Quishing is QR code phishing. Scammers create fake QR codes that link to phishing sites and place them over real QR codes at parking meters, restaurants, and other public places.

How can I tell if a QR code is fake?

Look for stickers placed over other stickers, preview the URL before opening it, and check if the URL matches what you would expect. If something looks off, use the business's app or website directly instead.

What should I do if I scanned a fake QR code and entered payment info?

Call your bank immediately and dispute the charge. Monitor your accounts for unauthorized transactions and report the scam to the FTC.

Trending By Isaiah Shawver 6 min read Updated Mar 2026

QR code scams are showing up everywhere

QR codes went from that weird square nobody used to something we scan without thinking. Menus, parking meters, event tickets, Wi-Fi logins. We got trained to point our phone cameras at them and tap whatever pops up.

Scammers noticed.

The concept is simple: take a QR code that points to a phishing site, print it on a sticker, and paste it over a real QR code in a public place. Someone scans it thinking they are paying for parking and instead they are handing their credit card info to a scammer. Security researchers started calling this "quishing" (QR + phishing), and it has been picking up fast since 2024.

Where fake QR codes are showing up

Parking meters and pay stations

This is the big one. Cities across the US have reported fake QR code stickers placed on parking meters. You scan to pay, it opens a page that looks like the city's payment portal, you enter your card info, and nothing happens except your card details going to someone in another country. Austin, Texas was one of the first cities to issue a public warning about this in 2022. By 2025 it had spread to dozens of cities.

Restaurant tables and menus

Post-COVID, tons of restaurants switched to QR code menus. A scammer can walk into a restaurant, stick a fake QR code over the real one on a table tent, and redirect diners to a phishing page. Most people would not think twice about scanning a code at their table.

Flyers, posters, and mail

Fake charity flyers, fake event promotions, fake package delivery notices with QR codes. If it is a piece of paper in a public place with a QR code on it, there is no way to verify who put it there.

Inside phishing emails

This one is clever. Email security tools scan links in emails to check if they are malicious. But they cannot scan a QR code that is embedded as an image. So scammers send emails with a QR code image instead of a clickable link. "Scan this code to verify your account." The email bypasses the link scanner and the victim does the work of opening the malicious URL themselves.

Why this works

QR codes are opaque. You cannot look at one and tell where it goes. A suspicious URL at least gives you something to read. A QR code is just a square of dots. You are trusting it blindly every time you scan one.

Most phone cameras now open URLs automatically when you scan a QR code. Some show a preview of the URL first, some do not. Even when they do show a preview, most people tap through without reading it.

How to protect yourself

Preview the URL before you open it. Both iPhone and Android show the URL when you scan a QR code with the camera. Read it. If it looks weird, long, or does not match what you expected, do not tap.
Look for stickers over stickers. If a QR code in a public place looks like it was stuck on top of something else (edges peeling up, different paper quality, slightly crooked), do not scan it.
Use the business's app or website directly. For parking, use the city's official parking app instead of scanning a code on the meter. For restaurants, ask the server for a paper menu if something looks off.
Do not scan QR codes from emails. If a company needs you to log in, go to their website yourself. There is no reason a legitimate email would make you scan a QR code instead of clicking a normal link.
If you scanned something and entered payment info, call your bank immediately and dispute the charge.

The physical world is now a phishing surface

That is the part that bugs me about this. We spent years training people to watch out for bad links in emails and texts. Now the same attack shows up as a sticker on a parking meter and all that training goes out the window because it is a physical object in the real world, so it must be legit.

It is not. Treat every QR code the same way you would treat a link in a text from an unknown number. Check before you trust it.

Check a URL from a QR code

If you scanned a QR code and copied the URL instead of opening it, paste it here to check if it is safe.

Check the link See all current scams