters, or in locations where they serve no obvious legitimate purpose should be treated with extreme caution. Legitimate organisations place QR codes in branded, consistent contexts — not randomly in public spaces.
- An email or message urges you to scan urgently: Any message — whether by email, text, or physical mail — that creates urgency around scanning a QR code should be treated as a probable QR code scam. Legitimate services do not threaten account suspension, fines, or missed deliveries that can only be resolved by scanning a QR code immediately.
- The URL preview looks suspicious: After scanning a QR code and before tapping to load the page, read the URL preview your smartphone displays carefully. Look for misspellings, unexpected domain names, the use of HTTP rather than HTTPS, overly long strings of random characters, or domain names that mimic legitimate services with slight variations. Any suspicious URL is a signal to stop and verify independently.
- The destination page immediately requests sensitive information: Legitimate services rarely ask for login credentials, payment details, or personal identification information immediately after a QR code scan, particularly in physical environments. Any page that instantly requests this information upon a QR scan should be treated as a potential QR code scam.
- A government agency or bank is demanding payment via QR code: No legitimate government agency, financial institution, or utility company will demand payment through a QR code in an unsolicited communication. This is a categorical indicator of a QR code scam.
- The QR code was sent by someone you don’t know: Apply the same caution to QR codes that you would to links in emails from unknown senders. If you did not request the communication or the QR code has no clear legitimate context, do not scan it.
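The URL checks in the list above (HTTP instead of HTTPS, lookalike domains such as paypa1.com, a trusted brand buried in a subdomain, long random-looking paths) can be turned into a small triage routine of the kind an email gateway or a help desk could run on the URL decoded from a QR code. The code below is an added example written for this article, not a tool from Scammers Expose or any vendor; the trusted-domain list is an assumption, and the QR image is assumed to have already been decoded to a URL string by a separate decoder.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Assumed allowlist of brands a scanned code is expected to lead to;
# a real deployment would load the organisation's own list.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "royalmail.com"}

# Digit-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def normalise(label: str) -> str:
    """Fold common substitutions so that 'paypa1' compares equal to 'paypal'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random tokens score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def assess_qr_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings for a decoded QR URL; [] means no red flags."""
    findings = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append(f"scheme is {parsed.scheme or 'missing'}, not https")
    if not host:
        findings.append("no host name in URL")
        return findings
    if host.replace(".", "").isdigit():
        findings.append("destination is a bare IP address")
    # An exact match or a subdomain of a trusted domain needs no further domain checks.
    if not any(host == t or host.endswith("." + t) for t in trusted):
        labels = host.split(".")
        apex = ".".join(labels[-2:])  # crude registrable domain, e.g. paypa1.com
        for t in trusted:
            brand = t.split(".")[0]
            # paypal.com.account-verify.top: the brand sits left of the real domain.
            if brand in labels[:-2]:
                findings.append(f"trusted brand '{brand}' appears as a subdomain of {apex}")
            # paypa1.com or microsof.com: close to the brand but not the real domain.
            if apex != t and edit_distance(normalise(labels[-2]), brand) <= 1:
                findings.append(f"domain '{apex}' looks like '{t}'")
    tail = parsed.path + ("?" + parsed.query if parsed.query else "")
    if len(tail) > 60 and entropy(tail) > 4.0:
        findings.append("path/query is a long high-entropy string")
    return findings


def is_suspicious(url: str) -> bool:
    """Convenience wrapper: True when any finding was raised."""
    return bool(assess_qr_url(url))


if __name__ == "__main__":
    # Constructed sample URLs, including the article's own paypa1.com example.
    for sample in ("https://www.paypal.com/signin", "https://paypa1.com/login",
                   "http://paypal.com/", "https://paypal.com.account-verify.top/login"):
        print(sample, "->", assess_qr_url(sample) or "no red flags")
```

The heuristics are deliberately simple and will miss domains that do not resemble any allowlisted brand, so a clean result means "no obvious red flag", not "safe".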
Real Stories: How the QR Code Scam Affects Real People
The impact of the QR code scam extends across everyday situations that most people would never think to question. The following anonymised accounts illustrate how these scams operate in practice.
Story 1: The Parking Payment Victim
A woman parked her car in a busy city centre car park and scanned the QR code on the parking meter to pay for two hours. The page she was taken to looked completely identical to the council’s parking payment portal — same logo, same layout, same colour scheme. She entered her debit card details and received what appeared to be a payment confirmation.
Several hours later she received a penalty notice for non-payment of parking charges. When she checked her bank statement, she found her card had been charged multiple times by an unknown merchant. The QR code scam sticker had been placed over the legitimate parking meter QR code — her card details had been stolen and the parking payment had never been processed. She had to contest both the penalty notice and multiple fraudulent card charges simultaneously.
Story 2: The Corporate Account Compromise
A marketing manager at a medium-sized company received what appeared to be an internal IT department email asking all staff to verify their Microsoft 365 account by scanning an attached QR code. The email used the company’s logo and the sender’s display name appeared to be from IT support. She scanned the code and entered her work email address and password on what appeared to be the Microsoft login page.
Within minutes, the criminal had used her credentials to access her email account, extract sensitive client data, and send further phishing emails to her contacts. The QR code scam had bypassed the company’s email security filters because it appeared as an image rather than a clickable link. The data breach required extensive IT intervention, client notification, and regulatory reporting.
Story 3: The Fake Delivery Victim
A man received a text message telling him a parcel delivery had been attempted and that he needed to scan a QR code to reschedule. He was expecting several online orders at the time, so the message seemed entirely plausible. He scanned the code and was taken to what appeared to be a major courier’s website, where he was asked to pay a £1.50 redelivery fee by entering his card details.
The £1.50 charge appeared on his statement — but so did a £340 charge made to an overseas merchant two days later. His card details, captured through the scam’s fake payment page, had been used for a much larger fraudulent purchase. His bank eventually refunded the fraudulent charge, but the process took several weeks and caused significant inconvenience. No genuine parcel had ever been awaiting delivery.
What Authorities Say About QR Code Scams
Law enforcement and consumer protection authorities worldwide have recognised the QR code scam as a significant and growing threat and have issued extensive guidance to help the public protect themselves.
The Federal Bureau of Investigation issued a public service announcement through its Internet Crime Complaint Center specifically warning consumers about criminals tampering with QR codes at physical locations — particularly parking meters, cryptocurrency kiosks, and restaurant payment codes. The FBI advises the public to treat QR codes with the same caution applied to links in unsolicited emails and to verify the destination URL before proceeding after scanning.
The United States Postal Inspection Service has issued guidance on QR code scam activity — including both quishing attacks and the QR code brushing variant — and advises consumers not to scan QR codes from unexpected communications, particularly those urging immediate action. Reports of QR code scam activity can be filed with the FBI’s IC3 at ic3.gov and the FTC at reportfraud.ftc.gov.
Action Fraud in the United Kingdom accepts QR code scam reports at actionfraud.police.uk or by calling 0300 123 2040. The National Cyber Security Centre maintains guidance on phishing attacks including quishing at ncsc.gov.uk and operates a suspicious email and QR code reporting service.
Cybersecurity researchers note that QR code scam attacks are particularly effective against corporate targets because malicious QR codes embedded in phishing emails bypass many email security scanning systems that are designed to detect and block suspicious URLs in text form. Many organisations are now updating their security awareness training to specifically address the QR code scam threat and implementing technical controls to detect QR code phishing at the email gateway level.
How to Protect Yourself from QR Code Scams
Inspect Before You Scan
Before scanning any QR code in a physical location, take a moment to inspect it. Look for signs of tampering — a sticker placed over the original code, peeling edges, misaligned placement, or a different printing quality from the surrounding material. Check whether the QR code is consistent with the branding and visual style of the location. This brief inspection habit can identify the physical overlay variant of the QR code scam before any scan takes place.
Always Read the URL Preview Before Tapping
Most modern smartphones display a URL preview after scanning a QR code but before the page loads. This is your most important protection against the QR code scam in digital and physical environments. Take a moment to read the URL carefully — check for misspellings, unexpected domain names, HTTP rather than HTTPS, or domain structures that do not match the legitimate service. If anything about the URL looks unusual, do not proceed and verify the destination independently through official channels.
Treat QR Codes in Emails with Maximum Caution
Apply the same scepticism to QR codes in emails that you would apply to links in emails from unknown senders. If you receive an email containing a QR code — regardless of how legitimate the sender name, logo, or communication content appears — verify the request through the organisation’s official website or contact number before scanning. The QR code scam is specifically designed to exploit the reduced vigilance people apply to QR codes compared to clickable links.
Use Official Apps Instead of Scanning
Where possible, use the official app of a service provider rather than scanning a QR code to access their services. For banking, payments, and account management, opening the verified official app eliminates the risk of a QR code scam redirect entirely. For parking payments and similar services, many providers have official apps that are safer than scanning physical QR codes that may have been tampered with.
Never Enter Sensitive Information Based Solely on a QR Scan
Even if the URL preview appears legitimate and the destination page looks genuine, be cautious about entering sensitive information — login credentials, payment details, or personal identification data — on a page reached through a QR code scan, particularly in response to an unsolicited communication. If in doubt, navigate to the service directly through your browser or app and complete the action there instead. This additional verification step provides comprehensive protection against the QR code scam.
Keep Your Device Software Updated
Ensure your smartphone’s operating system, browser, and security software are kept up to date. Software updates frequently include patches for vulnerabilities that QR code scam malware delivery attacks exploit. Mobile security software can detect malicious websites and block risky downloads before damage is done, providing an additional layer of protection for situations where a malicious QR code destination is accessed before the fraud is recognised.
What to Do If You Have Been Targeted by a QR Code Scam
Do Not Enter Any Further Information
If you realise mid-interaction that you may be on a fake page reached through a QR code scam, stop immediately. Close the page without entering any further information. Do not attempt to log in, make a payment, or provide any details. If you have already entered information, proceed immediately to the steps below.
Change Compromised Passwords Immediately
If you entered login credentials on a page reached through a QR code scam, change your password on the genuine service immediately. If you use the same password across multiple accounts — which should be avoided — change it on all of them. Enable multi-factor authentication on all important accounts to prevent access even if your password has been captured.
Contact Your Bank Immediately
If you entered payment card details on a page reached through a QR code scam, contact your bank or card provider immediately to report the fraud and request that your card be cancelled and reissued. Report any unauthorised transactions and request a chargeback for any fraudulent charges. Acting quickly significantly increases the chances of recovering any funds lost through card fraud.
Scan Your Device for Malware
If you scanned a malicious QR code and loaded the destination page — even if you did not enter any information — run a security scan on your device using reputable mobile security software. Some sophisticated QR code scam attacks can trigger malware downloads simply through the act of loading the malicious page, without any further user interaction required.
Report to Authorities and the Relevant Organisation
Report the QR code scam to Action Fraud at actionfraud.police.uk in the UK, the FBI’s IC3 at ic3.gov in the US, or Scamwatch at scamwatch.gov.au in Australia. If you encountered the QR code scam as a physical sticker on a parking meter, restaurant table, or public location, report it to the venue and relevant local authority so the tampered code can be removed and other people protected. Report suspicious QR codes in emails to the NCSC’s phishing reporting service at report@phishing.gov.uk in the UK.
Conclusion
The QR code scam represents one of the most elegant and effective fraud innovations of recent years — exploiting the trust, convenience, and ubiquity that QR codes have built with the public to deliver phishing attacks in contexts where people feel completely safe. As QR codes continue to replace traditional menus, payment systems, and access controls across virtually every sector of daily life, the QR code scam will only grow in scale and sophistication.
The defence against the QR code scam requires one fundamental shift in habit: treating every QR code with the same thoughtful caution you would apply to a link in an email from an unknown sender. Inspect physical codes for tampering, read URL previews before tapping, verify unexpected communications through official channels before scanning, and never enter sensitive information on a page reached via QR code without independent verification. These habits, applied consistently, make the QR code scam significantly harder to execute successfully against you.
If this article helped you understand the QR code scam, please share it widely — particularly with people who may not be aware that QR codes can be used as fraud tools. The more people who understand how quishing works, the harder it becomes for criminals to exploit the trust that QR codes have built. Visit our news section for the latest scam alerts. For more insights into fraud and online scams, visit Scammers Expose.