QR Code Phishing (Quishing) Scams — How to Spot Fake QR Codes and Stay Safe
Scanning a QR code can steal your personal data in seconds. Learn what quishing is, how to identify fake QR codes, and how to protect yourself from QR code phishing scams.
QR Code Phishing (Quishing) — The Scam Hiding in Plain Sight
You scan a QR code at a restaurant to view the menu. You scan one at a parking meter to pay. You scan a code from a delivery notification to track your package. These feel completely harmless. But what if that QR code isn't what it seems?
QR phishing attacks have surged by 270% month-over-month in 2025-2026, and 12% of all phishing attacks now contain QR codes. The FBI has even warned about North Korean hackers deploying malicious QR codes. It's time to start treating QR codes with the same caution as suspicious links.
What Is Quishing?
Quishing = QR + Phishing
Traditional phishing sends you a fake link via email or iMessage. Quishing uses a fake QR code to redirect you to a malicious website instead. The key difference? You can't read a QR code with your eyes — making it even more dangerous than a text-based link.
Real-World Quishing Scams
1. Fake Parking Meter QR Codes
Criminal places a sticker over the legitimate QR code
→ You scan it and land on a fake payment page
→ Enter your card details → stolen instantly
Across the US, fake QR stickers have appeared on parking meters, bike-share stations, and EV charging stations. Cities like Austin, San Antonio, and Houston have issued public warnings.
2. Fake Restaurant Menu QR Codes
Scammers place a fraudulent QR sticker over a restaurant's real menu code. Instead of the menu, you're taken to a page requesting personal information or payment details — especially at places that require pre-ordering.
3. QR Codes in Phishing Emails
"Your account requires security verification — scan the QR code below"
→ Fake login page
→ Corporate credentials stolen
AI and LLM tools are now being used to craft highly convincing phishing emails with embedded QR codes. These bypass traditional email filters because the malicious URL is hidden inside the image.
4. Fake Delivery Notification QR Codes
"Delivery rescheduled — scan this QR code to update your address"
→ Fake carrier website
→ Name, address, and payment info harvested
Text messages and emails pretending to be from FedEx, UPS, or USPS with QR codes have become one of the fastest-growing scam vectors.
5 Signs of a Fake QR Code
| # | Warning Sign | What to Look For |
|---|---|---|
| 1 | Physical sticker placed over original | Feel the surface — if there's a sticker layered on top, it's likely fake |
| 2 | URL doesn't match expected domain | The scanned URL should match the business (e.g., parking-city.gov, not p4rking-pay.net) |
| 3 | Asks for personal info or payment immediately | Legitimate QR codes rarely demand card details right away |
| 4 | No HTTPS | If the URL starts with http:// instead of https://, the connection isn't secure |
| 5 | Redirects through shortened URLs | Multiple redirects that obscure the final destination are a red flag |
How to Scan QR Codes Safely
Step 1: Use Your Phone's Built-In Camera
Your iPhone or Android camera shows a URL preview before opening the link. Never use third-party QR apps that open links automatically.
Step 2: Check the URL Before Tapping
Read the URL carefully. Does it match the expected business? cityparking.gov is safe. c1ty-parking-pay.com is not.
Step 3: Never Enter Payment Details from a QR-Scanned Link
If a QR code leads to a payment page, close it. Go directly to the official app or website to make your payment instead.
Step 4: Use a QR Scanner App with URL Checking
Security-focused QR scanners can flag known malicious URLs before you open them.
Step 5: Physically Inspect the QR Code
In public places, check whether the QR code is a sticker placed over another one. If it's raised, peeling, or misaligned — don't scan it.
Safe QR Codes vs Dangerous QR Codes
Legitimate Uses
- Wi-Fi sharing: Cafes and hotels providing Wi-Fi credentials via QR
- Official menus: Restaurant QR codes integrated into their ordering system
- Trusted payments: QR codes generated within official banking or payment apps
- LOCK.PUB link sharing: Password-protected QR links with a trusted
lock.pubdomain
Dangerous Red Flags
- QR codes in unsolicited emails
- Stickers placed in public spaces by unknown sources
- QR codes on random flyers, posters, or business cards
- QR codes received via iMessage or Messenger from unknown senders
What to Do If You Scanned a Suspicious QR Code
Don't panic. Follow these steps immediately:
- Close the browser — if you didn't enter any information, you're likely safe
- If you entered credentials, change your password immediately
- If you entered payment info, contact your bank or card issuer to freeze the card
- Check for unknown apps that may have been installed and delete them
- Report it to the FTC (reportfraud.ftc.gov) or your local cybercrime authority
How LOCK.PUB Uses QR Codes Safely
LOCK.PUB lets you share links via QR codes — but with built-in safety features that set it apart:
- Password protection: Even after scanning the QR code, a password is required to access the content
- Trusted domain: Always resolves to
lock.pub— easy to verify - Expiration: Links automatically deactivate after the set time period
- Access tracking: See exactly who opened your link and when
The problem isn't QR codes themselves — it's unverified QR codes from unknown sources. Stick to QR codes from trusted origins, and always check the URL before tapping.
Conclusion
QR codes are everywhere because they're convenient. But that convenience is exactly what scammers exploit. One scan can hand over your credit card details, your login credentials, or access to your corporate network.
Before you scan any QR code, take 3 seconds to verify it. Those 3 seconds could save your identity, your money, and your peace of mind.
Keywords
You might also like
How to Prevent Interview Coding Assignment Leaks
Learn how to protect interview coding assignments from being leaked online. Strategies for both companies and candidates using password-protected links, expiration times, and secure submission methods.
How to Safely Share Passwords with Family and Partners
Netflix, Wi-Fi, cloud storage — families and couples share dozens of accounts. Learn the safest ways to send passwords without leaving them exposed in your chat history.
Encrypt Link: How to Encrypt Any URL for Free
Learn how to encrypt any link for free. Create encrypted URLs with password protection, expiration dates, and one-time access. Complete guide to link encryption.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free