A QR code scam — also called quishing, short for QR code phishing — is a form of phishing fraud in which criminals embed malicious URLs inside QR codes and distribute those codes in physical or digital environments where people expect to encounter legitimate QR codes. When a victim scans the malicious code, they are redirected to a fake website designed to steal login credentials, payment information, or personal data, or their device may be directed to download malware without their knowledge.

The QR code scam is fundamentally a phishing attack delivered through a new vector. Rather than sending a suspicious link in an email — which years of security awareness training have taught many people to treat with caution — the QR code scam presents the same malicious destination in a format that bypasses both human vigilance and many technical security filters. Because QR codes appear as images rather than clickable links, they evade many email security scanning tools that would otherwise detect and block phishing URLs. And because people have developed deep habitual trust in QR codes encountered in physical environments, the psychological barriers that might otherwise slow a potential victim’s response are significantly reduced.

Research indicates that while 69% of people can identify a bad URL in a traditional phishing email, only 39% can spot a malicious QR code. This gap in awareness is precisely what the QR code scam exploits — and it explains why this attack vector has grown so dramatically as criminals seek methods that bypass the security training people have received about traditional phishing threats. The same brand-impersonation playbook is documented in our imposter scam warning signs guide.

Almost every QR code scam follows the same four-stage pattern, from the moment the criminal creates the malicious code to the moment credentials or payment details are captured.

Step 1: Creating the Malicious QR Code

The QR code scam begins with the criminal creating a fake website — typically a near-perfect replica of a legitimate service such as a bank login page, a government payment portal, a parking payment system, a delivery tracking service, or a popular email or cloud platform. The fake website is designed to capture whatever credentials or payment information the victim enters, believing they are interacting with the genuine service. The criminal then generates a QR code that encodes the URL of this fraudulent website. QR code generation requires no technical expertise — free online tools create them instantly. The malicious QR code is visually indistinguishable from any legitimate QR code. This visual neutrality is a core feature of the QR code scam: there is no way to identify a QR code as malicious simply by looking at it.

Step 2: Deploying the QR Code

The deployment method used in the QR code scam varies depending on the target environment. In physical locations, criminals print the malicious QR code on stickers and place them over legitimate QR codes on parking meters, restaurant tables, ATM machines, bicycle rental stations, ticket machines, and public information boards. The placement is deliberate — the fake QR code occupies exactly the position where a real one would be expected, giving victims no reason to question its legitimacy. In digital environments, the QR code scam is deployed through phishing emails that embed malicious QR codes within what appear to be official communications from banks, delivery companies, government agencies, employers, or technology platforms. The email instructs the recipient to scan the QR code to verify their account, reschedule a delivery, pay an outstanding invoice, or access a secure document. Because the QR code appears as an image rather than a clickable link, it bypasses many email security filters that would otherwise flag or block a phishing URL.

Step 3: The Scan and Redirect

When the victim scans the malicious QR code, their smartphone instantly processes the encoded URL and begins loading the destination page. Most modern smartphones display a brief URL preview after scanning but before the page loads — this is the critical window in which a QR code scam can be identified and avoided. However, most people tap through this preview without reading it, particularly when they are in the context of a trusted physical environment such as a restaurant or parking facility where they have no reason to expect fraud. The destination page in a QR code scam is typically a highly convincing replica of a legitimate service. It may use the same logos, colour schemes, fonts, and layout as the genuine website. The URL may contain subtle misspellings or use a different domain extension — “paypa1.com” instead of “paypal.com”, for example — that most users will not notice when glancing at a mobile browser address bar.

Step 4: Credential or Payment Theft

Once on the fake page, the victim is prompted to enter login credentials, payment card details, personal identification information, or banking account details. Everything entered on the fake page is captured by the QR code scam operator in real time. In more sophisticated attacks, the fake page may immediately relay the victim’s credentials to the genuine website, logging in on their behalf and displaying real account information to avoid raising suspicion while the criminal begins exploiting the compromised account in the background. In some QR code scam variants, simply loading the malicious destination page can trigger a download of spyware or malware onto the device, compromising the device’s security and potentially providing the criminal with ongoing access to the victim’s communications, banking applications, and stored credentials even after the initial scan incident.

The QR code scam adapts to wherever people expect a legitimate code — parking meters, restaurant tables, delivery notices, emails, payment notices, and unsolicited packages. These are the six most reported variants.

The Parking Payment Victim

The QR code scam strikes hardest in the most routine moments. A woman parked her car in a busy city centre car park and scanned the QR code on the parking meter to pay for two hours. The page she was taken to looked completely identical to the council’s parking payment portal — same logo, same layout, same colour scheme. She entered her debit card details and received what appeared to be a payment confirmation. Several hours later she received a penalty notice for non-payment of parking charges. When she checked her bank statement, she found her card had been charged multiple times by an unknown merchant. The QR code scam sticker had been placed over the legitimate parking meter QR code — her card details had been stolen and the parking payment had never been processed. She had to contest both the penalty notice and multiple fraudulent card charges simultaneously.

The Corporate Account Compromise

The QR code scam now routinely bypasses corporate email security. A marketing manager at a medium-sized company received what appeared to be an internal IT department email asking all staff to verify their Microsoft 365 account by scanning an attached QR code. The email used the company’s logo and the sender’s display name appeared to be from IT support. She scanned the code and entered her work email address and password on what appeared to be the Microsoft login page. Within minutes, the criminal had used her credentials to access her email account, extract sensitive client data, and send further phishing emails to her contacts. The QR code scam had bypassed the company’s email security filters because it appeared as an image rather than a clickable link. The data breach required extensive IT intervention, client notification, and regulatory reporting.

The Fake Delivery Victim

The QR code scam blends seamlessly into routine logistics communications. A man received a text message telling him a parcel delivery had been attempted and that he needed to scan a QR code to reschedule. He was expecting several online orders at the time, so the message seemed entirely plausible. He scanned the code and was taken to what appeared to be a major courier’s website, where he was asked to pay a £1.50 redelivery fee by entering his card details. The £1.50 charge appeared on his statement — but so did a £340 charge made to an overseas merchant two days later. His card details, captured through the QR code scam fake payment page, had been used for a much larger fraudulent purchase. His bank eventually refunded the fraudulent charge, but the process took several weeks and caused significant inconvenience. No genuine parcel had ever been awaiting delivery.

Law enforcement and consumer protection authorities worldwide have recognised the QR code scam as a significant and growing threat and have issued extensive guidance to help the public protect themselves.

The Federal Bureau of Investigation issued a public service announcement through its Internet Crime Complaint Center specifically warning consumers about criminals tampering with QR codes at physical locations — particularly parking meters, cryptocurrency kiosks, and restaurant payment codes. The FBI advises the public to treat QR codes with the same caution applied to links in unsolicited emails and to verify the destination URL before proceeding after scanning. Report at ic3.gov.

The United States Postal Inspection Service has issued guidance on QR code scam activity — including both quishing attacks and the QR code brushing variant — and advises consumers not to scan QR codes from unexpected communications, particularly those urging immediate action. Reports of QR code scam activity can be filed with the FBI’s IC3 and the FTC at reportfraud.ftc.gov.

Action Fraud in the United Kingdom accepts QR code scam reports at actionfraud.police.uk or by calling 0300 123 2040. The National Cyber Security Centre maintains guidance on phishing attacks including quishing at ncsc.gov.uk and operates a suspicious email and QR code reporting service at report@phishing.gov.uk.

Cybersecurity researchers note that QR code scam attacks are particularly effective against corporate targets because malicious QR codes embedded in phishing emails bypass many email security scanning systems that are designed to detect and block suspicious URLs in text form. Many organisations are now updating their security awareness training to specifically address the QR code scam threat and implementing technical controls to detect QR code phishing at the email gateway level.

Inspect Before You Scan

Before scanning any QR code in a physical location, take a moment to inspect it. Look for signs of tampering — a sticker placed over the original code, peeling edges, misaligned placement, or a different printing quality from the surrounding material. Check whether the QR code is consistent with the branding and visual style of the location. This brief inspection habit can identify the physical overlay variant of the QR code scam before any scan takes place.

Always Read the URL Preview Before Tapping

Most modern smartphones display a URL preview after scanning a QR code but before the page loads. This is your most important protection against the QR code scam in digital and physical environments. Take a moment to read the URL carefully — check for misspellings, unexpected domain names, HTTP rather than HTTPS, or domain structures that do not match the legitimate service. If anything about the URL looks unusual, do not proceed and verify the destination independently through official channels.

Treat QR Codes in Emails with Maximum Caution

Apply the same scepticism to QR codes in emails that you would apply to links in emails from unknown senders. If you receive an email containing a QR code — regardless of how legitimate the sender name, logo, or communication content appears — verify the request through the organisation’s official website or contact number before scanning. The QR code scam is specifically designed to exploit the reduced vigilance people apply to QR codes compared to clickable links. The same playbook is used in our imposter scam warning signs guide.

Use Official Apps Instead of Scanning

Where possible, use the official app of a service provider rather than scanning a QR code to access their services. For banking, payments, and account management, opening the verified official app eliminates the risk of a QR code scam redirect entirely. For parking payments and similar services, many providers have official apps that are safer than scanning physical QR codes that may have been tampered with.

Never Enter Sensitive Information Based Solely on a QR Scan

Even if the URL preview appears legitimate and the destination page looks genuine, be cautious about entering sensitive information — login credentials, payment details, or personal identification data — on a page reached through a QR code scan, particularly in response to an unsolicited communication. If in doubt, navigate to the service directly through your browser or app and complete the action there instead. This additional verification step provides comprehensive protection against the QR code scam.

Keep Your Device Software Updated

Ensure your smartphone’s operating system, browser, and security software are kept up to date. Software updates frequently include patches for vulnerabilities that QR code scam malware delivery attacks exploit. Mobile security software can detect malicious websites and block risky downloads before damage is done, providing an additional layer of protection for situations where a malicious QR code destination is accessed before the fraud is recognised.

If you suspect you have been caught by a QR code scam, act fast. The steps below limit the damage and protect you from the downstream consequences.