Safety9 min readUpdated May 6, 2026

Quishing Is the QR Code Scam Hiding in Plain Sight

QR-code phishing is rising because it jumps from email to your phone. Learn the 10-second scan check, risky locations, and what to do before entering card or login details.

Phone displaying a QR code payment screen

In This Article

  1. Why QR Scams Are Rising Now
  2. The 10-Second QR Scan Check
  3. Where Quishing Works Best
  4. Safe Ways To Use QR Codes
  5. What To Do If You Scanned a Bad QR Code
  6. A Household QR Rule

Why QR Scams Are Rising Now

QR codes solved a real problem: they move people from the physical world to a website without typing. That is also why criminals like them. A QR code hides the destination until after you scan it, and many people scan from a personal phone that is outside workplace email protection.

The scam is called quishing, short for QR-code phishing. It appears in emails, parking meters, fake tickets, restaurant flyers, delivery notices, package inserts, event posters, utility warnings, and even stickers placed over real QR codes.

Recent security reporting shows why the topic deserves attention. Microsoft threat data reported a sharp rise in QR-code phishing in early 2026. Consumer reporting has also warned that many people scan QR codes without checking the destination first. The trick works because scanning feels harmless, quick, and official.

The 10-Second QR Scan Check

Before you enter a password, card number, phone number, one-time code, or address after scanning a QR code, pause for ten seconds.

Check one: does the physical code look tampered with? A sticker placed over another sticker, a different color label, crooked edges, fresh adhesive, or a QR code that does not match nearby branding is enough reason to stop.

Check two: does the preview URL match the place you expected? Your phone usually shows the link before opening it. Look for misspellings, extra words, strange domains, URL shorteners, or domains that do not match the brand.

Check three: did the QR code create urgency? Fake parking fines, failed delivery warnings, bank alerts, and account suspension messages push you to act fast. Urgency is a phishing smell.

Check four: can you reach the same page another way? Open the official app, type the website yourself, search for the official company page, or use the payment method already printed on the machine.

Where Quishing Works Best

The most dangerous QR codes are the ones attached to a task you already planned to do.

Parking payments are high risk because you are standing outside, in a hurry, worried about a ticket, and ready to enter a card. Package notices are high risk because people are curious and may not remember every order. Restaurant menus are lower risk when they only show food, but they become risky if the page asks you to create an account, install an app, or enter payment details.

Workplace QR codes are also a problem. A fake QR in an email can bypass desktop link scanning because the actual visit happens on a phone. If that phone is signed into work email, cloud storage, or chat, the attacker may get a very useful session.

Safe Ways To Use QR Codes

Use your phone camera or built-in QR scanner because it previews the destination before opening. Avoid random scanner apps that request unnecessary permissions.

For payments, prefer an official app you already installed. If a parking meter offers a QR code, also check whether the operator name and zone number match the official app or signage. If a restaurant QR code asks for a login before showing a menu, ask for a paper menu or type the restaurant website yourself.

For packages, do not scan a surprise QR code from an unexpected delivery note. Go directly to the courier's official site or app and enter the tracking number manually.

For work, treat QR codes like links. If a QR code asks for Microsoft, Google, Slack, bank, payroll, or VPN login, verify through a known channel first.

What To Do If You Scanned a Bad QR Code

If you scanned but did not type anything, close the page. You are probably fine, but do not install anything it offered. Clear the browser tab if it keeps reopening.

If you entered a password, change that password from a clean browser window or official app. If you reused the password anywhere else, change it there too. Use a password manager to make each password unique.

If you entered a one-time code, assume the attacker may have signed in. Go to the account's security page, sign out of all sessions, remove unknown devices, change the password, and add or reset multi-factor authentication.

If you entered card details, call the card issuer and ask for the card to be frozen or replaced. If the QR code was on public property, report the sticker or notice to the business, parking operator, property owner, or local authority so other people do not get caught.

A Household QR Rule

Teach this rule to kids, parents, and grandparents: scan for information, not for payment or login.

That does not mean every QR payment is fake. It means payment and login pages deserve a second path. If the code only opens a menu, map, manual, or event page, the risk is lower. If it asks for money, credentials, personal details, or app installation, slow down and verify.

QR codes are not going away. The skill is learning when convenience should hand the wheel back to caution.

Sources & Image Credits

Microsoft threat reporting via TechRadar: QR-code phishing surge in Q1 2026CNBC: QR-code scams and consumer behavior dataFTC: QR codes on unexpected packages can lead to phishing sitesHero photo: Unsplash, Markus Winkler

Try These Tools

📱
QR Code Generator
Free · No sign-up
URL
URL Encoder Decoder
Free · No sign-up
🔐
Password Generator
Free · No sign-up
← Back to All Articles