- \n
- Quishing attacks rose 587%<\/strong> from 2022 to 2023 (Keepnet Labs<\/a>)<\/li>\n\n\n\n
- QR code phishing jumped another 25% in 2025<\/strong>, affecting over 26 million Americans (Hoxhunt<\/a>)<\/li>\n\n\n\n
- 26% of all malicious links<\/strong> are now embedded in phishing QR codes (Hoxhunt<\/a>)<\/li>\n\n\n\n
- Nearly 2% of all scanned QR codes<\/strong> are malicious (QR Tiger<\/a>)<\/li>\n\n\n\n
- 73% of Americans<\/strong> scan QR codes without verifying the destination URL first (ScamWatch HQ<\/a>)<\/li>\n<\/ul>\n\n\n\n
The core problem: QR codes are opaque. Unlike a link you can read before clicking, a QR code reveals nothing about its destination until after you scan it. Scammers exploit this blind trust.<\/p>\n\n\n\n
What Is Quishing?<\/h2>\n\n\n\n
Quishing \u2014 QR code phishing \u2014 is the use of QR codes to direct victims to fraudulent websites that steal credentials, payment information, or install malware. It’s the QR code equivalent of a phishing email, but harder to detect because you can’t preview the URL before scanning.<\/p>\n\n\n\n
Traditional phishing relies on suspicious-looking links in emails or texts. Quishing bypasses this entirely. The QR code itself looks legitimate \u2014 there’s no misspelled URL or sketchy domain to spot. The victim only sees the destination after they’ve already scanned and their browser has loaded the page.<\/p>\n\n\n\n
Quishing attacks have been found in:<\/p>\n\n\n\n
- \n
- Emails posing as corporate IT departments (“Scan to verify your account”)<\/li>\n\n\n\n
- Fake parking meter and restaurant payment stickers<\/li>\n\n\n\n
- Phishing letters mailed to homes with QR codes for “package delivery” or “account verification”<\/li>\n\n\n\n
- Fake Wi-Fi login pages at cafes and airports<\/li>\n\n\n\n
- Fraudulent flyers posted in public spaces<\/li>\n<\/ul>\n\n\n\n
The Most Common QR Code Scams<\/h2>\n\n\n\n
1. Fake QR Code Stickers (Overlay Scams)<\/h3>\n\n\n\n
This is the most common physical QR code scam. A scammer prints a fake QR code on a sticker and places it over a legitimate one \u2014 on a parking meter, restaurant table, transit sign, or store display. The victim scans what they think is the business’s code, but they’re actually visiting the scammer’s phishing page.<\/p>\n\n\n\n
In 2022, the FBI issued a warning after fake QR code stickers appeared on parking meters in major US cities including Austin, Houston, and San Antonio<\/a>. Victims who scanned the codes were directed to fake payment pages that captured their credit card information.<\/p>\n\n\n\n
How to spot it:<\/strong> Look for stickers placed on top of other stickers or printed materials. If a QR code looks like it was added after the fact \u2014 raised edges, different paper quality, slightly crooked \u2014 don’t scan it.<\/p>\n\n\n\n
2. Brushing Scam QR Codes<\/h3>\n\n\n\n
You receive a package you didn’t order \u2014 often from Amazon or another major retailer. Inside is a product you never bought, along with a card or insert with a QR code. The message says something like “Scan to learn more about your product<\/em>” or “Scan to register your warranty.<\/em>“<\/p>\n\n\n\n
This is a brushing scam. The seller sent you an unsolicited package to generate a fake “verified purchase” review. The QR code might lead to a phishing page, a data-harvesting survey, or a site that installs malware. At best, it’s a deceptive marketing scheme. At worst, it’s identity theft.<\/p>\n\n\n\n
How to spot it:<\/strong> If you receive a package you didn’t order with a QR code inside, don’t scan it. Report the brushing scam to the retailer and the FTC.<\/p>\n\n\n\n
3. Email and Document Quishing<\/h3>\n\n\n\n
Scammers embed QR codes in phishing emails to bypass email security filters. Most email security tools scan URLs in the email body \u2014 but they can’t read the destination encoded in a QR code image. The email might look like it’s from Microsoft, Google, your bank, or your company’s IT department, asking you to “scan to verify your identity<\/em>” or “scan to reset your password.<\/em>“<\/p>\n\n\n\n
This is why QR codes were used in 22% of all phishing attacks<\/strong> in 2024\u20132025. They’re an effective way to slip malicious links past automated defenses.<\/p>\n\n\n\n
How to spot it:<\/strong> Legitimate companies rarely ask you to scan a QR code in an email. If an email contains a QR code and urgency language (“Your account will be suspended<\/em>“), it’s almost certainly a scam.<\/p>\n\n\n\n
4. Fake Wi-Fi QR Codes<\/h3>\n\n\n\n
A scammer places a QR code in a cafe, hotel lobby, or airport with a label like “Free Wi-Fi \u2014 Scan to Connect.<\/em>” Instead of connecting you to Wi-Fi, the code directs you to a fake login page that captures your email, password, or payment information. Some variants actually connect you to a rogue Wi-Fi network that intercepts your traffic.<\/p>\n\n\n\n
Legitimate WiFi QR codes<\/a> connect you directly to a network without requiring a login page. If scanning a “WiFi” QR code opens a webpage asking for personal information, close it immediately.<\/p>\n\n\n\n
5. Cryptocurrency and Payment Scams<\/h3>\n\n\n\n
Scammers use QR codes to direct victims to fraudulent cryptocurrency wallets or payment pages. The setup often involves a phone call or text from someone posing as a utility company, government agency, or tech support \u2014 instructing the victim to “pay a fine<\/em>” or “secure their account<\/em>” by scanning a QR code at a Bitcoin ATM or payment terminal.<\/p>\n\n\n\n
How to spot it:<\/strong> No legitimate organization will ask you to make a payment via QR code to a cryptocurrency wallet. Ever.<\/p>\n\n\n\n
6. Fake Package Delivery Notices<\/h3>\n\n\n\n
You find a card on your door or in your mailbox: “We missed your delivery. Scan to reschedule.<\/em>” The QR code leads to a phishing page disguised as USPS, UPS, or FedEx, asking for your address, phone number, and sometimes payment for a “redelivery fee<\/em>” that doesn’t exist.<\/p>\n\n\n\n
How to spot it:<\/strong> Delivery services leave tracking numbers, not QR codes. If you receive an unexpected delivery notice with only a QR code, go directly to the carrier’s official website instead of scanning.<\/p>\n\n\n\n
Create Trustworthy QR Codes Your Customers Can Verify<\/h3>
Dynamic QR codes with transparent short links \u2014 no hidden redirects.<\/p>Create Your Free QR Code Now<\/a><\/div>\n\n\n\n
Are QR Codes Safe?<\/h2>\n\n\n\n
Yes \u2014 the technology itself is safe. A QR code is just a way to encode information visually. It’s no more inherently dangerous than a URL printed on a piece of paper. The risk comes from where<\/em> the QR code sends you, not from the code itself.<\/p>\n\n\n\n
Scanning a QR code cannot install malware on your phone by itself. Your phone’s camera reads the code, decodes the URL, and shows you a preview before opening it. The danger begins when you tap through to a malicious website and enter personal information or download something.<\/p>\n\n\n\n
Think of it this way: a QR code is a door. The door itself isn’t dangerous \u2014 what matters is what’s on the other side. The question isn’t “are QR codes safe?<\/em>” but rather “is this specific QR code from a source I trust?<\/em>“<\/p>\n\n\n\n
How to Protect Yourself from QR Code Scams<\/h2>\n\n\n\n
You don’t need to stop scanning QR codes. You just need to scan smarter. Here are the habits that keep you safe.<\/p>\n\n\n\n
1. Check the URL Before You Tap<\/h3>\n\n\n\n
When you scan a QR code, your phone shows you a URL preview before opening it. Actually read it.<\/strong> Look for:<\/p>\n\n\n\n
- \n
- Misspelled domain names (g00gle.com instead of google.com)<\/li>\n\n\n\n
- Suspicious domains you don’t recognize<\/li>\n\n\n\n
- HTTP instead of HTTPS<\/li>\n\n\n\n
- Excessively long URLs with random characters<\/li>\n<\/ul>\n\n\n\n
If the URL doesn’t match what you’d expect \u2014 a parking meter code should go to the city’s payment system, not a random domain \u2014 don’t tap it.<\/p>\n\n\n\n
2. Inspect Physical QR Codes for Tampering<\/h3>\n\n\n\n
Before scanning a QR code on a parking meter, restaurant table, or public sign, look at it closely:<\/p>\n\n\n\n
- \n
- Is it a sticker placed over another code?<\/li>\n\n\n\n
- Does the paper or print quality differ from the surrounding material?<\/li>\n\n\n\n
- Are the edges raised or slightly crooked?<\/li>\n\n\n\n
- Does it look like it was added after the original signage was installed?<\/li>\n<\/ul>\n\n\n\n
If anything looks off, don’t scan. Find another way to access the service \u2014 type the URL directly, use the business’s app, or ask an employee.<\/p>\n\n\n\n
3. Never Enter Payment Info from an Unsolicited QR Code<\/h3>\n\n\n\n
If a QR code you didn’t expect leads to a payment page, stop. Legitimate payment flows from QR codes should take you to a recognized payment processor (Square, Stripe, PayPal) or a URL you recognize as the business’s domain. If it asks for your full credit card number on a page that doesn’t look professional, close the browser immediately.<\/p>\n\n\n\n
4. Be Skeptical of QR Codes in Emails<\/h3>\n\n\n\n
QR codes in emails are a major red flag. Legitimate companies send clickable links in emails \u2014 they have no reason to make you pull out your phone and scan a code from your computer screen. If an email asks you to scan a QR code to “verify your account<\/em>” or “update your payment method<\/em>,” it’s almost certainly quishing.<\/p>\n\n\n\n
5. Don’t Scan QR Codes from Unexpected Packages<\/h3>\n\n\n\n
If you receive a package you didn’t order with a QR code inside, don’t scan it. This is a classic brushing scam. Report it to the retailer and the FTC at reportfraud.ftc.gov<\/a>.<\/p>\n\n\n\n
6. Keep Your Phone Updated<\/h3>\n\n\n\n
Modern smartphones (iOS and Android) show URL previews when you scan QR codes and warn you about known malicious websites. Make sure your operating system and browser are up to date to benefit from the latest security protections.<\/p>\n\n\n\n
How Businesses Can Protect Their Customers<\/h2>\n\n\n\n
If you’re a business using QR codes \u2014 on restaurant menus<\/a>, real estate signs<\/a>, product packaging, or marketing materials \u2014 you have a responsibility to make your codes trustworthy. Here’s how.<\/p>\n\n\n\n
Use a Recognizable Short Domain<\/h3>\n\n\n\n
When customers scan your QR code, the URL preview should look legitimate. A code that resolves to
qrch.am\/your-menu<\/code> oryourbrand.com\/menu<\/code> is immediately more trustworthy thanbit.ly\/3xK9mPz<\/code> or a random string of characters. Platforms like QR Chameleon<\/a> use a consistent short domain(qrch.am)<\/code> so customers can learn to recognize and trust your links.<\/p>\n\n\n\nUse Dynamic QR Codes<\/h3>\n\n\n\n
Dynamic QR codes<\/a> give you control. If someone places a fake sticker over your code, you can check your scan analytics and notice unusual patterns \u2014 a sudden drop in scans at one location, scans from unexpected geographies, or a spike in scans with no corresponding conversions. Static codes give you zero visibility.<\/p>\n\n\n\n
Dynamic codes also let you update the destination if a URL changes, without reprinting materials. This means your codes always point somewhere legitimate and current.<\/p>\n\n\n\n
Physically Secure Your QR Codes<\/h3>\n\n\n\n
Print QR codes directly onto materials rather than using stickers when possible. If you must use stickers, use tamper-evident labels that show visible damage if someone tries to peel them off. Regularly inspect your QR code placements \u2014 especially in public-facing locations \u2014 for signs of tampering.<\/p>\n\n\n\n
Add Context Around Your QR Codes<\/h3>\n\n\n\n
Tell customers where the code will take them. A label that says “Scan to view our menu at qrchameleon.com” is far more trustworthy than a bare QR code with no explanation. This also helps customers verify the URL matches what they see after scanning.<\/p>\n\n\n\n
Monitor Your Scan Analytics<\/h3>\n\n\n\n
If you’re using a QR code platform with analytics, watch for anomalies. A Google review QR code<\/a> at your counter that suddenly shows zero scans might mean someone covered it with a fake code. A code on a flyer that shows scans from a country where you don’t operate could indicate the image was copied and misused.<\/p>\n\n\n\n
![\"QR](\"https:\/\/qrchameleon.com\/assets\/images\/qr_chameleon_hero2x.webp\")
<\/div>Ready to create your own QR codes?<\/h3>
Start for free \u2014 no credit card required.<\/p>Create Your Free Account Now<\/a><\/div><\/div>\n\n\n\n
What to Do If You’ve Been Scammed<\/h2>\n\n\n\n
If you scanned a QR code and entered personal or payment information on a suspicious site, act fast:<\/p>\n\n\n\n
- \n
- Contact your bank or credit card company immediately.<\/strong> Report the compromised card and request a freeze or replacement. Most banks can reverse fraudulent charges if reported quickly.<\/li>\n\n\n\n
- Change your passwords.<\/strong> If you entered login credentials, change those passwords immediately \u2014 and any other accounts that use the same password.<\/li>\n\n\n\n
- Enable two-factor authentication<\/strong> on any accounts that may have been exposed.<\/li>\n\n\n\n
- Report the scam.<\/strong> File a report with the FTC at reportfraud.ftc.gov<\/a> and the FBI’s Internet Crime Complaint Center at ic3.gov<\/a>.<\/li>\n\n\n\n
- Monitor your credit.<\/strong> Consider a credit freeze or fraud alert through the three major bureaus (Equifax, Experian, TransUnion).<\/li>\n\n\n\n
- Scan your device for malware.<\/strong> Run a security scan on your phone to check for any malicious software that may have been installed.<\/li>\n<\/ol>\n\n\n\n
The Bottom Line: Scan Smart, Not Scared<\/h2>\n\n\n\n
QR codes aren’t going away. Over 100 million Americans<\/a> scan them regularly, and adoption is only growing. The technology itself is safe \u2014 the risk comes from bad actors who exploit the trust we’ve built around scanning.<\/p>\n\n\n\n
The fix isn’t to stop scanning. It’s to build the same habits around QR codes that we’ve built around email links: pause, check the source, verify the URL, and trust your instincts when something feels off.<\/p>\n\n\n\n
For businesses, the best defense is transparency. Use a recognizable short domain, add context around your codes, monitor your analytics, and make it easy for customers to verify where your codes lead. Platforms like QR Chameleon<\/a> create dynamic QR codes<\/a> with transparent short links, full scan analytics, and editable destinations \u2014 so your codes stay trustworthy and under your control.<\/p>\n\n\n\n
QR Code Scam FAQs<\/h2>
- Change your passwords.<\/strong> If you entered login credentials, change those passwords immediately \u2014 and any other accounts that use the same password.<\/li>\n\n\n\n
- Contact your bank or credit card company immediately.<\/strong> Report the compromised card and request a freeze or replacement. Most banks can reverse fraudulent charges if reported quickly.<\/li>\n\n\n\n
- QR code phishing jumped another 25% in 2025<\/strong>, affecting over 26 million Americans (Hoxhunt<\/a>)<\/li>\n\n\n\n