QR Code Scams (Quishing): How to Scan Safely
QR codes are everywhere now, on menus, parking meters, packages, and letters. They are convenient, which is exactly why scammers have started using them. A fake QR code can send your phone to a copycat website or quietly install harmful software, and it is hard to tell a good code from a bad one just by looking.
This newer scam even has a name: quishing, a blend of QR and phishing. This guide explains how it works, shows a real example, and gives you simple habits to scan with confidence.
What it is
Quishing is phishing delivered through a QR code. Instead of a suspicious link in a text or email, the scammer hides the link inside a QR code. When you scan it, you are sent to a fake site built to steal your login, card number, or personal details, or prompted to download malware.
The trick works because a QR code hides its destination. You cannot read a web address inside those black-and-white squares, so you are trusting wherever it sends you, sight unseen.
How it works
- A scammer places a fake QR code where you expect a real one, or sends one by mail, email, or on a package.
- You scan it, expecting a menu, a bill, a parking payment, or a delivery update.
- The code opens a fake website that looks legitimate and asks for your login, payment, or personal information.
- You enter your details, and the scammer captures them, or your phone downloads harmful software.
Criminals stick fake QR stickers over real ones on parking meters and signs, slip them into official-looking letters, and even mail unsolicited packages containing a QR code that asks you to “verify” information. The FBI has warned about this package version specifically.
A real example
Doris, 70, receives a small package she did not order, with a note inside: scan the QR code to identify the sender and arrange a return. Curious, she scans it. The page asks her to log in with her email and “confirm” her address and card details to process the return. It looks professional, so she enters them. There was no real shipment to return. The package was bait, and the QR code led to a site harvesting her information for fraud.
By the numbers
- Roughly 73 percent of Americans scan QR codes without verifying where they lead, and tens of millions have been sent to malicious sites (industry research cited by NordVPN).
- By 2025, QR codes appeared in about 12 percent of all phishing attacks, a sharp rise from prior years (industry research).
- The FBI has warned that criminals mail unsolicited packages containing QR codes to start fraud and install malware (FBI IC3).
Red flags to watch for
- A QR code on an unexpected letter, email, or package.
- A sticker QR code that looks placed over the original on a sign or meter.
- A scanned page asking you to log in or enter payment “to verify.”
- An unsolicited package that asks you to scan a code.
- A web address after scanning that looks slightly off or unfamiliar.
How to protect yourself
- Pause before scanning a code you did not expect, especially on mail, packages, or public surfaces.
- After scanning, check the web address before entering anything. If it looks off, close it.
- Go direct instead. Type a known website yourself, or use the official app, rather than scanning a code to log in or pay.
- Never enter passwords or card details on a page you reached only by scanning an unexpected code.
- Reduce unwanted mail and packages tied to you. Scammers use addresses and details from data-broker and people-search sites. Removing your information from those sites, which a privacy or data-removal service can do for you, can help.
- Keep your phone updated, so its built-in protections can catch known bad sites.
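The address check from the list above, written out as a short Python sketch of what "looks off" can mean. This is an added example, not part of the original guide; the function name check_qr_url, the expected domain cityparking.example, and every sample address are constructed for illustration.

```python
from urllib.parse import urlsplit

def check_qr_url(decoded: str, expected_domain: str) -> list[str]:
    """Return reasons a web address decoded from a QR code looks off.

    An empty list means none of these checks fired; it does not prove the site is safe.
    """
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return ["not a parseable web address"]
    flags = []
    if parts.scheme != "https":
        flags.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return flags + ["no host name in the decoded text"]
    if parts.username is not None:
        # https://trusted-name@other-host/ really goes to other-host
        flags.append("text before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible look-alike characters)")
    if host.replace(".", "").isdigit() or ":" in host:
        flags.append("raw IP address instead of a name")
    expected = expected_domain.lower()
    # Only an exact match or a true subdomain counts; a trusted name that
    # merely appears at the start of a longer host does not.
    if host != expected and not host.endswith("." + expected):
        flags.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return flags

# Constructed sample addresses, as a phone might show them after a scan.
EXPECTED = "cityparking.example"
SAMPLES = [
    "https://pay.cityparking.example/meter/1042",          # genuine subdomain
    "https://cityparking.example.pay-now.test/meter/1042", # trusted name used as a prefix
    "https://cityparking.example@pay-now.test/login",      # '@' trick
    "https://cityparkinq.example/pay",                     # one-letter look-alike
    "http://192.0.2.7/pay",                                # plain http to an IP address
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, EXPECTED) or "no flags")
```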
If you’ve already responded
Change the password for any account you logged into, and turn on two-step verification. Contact your bank or card company if you entered payment details. If you downloaded anything, have your phone checked by someone you trust, and report it to the FTC at ReportFraud.ftc.gov.
In the news
- ‘Quishing’ scams dupe millions as criminals turn the QR code bad (CNBC)
- FBI warns over ‘quishing’ scam (Tom’s Guide)
Frequently asked questions
What is quishing?
It is phishing that uses a QR code to hide a malicious link, sending you to a fake site or to malware when you scan.
Is it safe to scan QR codes at restaurants or stores?
Usually, but check the web address before entering personal or payment details, and watch for stickers placed over the original code.
I scanned a code from a package I did not order. What now?
Do not enter any information. Unsolicited packages with QR codes are a known scam. Change passwords if you logged in, and report it.