Phishing Scams That Exploit QR Codes for Payment Fraud
Quishing (QR code phishing) tricks victims into scanning malicious QR codes that redirect to fake payment portals or login pages, harvesting bank credentials or directing crypto transfers to scammer wallets — appearing in physical spaces, emails, and social media.
Part of: Phishing
Last reviewed: 1 June 2026
QR codes bridge physical and digital worlds in a way that makes fraud harder to detect. Unlike a typed URL that a cautious user might notice is misspelled, a QR code shows no readable destination — victims trust the physical or digital context in which they find it and scan without pre-verification.
QR code phishing — quishing — has grown significantly as QR codes became normalised for restaurant menus, parking payment, and marketing. Criminals place malicious QR codes over legitimate ones in public spaces, embed them in phishing emails, and use them in fake parcel delivery notices.
How this scam works on QR Code
A victim scans a QR code on a parking meter, restaurant table tent, or public notice that appears official. Instead of the expected payment portal, they are taken to a cloned site that collects card details. The payment appears to succeed but the card has been compromised.
In email quishing, a message impersonating a courier, bank, or utility company instructs the recipient to scan a QR code to verify their account or track a delivery. The landing page clones the real service and captures login credentials.
Crypto quishing displays a QR code representing a wallet address. The code appears in fake investment opportunities or on physical 'crypto ATM instruction cards' that have been replaced by scammer-printed alternatives directing transfers to a different wallet.
Common red flags
- QR code on a public parking meter or payment terminal that appears to have been added as a sticker rather than printed by the manufacturer
- Email from a courier or bank containing a QR code with an instruction to scan to track or verify
- QR code leading to a site whose URL in the address bar does not match the expected service
- Crypto investment contact who sends a QR code representing a wallet address for payment
- QR code login page that asks for full account credentials including password and OTP
How to protect yourself
- Before scanning a QR code in a public space, check whether it appears to be a sticker added over an original printed code
- Preview the URL after scanning — do not proceed if it does not match the expected site
- Use your bank's official app to make parking or service payments rather than scanning QR codes
- Never scan a QR code received in an unsolicited email to log into an account
- Report suspicious physical QR codes to the venue manager and the relevant payment service
How to report it
- Report to the payment service or bank whose brand was impersonated
- File a complaint with the FTC at reportfraud.ftc.gov or Action Fraud (UK)
- Report suspicious QR codes placed in public spaces to local authorities
Frequently asked questions
How can I tell if a QR code has been tampered with or is malicious?
Look closely for a sticker placed over an original QR code, especially on parking meters, restaurant table tents, or public posters, since this is a common way scammers physically substitute a malicious code. Before scanning, check whether the code appears slightly misaligned, peeling, or inconsistent with the surrounding printed material. Most phone camera apps show a preview of the destination URL before opening it — always check that the link matches what you expect.
I scanned a QR code and entered my bank details — what should I do now?
Contact your bank immediately to freeze or monitor the account and change your online banking password. Review the URL you were directed to and report it to your bank's fraud team as part of your report. Also report the physical location or QR code itself if it was in a public place, so it can be removed.
Are QR codes in public places (parking meters, restaurants) safe to scan?
Not automatically — while most are legitimate, QR codes in public, physically accessible locations can be covered with a scammer's sticker without anyone noticing. Before entering any payment or login details after scanning, check that the resulting page's URL matches the business you expect, and consider using the venue's official app or website instead if you have any doubt. Never enter banking details on a page reached via a QR code from an unfamiliar or suspicious source.
Can QR code payment apps detect malicious redirects before payment?
Some QR code scanner apps show a URL preview before opening the link. Always use a scanner that previews the destination URL and verify it matches the expected service. Banking apps that handle QR payments typically scan for known malicious domains, but this protection is not universal.