Phishing Scams That Exploit QR Codes for Payment Fraud
Quishing (QR code phishing) tricks victims into scanning malicious QR codes that redirect to fake payment portals or login pages, which harvest bank credentials or direct crypto transfers to scammer wallets. These codes appear in physical spaces, emails, and social media.
Last reviewed: 1 June 2026
QR codes bridge physical and digital worlds in a way that makes fraud harder to detect. Unlike a typed URL that a cautious user might notice is misspelled, a QR code shows no readable destination — victims trust the physical or digital context in which they find it and scan without pre-verification.
QR code phishing — quishing — has grown significantly as QR codes became normalised for restaurant menus, parking payment, and marketing. Criminals place malicious QR codes over legitimate ones in public spaces, embed them in phishing emails, and use them in fake parcel delivery notices.
How this scam works with QR codes
A victim scans a QR code on a parking meter, restaurant table tent, or public notice that appears official. Instead of the expected payment portal, they are taken to a cloned site that collects card details. The payment appears to succeed but the card has been compromised.
In email quishing, a message impersonating a courier, bank, or utility company instructs the recipient to scan a QR code to verify their account or track a delivery. The landing page clones the real service and captures login credentials.
Crypto quishing displays a QR code representing a wallet address. The code appears in fake investment opportunities or on physical 'crypto ATM instruction cards' that have been replaced by scammer-printed alternatives directing transfers to a different wallet.
Common red flags
- QR code on a public parking meter or payment terminal that appears to have been added as a sticker rather than printed by the manufacturer
- Email from a courier or bank containing a QR code with an instruction to scan to track or verify
- QR code leading to a site whose URL in the address bar does not match the expected service
- Crypto investment contact who sends a QR code representing a wallet address for payment
- QR code login page that asks for full account credentials including password and OTP
How to protect yourself
- Before scanning a QR code in a public space, check whether it appears to be a sticker added over an original printed code
- Preview the URL after scanning — do not proceed if it does not match the expected site
- Use your bank's official app to make parking or service payments rather than scanning QR codes
- Never scan a QR code received in an unsolicited email to log into an account
- Report suspicious physical QR codes to the venue manager and the relevant payment service
How to report it
- Report to the payment service or bank whose brand was impersonated
- File a complaint with the FTC at reportfraud.ftc.gov or Action Fraud (UK)
- Report suspicious QR codes placed in public spaces to local authorities
Frequently asked questions
Can QR code payment apps detect malicious redirects before payment?
Some QR code scanner apps show a URL preview before opening the link. Always use a scanner that previews the destination URL and verify it matches the expected service. Banking apps that handle QR payments typically scan for known malicious domains, but this protection is not universal.
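The preview-and-verify step described above can be made mechanical once a scanner has decoded the QR payload to text. The Python sketch below is an added example, not part of the original page; the service host `pay.cityparking.example` and every sample payload are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def assess_qr_payload(payload, expected_hosts):
    """Return findings for a decoded QR payload; an empty list means the
    destination is an expected service host reached over HTTPS."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["payload is not a parseable URL"]
    findings = []
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if parts.username is not None or parts.password is not None:
        findings.append("text before '@' is userinfo, not the real host")
    if not host:
        findings.append("no host in payload")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # a DNS name, which is what a payment service normally uses
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike characters)")
    expected = {h.lower() for h in expected_hosts}
    if not any(host == e or host.endswith("." + e) for e in expected):
        findings.append(f"host '{host}' is not an expected service host")
        if any(e in host for e in expected):
            findings.append("expected name is embedded in a different domain")
    return findings

# Constructed values: the service the sign or email claims to represent,
# and payloads as a scanner would decode them.
EXPECTED = ["pay.cityparking.example"]
SAMPLES = [
    "https://pay.cityparking.example/zone/41",
    "http://pay.cityparking.example/zone/41",
    "https://pay.cityparking.example.secure-pay.test/zone/41",
    "https://pay.cityparking.example@203.0.113.7/pay",
    "https://xn--cityprking-q9a.example/zone/41",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = assess_qr_payload(sample, EXPECTED)
        print(sample, "->", result or "matches expected service")
```

An empty result only means the destination host matches the expected service; it says nothing about whether the expected-host list itself is correct, so that list should come from the service's official app or documentation rather than from the sign or email carrying the code.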