QR-Code Scams (Quishing)
Malicious QR codes on stickers, emails or posters that lead to phishing or payment fraud.
Last reviewed: 1 June 2026
What this scam is
QR-code scams ('quishing') use malicious QR codes — on fake parking signs, restaurant tables, emails, or stickers over real ones — to send you to phishing sites or fraudulent payment pages.
How it works
You scan a QR code expecting a menu, payment, or parking page. Instead it opens a fake site that harvests card or login details, or initiates a payment to the scammer. Codes are often placed over legitimate ones.
Common red flags
- A QR sticker that looks added on or covers another code
- The code opens a login or payment page on an odd domain
- Requests for card or login details after scanning
- QR codes in unexpected emails
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Scan to pay for parking — [QR code] — enter your card details to complete.
Payment methods used
- Card details harvested
- Payments to scammer
Who is usually targeted
- Diners
- Drivers paying for parking
- Email users
What to do immediately
- Check the URL before entering anything; close if it looks wrong
- Prefer official apps/websites for payments and menus
- If you entered card details, contact your bank
Evidence to preserve
- Photo of the code/location
- The URL it opened
- Payment records
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I scan QR codes safely?
Preview the URL before opening, be wary of codes that look stuck on over another code, and avoid entering card or login details from a scanned page. Use official apps for payments where possible.
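The "check the URL" step above can be automated for a URL decoded from a QR code. The following is an added example, not part of the original page: the function name, the warning wording and the caller-supplied list of expected domains are assumptions, and the sample URLs are constructed from reserved example names and documentation IP addresses.

```python
import ipaddress
from urllib.parse import urlsplit


def assess_qr_url(url, expected_domains):
    """Return warnings for a URL decoded from a QR code (empty list = none found).

    expected_domains is supplied by the caller: the domains the sign, venue or
    sender should legitimately use. This list is an assumption of the example.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable URL"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not https")
    if parts.username is not None or parts.password is not None:
        warnings.append("credentials embedded before the host")
    if not host:
        return warnings + ["no host"]
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible lookalike characters)")
    expected = [d.lower().rstrip(".") for d in expected_domains]
    if not any(host == d or host.endswith("." + d) for d in expected):
        warnings.append("host is not an expected domain")
        # The expected name used as a left-hand label of an unrelated domain.
        if any(host.startswith(d + ".") or "." + d + "." in host for d in expected):
            warnings.append("expected name appears inside another domain")
    return warnings


# Constructed sample URLs (reserved example/test names and documentation IPs).
SAMPLES = [
    "https://pay.example.org/park?bay=12",
    "http://example.org.pay-secure.test/login",
    "https://pay.example.org@198.51.100.7/park",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess_qr_url(sample, ["example.org"]) or "no warnings")
```

An empty result only means none of these specific checks fired; it does not show that the page behind the URL is legitimate.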