Security · April 15, 2026 · 7 min read

How to Protect Yourself From QR Code Scams

By Sarah Chen

Head of Privacy Research

QR codes are everywhere — restaurant menus, parking meters, event tickets, product packaging, even business cards. Their convenience has made them a part of daily life, but it has also made them a powerful weapon for scammers. QR code phishing, known as "quishing," has surged dramatically since 2023, and most people have no idea how to spot a malicious QR code before it is too late. Here is what you need to know to protect yourself.

What Is Quishing?

Quishing is a form of phishing that uses QR codes instead of traditional hyperlinks to direct victims to malicious websites. The term combines "QR" and "phishing," and the attack works precisely because QR codes remove one of the most important safety checks available to users: the ability to see where a link leads before clicking it.

With a standard phishing email, you can hover over a link and inspect the URL before clicking. A QR code offers no such preview — you scan it and your phone opens whatever destination the code encodes, whether that is a legitimate menu or a credential-harvesting page. Making matters worse, when attackers embed QR codes as images in phishing emails, traditional email security filters cannot scan the encoded URL, allowing malicious links to bypass automated defenses entirely.

How QR Code Scams Work

Scammers have developed a wide range of quishing techniques, targeting people in both digital and physical environments. Here are the most common attack methods:

Fake Parking Meter QR Codes

Criminals place sticker QR codes over legitimate ones on parking meters and pay stations. When you scan the code to pay for parking, you are redirected to a fraudulent payment page that captures your credit card details. These scams have been reported in major cities across the United States and Europe, and the stickers are designed to blend in seamlessly.

Tampered Restaurant QR Codes

Table-top QR codes at restaurants are another target. Scammers replace legitimate menu or payment codes with their own, redirecting diners to fake login or payment pages that capture financial information.

Fake EV Charging Station QR Codes

Fraudulent QR codes placed on EV charging stations direct drivers to fake payment portals. Since many drivers are unfamiliar with the specific payment flow of each charging network, the fake pages often succeed in stealing card details.

Malicious QR Codes in Emails

This is one of the fastest-growing quishing vectors. Attackers embed QR codes in phishing emails disguised as urgent security alerts, package delivery notifications, or multi-factor authentication setup requests. The victim scans the code with their phone — which typically has fewer security protections than a corporate laptop — and lands on a credential-harvesting page.

Flyers, Posters, and Mail

QR codes appear on physical flyers promising prizes, discounts, or package delivery information. Scammers post these in public places or mail them directly to victims. The urgency of a "missed package" or "prize claim" drives people to scan without thinking.

Fake WiFi Login QR Codes

At cafes, airports, and hotels, scammers place fake QR codes that claim to provide free WiFi access. Scanning the code leads to a fake captive portal that asks for an email address, password, or even payment details. In some cases, the portal installs malware or redirects to a phishing site.

Why Your Phone Is the Weakest Link

QR code scams are designed to push you from a potentially secured environment — like a corporate email on a managed laptop — to your personal smartphone, which typically lacks enterprise security software. Once on your phone, you are more likely to trust what you see, less likely to scrutinize URLs on a small screen, and more likely to enter credentials quickly. Attackers know this and exploit it deliberately.

Red Flags: How to Spot a Malicious QR Code

Learn to recognize these warning signs before you scan:

  • The code is a sticker placed over another code — especially on parking meters, charging stations, or restaurant tables
  • The surrounding signage looks altered — different print quality, misaligned colors, or peeling edges
  • The QR code appears in an unsolicited email — particularly one creating urgency about account security or deliveries
  • The URL preview does not match the expected domain — misspellings, extra characters, or unfamiliar domains are strong indicators of fraud

Eight Ways to Stay Safe From Quishing

The good news is that quishing attacks rely on speed and inattention. Slowing down and applying a few simple habits can protect you from the vast majority of QR code scams.

  1. Inspect the QR code physically before scanning

    If you are scanning a QR code in a public place, look closely. Does the code appear to be a sticker placed over another code? Are the edges peeling? A tampered QR code is one of the clearest signs of a quishing attempt.

  2. Read the URL preview before opening

    Most modern smartphones show a URL preview when you scan a QR code with the default camera app. Read it carefully before tapping. Look for misspellings, extra characters, or unfamiliar domains. If the parking meter is from ParkMobile but the URL points to "park-m0bile-pay.com," do not open it.

  3. Use a QR scanner app that shows the full URL

    Some third-party QR scanner apps provide more detailed URL previews and can flag known malicious domains before your browser opens them.

  4. Never enter credentials or payment info from a QR code link

    If scanning a QR code takes you to a page requesting a login, password, or credit card number, stop. Navigate to the website manually by typing the official URL into your browser instead.

  5. Do not scan QR codes from unknown or unsolicited sources

    Treat unexpected QR codes with the same skepticism you would give an unexpected email attachment. A QR code on a random flyer or in an unsolicited email should be treated as suspicious by default.

  6. Install mobile security software

    Mobile security apps can detect phishing sites, block malicious URLs, and warn you before you enter information on a fraudulent page.

  7. Enable two-factor authentication on financial accounts

    Even if a scammer captures your login credentials through a quishing attack, two-factor authentication (2FA) can prevent them from accessing your account. Use an authenticator app rather than SMS-based 2FA whenever possible.

  8. When in doubt, navigate manually

    If a QR code claims to take you to your bank, a delivery service, or a payment portal, skip the code and go directly to the official website or app. This single habit eliminates the risk entirely.
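The URL check from step 2, written out as a small Python function that reviews a URL decoded from a QR code against the domain you expect. This is an added example, not part of the original article: `parkmobile.example` is a placeholder for the expected domain, and the function name and finding labels are made up for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Fold common digit-for-letter swaps and strip separators before comparing.
# Simplified mapping chosen for this example, not a complete confusables table.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None, ".": None})


def review_qr_url(url, expected_domain):
    """Return reasons not to open a URL decoded from a QR code ([] = none found)."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    brand = expected.split(".")[0].translate(FOLD)

    if parts.scheme != "https":
        findings.append("not-https")
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")  # text before '@' is not the host
    if not host:
        return findings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")  # may render as look-alike characters

    # Only the exact domain or its subdomains count as the expected service.
    if host != expected and not host.endswith("." + expected):
        findings.append("unexpected-domain")
        if brand in host.translate(FOLD):
            findings.append("brand-lookalike")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs; parkmobile.example is a placeholder domain.
    for sample in (
        "https://app.parkmobile.example/pay?zone=12",
        "http://park-m0bile-pay.com/pay",
        "https://parkmobile.example@203.0.113.7/login",
        "https://parkmobile.example.pay-secure.test/checkout",
    ):
        print(sample, "->", review_qr_url(sample, "parkmobile.example") or "no findings")
```

An empty result only means none of these specific checks fired; it does not show that the page behind the URL is legitimate.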

The 5-Second Rule for QR Codes

Before scanning any QR code, take five seconds to ask: Do I know who placed this code here? Does the physical code look legitimate and untampered? Am I expecting to interact with this service? If the answer to any of these is no, navigate to the website manually instead of scanning.

What to Do If You Have Been Scammed

If you believe you scanned a malicious QR code and entered personal or financial information on a fraudulent site, act immediately:

  1. Contact your bank or credit card company right away. Request a hold on your card, dispute any unauthorized charges, and ask for a replacement card.
  2. Change your passwords on any account where you entered credentials through the suspicious link. If you reuse that password elsewhere, change it on those accounts too.
  3. Enable 2FA on all affected accounts if you have not already.
  4. Monitor your financial accounts closely for unauthorized transactions over the following weeks.
  5. File a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov.
  6. Report the scam to the FTC at reportfraud.ftc.gov.
  7. Run a security scan on your phone to check for any malware that may have been installed.
  8. Report the physical QR code to the business or municipality where you found it so they can remove or replace it.

The Data Broker Connection

QR code scams become significantly more dangerous when attackers can access your personal information. If your name, address, phone number, and employer are readily available on data broker and people-search sites, scammers can combine that data with QR phishing to craft highly targeted attacks. A scammer who knows your address can mail a convincing fake utility notice with a QR code for "paying your bill." One who knows your employer can send a QR-based phishing email mimicking your company's IT department. The more data available about you online, the more convincing these personalized attacks become.

Reduce Your Exposure With PrivacyOn

PrivacyOn removes your personal data from 100+ data broker and people-search sites, cutting off the supply of information that scammers use to research and personalize their attacks — including quishing campaigns. By continuously monitoring for and removing your data, PrivacyOn makes it significantly harder for attackers to turn a generic QR code scam into a convincing, targeted one.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
