
QR Code Scams (Quishing): How to Stay Safe

Scammers hide phishing links inside QR codes — on emails, parking meters, and fake stickers. Here's how QR code scams (quishing) work and how to scan safely.

Short answer: a QR code is just a link you can't read with your eyes. Scammers exploit that by hiding phishing pages inside codes — in emails, on fake parking-meter stickers, on "verify your account" notices — because you can't hover a QR code to see where it goes. This is called quishing (QR + phishing).

The good news: scanning a code is harmless on its own. The danger is what you do on the page it opens. Here's how to stay safe.

Quick check: Treat an unexpected QR code like an unexpected link. Preview the URL before opening it, never enter logins or payment on a page reached by a random code, and be suspicious of codes in emails or stuck onto public surfaces.

Where QR scams show up

  • In emails. A code in the message body sidesteps link-hovering and spam filters — you scan with your phone and land on a phishing site. A favorite in fake "Microsoft 365" and "document shared with you" emails.
  • On public surfaces. Stickers slapped over real codes on parking meters, EV chargers, restaurant menus, and event posters, redirecting you to a fake payment page.
  • On fake packages or letters. "Scan to confirm delivery" or "scan to claim a refund."
  • In texts. A QR image instead of a tappable link, for the same reason.

Why quishing works

Two reasons. First, you can't see a QR code's destination the way you can read or hover a normal link, so your usual check doesn't apply. Second, scanning happens on your phone, where the address bar is small and easy to ignore — and where you're often distracted and in a hurry.

So the defense shifts from "read the link" to "verify the destination after scanning, before doing anything."

How to scan safely

  1. Pause on unexpected codes — in emails, on stickers, on random flyers.
  2. Preview the URL. Most phone cameras show the link before opening it; read the real domain first.
  3. Watch for look-alike or shortened domains that aren't the real organization's.
  4. Never enter a password or payment on a page you reached from a code you didn't expect.
  5. For payments or accounts, go direct — type the known website or open the official app instead of trusting the code.
  6. On public surfaces, check for a sticker placed over the original code.
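Steps 2 and 3 as an automated check, in an added example that is not part of the original guide: it compares the link decoded from a QR code with the domain you expected and flags the look-alike and shortened-link cases described above. The function name, the shortener list, and the `cityparking.example` / `pay-portal.test` domains are constructed for illustration; the check reads only the URL string and does not follow redirects.

```python
from urllib.parse import urlsplit

# Constructed, non-exhaustive shortener list (assumption; extend for real use).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def _edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_qr_url(payload, expected_domain):
    """Return warnings for a decoded QR payload; [] means the host is the
    expected domain (or a subdomain of it) and the link uses HTTPS."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:
        warnings.append("userinfo-in-url")   # text before '@' is not the host
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")     # may render as look-alike letters
    # Compare the rightmost labels of the host with the expected domain.
    n = expected.count(".") + 1
    tail = ".".join(host.split(".")[-n:])
    if host in SHORTENERS:
        warnings.append("shortened-link")    # real destination is hidden
    elif tail == expected:
        pass                                 # real domain or one of its subdomains
    elif expected in host:
        warnings.append("expected-name-in-other-domain")
    elif _edit_distance(tail, expected) <= 2:
        warnings.append("look-alike-domain")
    else:
        warnings.append("unrelated-domain")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    for url in ["https://pay.cityparking.example/meter/42",
                "https://cityparklng.example/pay",
                "http://bit.ly/abc123",
                "https://cityparking.example.pay-portal.test/login"]:
        print(url, "->", triage_qr_url(url, "cityparking.example") or "ok")
```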

Safe vs. suspicious QR codes at a glance

| Situation | Usually safe | Be suspicious |
| --- | --- | --- |
| Where you found it | A menu/poster you trust, in context | An email, a sticker, an unsolicited letter |
| The URL preview | The real organization's domain | Look-alike, shortened, or random domain |
| What it asks | To view a page or menu | To log in or enter payment |
| On a public surface | Printed as part of the sign | A sticker placed over the original |

A quick word on parking and payment codes

Fake QR stickers on parking meters, EV chargers, and pay-to-park signs are a fast-growing version of this scam, because paying by phone QR is now normal. Before paying, check whether the code looks like a sticker stuck over the real one, and prefer the official parking app or the number printed on the meter. If the page asks for more than a simple payment — like account logins — back out.

What to do if you scanned a bad one

  • If you only opened the page and entered nothing, close it; you're likely fine.
  • If you entered a password, change it everywhere you used it and turn on two-factor authentication.
  • If you entered card details, call your bank using the number on the back of your card.

For the full walkthrough, see what to do if you clicked a phishing link.

Not sure about a code or the page it opened?

If a QR code arrives in an email or text and you're unsure, forward the message to FraudRoom at check@fraudroom.com before you scan or enter anything — you'll get a plain-English risk level and the safest next step back.

FAQ

Can scanning a QR code hack your phone?

Simply scanning and viewing the destination is generally safe. The real risk is the website it opens — entering logins or payment details there, or being prompted to install something. Preview the link and don't enter information on untrusted pages.

How do I know if a QR code is safe to scan?

Be cautious with codes you didn't expect, especially in emails or stuck onto public surfaces. After scanning, read the URL preview and confirm it's the real organization's domain before opening or entering anything.

What is quishing?

Quishing is phishing that uses QR codes to hide a malicious link. Because you can't visually inspect a QR code's destination, scammers use it to bypass the link-checking habits that catch ordinary phishing.

Key takeaways

  • A QR code is an unreadable link — treat unexpected ones like unexpected links.
  • Scanning is safe; entering credentials on the resulting page is the risk.
  • Preview the URL after scanning and confirm the real domain.
  • For payments or logins, go direct via the official site or app instead.
