Malicious QR code scams
QR code scams, sometimes called quishing, use fraudulent codes placed on parking meters, restaurant tables, or sent via email to redirect victims to malicious websites designed to steal payment details or login credentials, and reports of this scam type have risen substantially since 2021.
What we know
QR codes became far more common in everyday commerce during and after the COVID-19 pandemic, as many restaurants, parking systems, and public facilities adopted them as a touchless way to display menus, process payments, or direct users to informational websites. This widespread adoption also created an opportunity for scammers, who exploit the fact that a QR code's destination is not visible to the human eye before scanning, unlike a written web address that a cautious user might inspect for spelling errors or an unfamiliar domain.
A common physical variant involves scammers placing fraudulent QR code stickers over legitimate codes on parking meters, public parking payment signs, or restaurant tables, redirecting victims who scan the code to a fake payment website that closely mimics the legitimate parking authority or restaurant's site, capturing credit card information entered by the victim. The Federal Trade Commission issued a specific consumer alert about this pattern in early 2022, following a rise in reports across multiple U.S. cities, and numerous local police departments have issued similar warnings after discovering fraudulent stickers on municipal parking infrastructure.
A separate and increasingly common variant, sometimes referred to as quishing, involves QR codes embedded in phishing emails rather than physical locations. Because many email security filters are designed primarily to scan text-based links and attachments for malicious content, a QR code image embedded in an email can sometimes bypass these automated filters, since the malicious destination is encoded visually in an image rather than as scannable text. The victim scans the code using their phone, often specifically to move the interaction off a monitored work computer and onto a personal device with potentially weaker security, and is directed to a fake login page designed to steal corporate or personal credentials. Cybersecurity firms including Check Point Research and Proofpoint documented substantial increases in QR-code-based phishing campaigns starting in 2023, particularly targeting corporate email systems.
Fraudulent QR codes have also appeared in fake parking tickets left on windshields, fake package delivery notices, and fraudulent charity or fundraising materials, all designed to exploit the same basic vulnerability: a scanned code takes the user to a destination they cannot verify in advance without additional caution.
Consumer protection guidance from the FTC and cybersecurity agencies including CISA recommends inspecting a QR code sticker for signs of tampering, such as a sticker placed over another sticker, avoiding entering payment or login information on a website reached via a scanned code without first verifying the web address matches the legitimate organization's known domain, using a phone's built-in camera preview feature to see the destination web address before fully opening a link when available, and paying via official apps or entering a known web address manually rather than scanning an unfamiliar code in ambiguous public settings, particularly for any transaction involving payment information.
Common claims
- QR codes are safe because they come from physical objectsFalse - QR code stickers can be placed over legitimate codes anywhere
- Email security tools catch malicious QR codesOften false - QR images bypass filters that scan text links
- Scanning a QR code cannot install malwareFalse - scanning can direct to drive-by malware download pages

