QR Code Scams Are Everywhere in 2026: How "Quishing" Works and How to Protect Yourself

You scan QR codes at restaurants, parking meters, and package labels without thinking twice. That's exactly what scammers are counting on. Here's how "quishing" works and why you need to start treating QR codes like unknown links.

[Figure: a hand scanning a malicious QR code on a parking meter; the phone screen shows the fake payment page used in a quishing scam]


Here's a scenario that probably sounds familiar to you.

You park your car downtown. There's a QR code on the parking meter. You scan it, a payment page loads on your phone, you enter your credit card number, and you go about your day.

Except the QR code wasn't from the parking authority. It was a sticker placed over the real one by a scammer. The payment page looked legitimate — same logo, same colors, same layout — but it was a phishing page that just captured your full credit card details. You paid for parking that never registered, and your card information is now in a criminal's hands.

This is called quishing — QR code phishing — and it's one of the fastest-growing attack methods in 2026.

The FBI issued a specific warning about quishing in early 2026, citing North Korean-linked hacking groups using fake QR codes in email campaigns targeting U.S. organizations. The FTC has warned consumers about QR codes on unexpected packages. And cybersecurity researchers at Proofpoint estimated over 4.2 million QR code-related threats in just the first half of 2025.

This isn't a niche attack anymore. It's mainstream.

Why QR Codes Are Perfect for Scammers

Think about how you interact with a regular web link. If someone sends you a URL, you can at least glance at it before clicking. You might notice that "paypa1.com" isn't the same as "paypal.com." You might recognize a suspicious domain. You have a visual cue.

QR codes remove that cue entirely. When you scan a QR code, you don't see the URL until your browser is already loading it. By the time the page appears on your screen, the phishing site is already rendering, and most people aren't checking the URL bar on their phone once a page looks legitimate.

QR codes also bypass most email security filters. Corporate email gateways are excellent at detecting malicious links in text, but they can't analyze the contents of an image containing a QR code. This makes quishing particularly effective in corporate phishing campaigns — the attacker embeds a QR code in what looks like a routine IT notification or invoice, and the employee scans it with their phone, which is outside the corporate network's security controls.

And there's the physical dimension. Unlike traditional phishing, which happens entirely online, quishing can happen in the real world. Scammers stick fake QR codes on parking meters, restaurant tables, public bulletin boards, event posters, and even package delivery notices taped to front doors. The physical context makes the QR code feel trustworthy — you expect a QR code on a parking meter to be legitimate.

Common Quishing Attacks You'll Encounter

The Parking Meter Scam

This is probably the most widespread physical quishing attack. Scammers print QR code stickers and place them over legitimate payment QR codes on parking meters. The fake code leads to a convincing payment page that collects your credit card information. Multiple cities across the US have issued warnings about this, including Austin, Houston, and San Antonio, where fraudulent QR codes were found on hundreds of meters.

The Package Delivery Scam

You find a card on your doorstep or in your mailbox with a QR code and a message: "We attempted delivery. Scan to reschedule." The QR code leads to a fake delivery company page that asks for your address, phone number, and sometimes payment for a "redelivery fee."

The U.S. Postal Inspection Service has issued specific warnings about this variant, noting that scammers sometimes pair it with a "brushing" scheme where they actually send small, unsolicited packages.

The Corporate Email Scam

This targets people at work. You receive an email that appears to be from your IT department, HR, or a trusted vendor. It contains a QR code with instructions like "Scan to verify your identity" or "Scan to review your updated benefits." The QR code leads to a fake login page that harvests your corporate credentials.

Because the email contains an image rather than a clickable link, it often slips past email security filters.
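The point above, that a gateway which cannot read the image still sees the rest of the message, is something a mail filter can act on. The following is an added example, not the article author's code or any vendor's product: a heuristic that flags messages whose only "link" is an image, combined with scan-and-verify wording. The two sample messages, the sender addresses and the lure phrases are constructed for illustration; the `classify` function and its verdict labels are this example's own design.

```python
"""Heuristic gateway check for QR-code lure e-mails.

Added example for this article, not the original author's code or any
vendor's product. A gateway that cannot decode an image can still notice the
shape of a quishing message: an inline image, "scan this code" wording and no
clickable link for the URL filter to inspect. The sample messages and the lure
phrases are constructed for illustration.
"""
import email
import re
from email.message import EmailMessage

# Constructed lure wording typical of the "verify your identity" pretext.
LURE_RE = re.compile(
    r"\b(scan(?:ning)?\s+(?:the|this)\s+(?:qr\s+)?code|qr\s+code|"
    r"verify\s+your\s+(?:identity|account)|mfa\s+enrol+ment)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def classify(raw: bytes) -> dict:
    """Score one RFC 5322 message: image parts, lure phrases and link count."""
    msg = email.message_from_bytes(raw)
    texts, images = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True) or b""
            texts.append(body.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(texts)
    subject = msg.get("Subject", "")
    lure = bool(LURE_RE.search(text) or LURE_RE.search(subject))
    links = len(URL_RE.findall(text))
    if images and lure and links == 0:
        verdict = "quarantine"   # the image is the only "link": classic quishing shape
    elif images and lure:
        verdict = "review"
    else:
        verdict = "pass"
    return {"images": images, "lure": lure, "links": links, "verdict": verdict}


def build_sample_lure() -> bytes:
    """Constructed quishing message: text lure plus an inline image, no URL."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.invalid"   # constructed sender
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Action required: MFA enrollment expires today"
    msg.set_content("Scan the QR code below with your phone to verify your identity.")
    # Placeholder PNG bytes; a real message would carry the rendered QR image.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, maintype="image",
                       subtype="png", filename="qr.png", disposition="inline")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed routine HR mail with an ordinary link the URL filter can see."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Timesheets due Friday"
    msg.set_content("Please submit your timesheet at https://hr.example.invalid/timesheet by Friday.")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        print(name, classify(raw))
```

The heuristic is deliberately a complement to, not a substitute for, decoding the QR image itself: it catches the common "image plus scan wording, no URL" pattern and routes it for review, and a gateway that does add image decoding can then feed the decoded URL to its normal link filter.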

The Restaurant and Event Scam

Scammers replace legitimate QR codes at restaurants (for menus or payment) and at events (for tickets or schedules) with their own codes that redirect to phishing pages or trigger malware downloads. This is especially insidious because you have a reasonable expectation that a QR code at a restaurant table is legitimate.

The Cryptocurrency Scam

QR codes are standard for cryptocurrency transactions. Scammers create fake QR codes that redirect payments to their own wallet addresses. This has been used on printed donation appeals, fake charity drives, and even modified signage at crypto ATMs.

How to Protect Yourself

Preview Before You Open

Both iOS (18+) and Android (14+) now show you the URL destination when you point your camera at a QR code, before you actually open the link. Use this feature. Don't just tap to open immediately. Read the URL that appears.

On iPhone: Settings → Camera → make sure "Scan QR Codes" is enabled. The URL preview will appear at the top of the screen.

On Android: Most default camera apps show a URL preview. If yours doesn't, use Google Lens, which displays the destination before opening it.

Inspect Physical QR Codes

Before scanning a QR code in a public place, look at it carefully. Is it a sticker placed on top of something else? Are the edges peeling? Does the QR code look different from others nearby? If a QR code appears to be covering another one, don't scan it.

Never Enter Payment Details Through a QR Code You Didn't Expect

If a QR code leads you to a page asking for payment information, stop. Go directly to the service provider's official website or app instead. If it's a parking meter, use the official city parking app. If it's a delivery rescheduling, go to the carrier's website directly.

Be Skeptical of QR Codes in Emails

Legitimate companies rarely send QR codes via email. If you receive an email with a QR code asking you to "verify" or "authenticate" something, treat it with the same suspicion you'd give a suspicious link. Go to the service's website directly rather than scanning.

Use a QR Scanner with Security Features

Some security apps, like Norton Mobile Security or Trend Micro Mobile Security, include QR code scanners that check destination URLs against known phishing databases before opening them.

If You've Already Scanned a Suspicious QR Code

If you think you've been quished, act immediately. Close the browser tab. Don't enter any information. If you already entered payment details, contact your bank immediately to block the card. If you entered login credentials, change that password immediately from a different device. And if you downloaded anything, run a malware scan on your phone.

The Bigger Picture

QR codes aren't going away. They're too convenient and too deeply embedded in everyday life. But the trust we've built around them — the assumption that a QR code is inherently safe — is exactly what scammers exploit.

Treat every QR code the way you should treat every link: with healthy skepticism. Preview the URL. Question the context. And when in doubt, type the address manually.

Dynamic QR Codes Make It Even Worse

There's a technical detail that makes quishing particularly insidious. QR codes come in two types: static and dynamic.

A static QR code always points to the same URL. Once it's printed, it can't be changed. A dynamic QR code, however, points to a short URL that can be redirected to different destinations at any time by whoever controls it.

Scammers love dynamic QR codes because they can change where the code points after it's been placed. They might create a QR code that initially leads to a harmless page — maybe even the real parking payment page — until enough people are scanning it. Then they flip the destination to their phishing page. When investigators check the QR code later, the scammers can redirect it back to the legitimate page.

This cat-and-mouse ability makes dynamic QR code attacks harder to investigate and harder to prevent. NordVPN research found that 73% of Americans scan QR codes without verifying the destination. With over 26 million users redirected to malicious websites through QR codes, the scale of the problem is staggering.
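The "preview the URL" advice earlier in the article and the dynamic-code problem above both come down to reading the decoded payload before opening it. As an added example, not code from the original article, here is a small triage routine that does exactly that on the string a camera preview shows: it flags lookalike domains such as the "paypa1.com" case, brand names buried inside an unrelated domain, punycode hosts, non-web schemes such as wallet URIs, and shortener hosts whose destination can be changed later. It never fetches anything. The brand list, the shortener list and the sample payloads are constructed for illustration and are not a real blocklist.

```python
"""Triage the URL decoded from a QR code before opening it.

Added example for this article, not code from the original post. It inspects
only the text payload that a camera app shows in its preview; it never
fetches the URL. The brand and shortener lists below are constructed for
illustration, not a real blocklist.
"""
import re
from urllib.parse import urlparse

# Constructed: services a parking, delivery or payment QR code might claim to be.
KNOWN_BRANDS = {"paypal.com", "usps.com", "parkmobile.io"}
# Constructed: shortener/dynamic-QR hosts whose destination can be changed later.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "qrco.de", "t.co"}
# Digit-for-letter swaps used in lookalikes such as "paypa1.com" for "paypal.com".
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the constructed brand list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_qr_url(payload: str) -> dict:
    """Return the parsed host plus a list of risk flags for a decoded QR payload."""
    # Bare "example.com/path" payloads are treated as web links; anything with an
    # explicit scheme (bitcoin:, tel:, sms:) is parsed as-is.
    url = payload if SCHEME_RE.match(payload) else "http://" + payload
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = {"payload": payload, "scheme": parsed.scheme, "host": host, "flags": []}
    flags = findings["flags"]

    if parsed.scheme not in ("http", "https"):
        flags.append("non-web-scheme")        # wallet, dialer or SMS URI, not a web page
        return findings
    if parsed.scheme == "http":
        flags.append("no-tls")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")         # internationalised lookalike risk

    dom = registered_domain(host)
    if dom in SHORTENER_HOSTS:
        flags.append("shortener-redirectable")  # dynamic QR: destination can change later
    # Lookalike check: undo digit-for-letter swaps and compare to the known brands.
    normalised = dom.translate(HOMOGLYPHS)
    if dom not in KNOWN_BRANDS and normalised in KNOWN_BRANDS:
        flags.append("lookalike-of:" + normalised)
    # Brand name embedded in an unrelated domain, e.g. "usps.com.track.example".
    for brand in sorted(KNOWN_BRANDS):
        if brand in host and dom != brand:
            flags.append("brand-embedded:" + brand)
    return findings


def verdict(payload: str) -> str:
    """'open' only when no flag fired; otherwise type the address yourself."""
    return "open" if not triage_qr_url(payload)["flags"] else "do-not-open"


if __name__ == "__main__":
    # Constructed sample payloads, as a camera preview would display them.
    for sample in ("https://www.paypal.com/checkout", "https://paypa1.com/pay",
                   "http://bit.ly/x1", "bitcoin:bc1qexampleonly?amount=0.01",
                   "https://usps.com.track-redeliver.example/reschedule"):
        f = triage_qr_url(sample)
        print(f"{verdict(sample):12} {sample:55} {f['flags']}")
```

The shortener flag is the one that matters for dynamic codes: a preview that shows a short-link host tells you nothing about the final page, and the final page can change after you scan, so the safe response is the same one the article gives, go to the official site or app directly.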

What About QR Codes at Work?

The corporate risk is arguably even higher than the personal risk. Quishing attacks targeting businesses often arrive as emails pretending to be from HR, IT, or payroll departments. The QR code leads to a fake Microsoft 365, Google Workspace, or VPN login page.

What makes corporate quishing especially dangerous is that the employee scans the QR code with their personal phone, which is outside the company's email security filters and endpoint protection. The corporate security team has no visibility into what happens on the employee's personal device.

If you receive a QR code at work claiming to be from IT or HR, verify directly with the sender through a known channel. Don't scan.

Your camera app is not a security tool. Your awareness is.


Written by

Adhen Prasetiyo

Research and Bug Bounty Professional, freelance at HackerOne, Intigriti, and Bugcrowd.
