How does a QR code scam work?
QR code scams replace legitimate codes with fraudulent ones that redirect to phishing pages, fake payment portals, or malware downloads — exploiting the user's inability to read a QR code before scanning.
Last reviewed: 10 June 2026
Explanation
A QR code is an opaque link: unlike a URL you can read before clicking, a QR code reveals its destination only after the camera has scanned it. Fraudsters exploit this by placing fraudulent QR codes over legitimate ones in physical locations — restaurant menus, parking payment notices, public information boards, and charity donation stands are all documented targets.
In parking payment fraud, a sticker with a fake QR code is placed over the real one on a parking meter or pay-and-display machine. Drivers who scan to pay are taken to a convincing fake payment portal where card details are harvested. The real fee is never paid, meaning a penalty notice may also follow.
Email and text-based QR code phishing ('quishing') sends a QR code image in a message impersonating a bank or delivery service. Because the destination URL is encoded in the pixels of the image rather than written in the message text or HTML, filters that only scan hyperlinks find nothing to check, and the message passes through. Scanning the code on a phone also moves the victim off the corporate mail client and its protections onto a personal device. The phishing page then requests credentials or payment details.
QR codes are not limited to web links. Depending on the payload format and the scanner app, a code can open an app-store listing, pre-fill an SMS or email that the user is then prompted to send, or offer to join a Wi-Fi network. Most scanners ask for confirmation before acting, but the prompt is easy to tap through. The attack surface is wide because most people do not verify a QR code's destination before acting on it.
Common red flags
- A QR code in a public place looks like it has been applied as a sticker over an existing surface
- Scanning a code takes you to a site that asks for payment or login details unexpectedly
- The URL displayed after scanning does not match the organisation whose code you scanned
- A QR code in an email or text message requests urgent account or payment verification
- The code destination URL is a shortened link that obscures the actual domain
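The checks in the list above, and the non-URL payload types described earlier, can be applied mechanically to whatever text a scanner decodes. The following is an added example (not code from the original page): a small triage routine that classifies a decoded payload and flags the red flags a practitioner would want, namely a domain that does not match the expected organisation, a link shortener, a raw IP address, a brand name hidden in the path or in a lookalike host, and payloads that send a message or join a network. The shortener list and the sample payloads are constructed assumptions, not data from the page.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Constructed, deliberately short list of public link shorteners; a real
# deployment would use a maintained list (assumption, not from the page).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly", "rb.gy"}


@dataclass
class Triage:
    kind: str                  # "url", "wifi", "sms", "mail" or "text"
    target: str                # hostname, SSID, phone number, address or raw text
    flags: list[str] = field(default_factory=list)


def _parse_kv(body: str) -> dict[str, str]:
    """Parse the 'K:V;K:V;;' body used by WIFI: payloads."""
    out = {}
    for part in body.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            out[key.upper()] = value
    return out


def triage_payload(payload: str, expected_domain: str | None = None) -> Triage:
    """Classify a decoded QR payload and list the red flags found."""
    p = payload.strip()
    upper = p.upper()

    # Non-URL payloads: the danger is the action the scanner offers to take.
    if upper.startswith("WIFI:"):
        kv = _parse_kv(p[5:])
        return Triage("wifi", kv.get("S", ""), ["joins-network"])
    if upper.startswith("SMSTO:") or upper.startswith("SMS:"):
        number = p.split(":", 2)[1].split("?", 1)[0]
        return Triage("sms", number, ["sends-message"])
    if upper.startswith("MAILTO:"):
        return Triage("mail", p[7:].split("?", 1)[0], ["sends-message"])

    parts = urlsplit(p)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return Triage("text", p, ["not-a-url"])

    host = parts.hostname.lower().rstrip(".")
    flags: list[str] = []
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")       # e.g. https://bank.example@evil.example/
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")              # internationalised lookalike domain
    if host in SHORTENERS:
        flags.append("shortener")

    if expected_domain:
        exp = expected_domain.lower()
        # Only the host decides who you are talking to; it must be the expected
        # domain itself or a subdomain of it.
        if not (host == exp or host.endswith("." + exp)):
            flags.append("domain-mismatch")
            if exp in host:                   # council.example.evil.example
                flags.append("lookalike-host")
            if exp in unquote(parts.path + "?" + parts.query).lower():
                flags.append("brand-in-path") # evil.example/council.example/pay
    return Triage("url", host, flags)


if __name__ == "__main__":
    # Constructed sample payloads for a parking-payment scenario.
    for payload in ("https://pay.council.example/parking?ref=123",
                    "https://bit.ly/3xyz",
                    "http://council.example@203.0.113.7/login",
                    "https://council.example.payments-secure.example/pay",
                    "WIFI:T:WPA;S:Free Cafe WiFi;P:welcome1;;",
                    "SMSTO:+447700900123:Confirm my parking"):
        t = triage_payload(payload, "council.example")
        print(f"{t.kind:5} {t.target:45} {t.flags}")
```

The expected domain is the one the sign, meter or sender claims to belong to; the routine treats only a genuine subdomain of it as a match, so a brand name appearing as a subdomain of some other host, or in the path, is flagged rather than trusted.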
What to do now
- Check physical QR codes for signs of tampering — peeling stickers or misaligned placement
- Use a scanner that shows the decoded URL and read it before opening; check the actual domain, not just whether the organisation's name appears somewhere in the link
- Type the organisation's official address directly into your browser instead of using a QR code for payments
- If you entered payment details on a suspicious page, contact your bank immediately
- Report tampered QR codes to the venue or local authority responsible for the location
- Report quishing emails to the impersonated organisation and your email provider
Frequently asked questions
Are QR codes at restaurants safe to use?
Most are. The risk is specifically with codes that appear to have been added externally — on stickers that could be placed by anyone. Codes printed directly on the table or menu by the establishment are lower risk.
Can my phone get hacked just by scanning a QR code?
Scanning only decodes text, so a QR code alone cannot execute code on your device. Harm occurs when the decoded content leads you to a phishing page or when you confirm an action it proposes, such as joining a network or sending a pre-filled message. Keep your OS, browser and scanner app updated so that a bug in the software handling the decoded content cannot be exploited.
What is 'quishing'?
Quishing is phishing conducted through QR codes embedded in emails or messages. The term combines QR and phishing. It is growing because QR images bypass the URL-scanning filters many email security tools use.