Skip to main content
    Back to GCR Scam Guard

    QR Code Scams (Quishing): Malicious QR Code Attacks

    Last updated: March 2026

    qr code scam
    quishing
    malicious qr code
    fake qr code

    Overview

    QR code scams, known as quishing, exploit the widespread adoption of QR codes for payments, menus, and information sharing. Criminals place malicious QR codes over legitimate ones on parking meters, restaurant tables, and public signage, or embed them in phishing emails and fake flyers. Scanning a malicious QR code can redirect you to phishing websites, trigger malware downloads, or initiate unauthorized payments.

    How This Scam Works

    1

    Criminals place stickers with malicious QR codes over legitimate ones on parking meters, leading victims to fake payment sites that steal credit card information.

    2

    Phishing emails and letters contain QR codes that bypass email security filters, which cannot scan the content of QR code images.

    3

    Fake flyers and posters in public places advertise deals, contests, or Wi-Fi access through QR codes that lead to malicious websites.

    4

    QR codes on fake parking tickets, utility bills, and government notices direct victims to fraudulent payment portals.

    Warning Signs

    QR codes that appear to be stickers placed over existing codes
    QR codes in unexpected places or on unofficial-looking materials
    QR codes in emails from unknown senders
    Scanning a QR code that opens a website URL that does not match the expected organization
    QR codes that immediately prompt you to download an app or file

    Real Scam Examples

    These are examples of messages used in this type of scam.

    Fake Parking Meter

    [Sticker on parking meter]: Scan to pay for parking. Quick, contactless payment accepted. [QR code links to phishing site that steals credit card information]

    Phishing Email

    Your package could not be delivered. Scan the QR code below to update your delivery address and reschedule. [QR code embedded in email to bypass text-based spam filters]

    How to Protect Yourself

    1Preview QR code URLs before opening

    Most phone cameras show the URL preview before opening it. Check that the URL matches the expected organization before tapping to open.

    2Look for tampered QR codes

    Before scanning QR codes in public places, check if the code appears to be a sticker placed over an original code. Tampered codes may have different textures or edges.

    3Use your phone's built-in camera

    Use your phone's native camera app rather than third-party QR scanner apps, as the built-in camera provides better URL previews and security warnings.

    4Be skeptical of QR codes in emails

    QR codes in emails are often used to bypass spam filters. If an email contains a QR code, it is likely more trustworthy to navigate to the company's website directly.

    5Use the GetCyberRight GCR Scam Guard

    Our scam checker tool can analyze QR code contents and URLs for known phishing indicators before you visit the link.

    Frequently Asked Questions

    Think you have received a scam like this?

    Paste the suspicious message into our free AI-powered scam analyzer.

    Related Resources