
QR Code Scams & Quishing: How to Spot Fake QR Codes and Stay Safe Online

Learn how QR phishing (quishing) works, common scam tactics on parking meters and emails, and practical steps to verify a QR code before you scan or tap a link.

11 min read · Updated Apr 8, 2026

QR codes are convenient, but criminals use them to hide malicious links—often called quishing (QR phishing). This guide explains red flags, real-world scam patterns, and how to protect yourself and your customers without giving up legitimate QR campaigns.

What is quishing and why it matters now

Quishing combines QR codes with phishing: attackers place codes that lead to fake login pages, payment portals, or malware downloads. Because the destination URL is hidden until after the scan, users may trust a familiar-looking sticker or email graphic without checking the actual domain.

Reports of QR-related fraud have risen as codes appear on parking pay stations, restaurant tables, delivery notices, and crypto giveaways. Security teams and consumers both need a simple mental model: treat every unexpected QR like an unknown link.

Common scam patterns to recognize

Sticker overlays: a fraudulent QR placed on top of a legitimate one on public posters or payment kiosks.

Urgency messages: “Verify your account” or “Package undeliverable” that push immediate action.

Too-good offers: free gift cards or cryptocurrency returns that route through look-alike domains.

Businesses should monitor whether their brand is impersonated via rogue codes in the wild; individuals should pause when a code appears in an unsolicited email or SMS, even if the logo looks official.

How to verify a QR code before scanning

Prefer scanning codes from official apps or websites you navigated to yourself rather than from random stickers. When you must scan, preview the URL on your phone if the OS shows it, and check the domain spelling (e.g., bank name typos).

Use updated device software and consider enterprise mobile threat defense for corporate devices. For high-risk transactions, skip the QR entirely and type a known URL manually.

What organizations can do to reduce risk

Use branded, tamper-evident placements for printed codes; educate customers on where legitimate codes appear. For email campaigns, explain that you will never ask for passwords via QR in unexpected messages.

Security awareness training should include QR-specific scenarios alongside traditional phishing simulations.