QR Code Quishing Impersonating Target In-Store
Fraudsters attach fake QR code stickers to Target self-checkout kiosks, gift-card displays, and Circle loyalty signage, redirecting customers to phishing pages that capture card numbers or Target account credentials.
Part of: Quishing: Physical Payment Point QR Code Scams
Last reviewed: 8 June 2026
Target's in-store experience relies heavily on digital touchpoints: the Target Circle loyalty programme uses QR codes at checkout, gift card racks display scannable codes, and customer service signage increasingly uses QR links. This normalises QR scanning for Target shoppers, making them a receptive audience for quishing attacks where criminals substitute genuine codes with fraudulent ones.
A quishing attack at a Target store requires minimal technical skill — a printed sticker placed over an existing QR code — but can harvest hundreds of payment records before store staff discover the tampering. Target's distinctive branding and loyal shopper base make impersonation highly credible.
The attack exploits the trust shoppers place in physical retail environments. Unlike an email phishing message, a QR code on a physical in-store sign or display does not trigger the same instinctive suspicion that an unexpected email might, particularly when the surrounding environment is a familiar and trusted store.
How this scam works on the Target brand
Criminals typically target three locations within a Target store: the self-checkout payment station (where a QR code might plausibly enable an alternative payment method), the Target Circle sign-up display (where a QR code legitimately signs up new loyalty members), and the gift card activation desk (where customers may already be in payment mode).
The fake QR code links to a page styled to match Target.com, asking the customer to log in to their Target Circle account or enter payment details to complete a loyalty reward or verify a transaction. Credentials and card numbers entered here are captured by the attacker.
Some campaigns are more targeted: a sticker is placed near a checkout line for a specific category, such as electronics or baby products, with a message that says 'Scan to activate your Target Circle offer for this category'. Shoppers expecting a genuine discount are more motivated to scan and comply.
Common red flags
- A QR code sticker that appears slightly misaligned over an existing printed code, with raised edges or a different paper finish
- Scanning the code opens a URL that is not target.com — any variation is fraudulent
- The page that opens asks for your full Target Circle login, credit card number, or CVV as part of a rewards activation
- A sign says scan to receive a discount or reward but carries no Target receipt number, date, or store identifier
- The fake page lacks the standard Target.com header, navigation, or accessibility footer typically found on genuine Target pages
- You are asked to enter details that Target's standard checkout flow would never require via a QR code scan
How to protect yourself
- Inspect any in-store QR code before scanning — look for physical stickers over original printed codes
- If the QR code lands on a non-target.com page, close it immediately without entering any information
- Use the Target app's built-in Circle barcode at checkout rather than scanning external QR codes
- Alert Target store staff if you notice a suspicious QR sticker so they can investigate and warn other shoppers
- Monitor your Target Circle account and saved payment methods in the Target app for unauthorised activity
- If you entered payment details, contact your bank immediately to freeze the card
How to report it
- Report tampered QR codes directly to Target store management
- Report financial fraud to the FTC at reportfraud.ftc.gov
- If card details were captured, call your bank and dispute any fraudulent charges
- File a report with the FBI at ic3.gov if financial loss resulted
Frequently asked questions
Does Target use QR codes legitimately in stores?
Yes. Target uses QR codes in its Circle app for checkout, on promotional signage, and in its app. Always compare the URL from a scanned code against target.com before entering any information.
I scanned a QR code but closed the page without entering anything. Am I safe?
Probably yes. Close and clear your browser cache as a precaution. Some pages attempt drive-by exploits, so run a malware scan on your phone if you are concerned.
How often are physical QR sticker attacks discovered in retail stores?
Incidents have been reported at multiple US retailers and in car parks. They tend to be discovered when customers report suspicious page redirects or when store staff notice physical tampering during routine checks.