QR-Code Scams (Quishing)
Malicious QR codes on stickers, emails or posters that lead to phishing or payment fraud.
Last reviewed: 1 June 2026
What this scam is
QR-code scams — sometimes called quishing, a blend of QR and phishing — use malicious QR codes to direct you to fraudulent websites or payment pages. Unlike a link in an email, a QR code's destination is not visible until after you scan it, which makes the attack more difficult to spot in advance.
Scammers place malicious QR codes in several ways. Physical stickers are placed over legitimate codes in locations where scanning is common — parking meters, restaurant menus on tables, package delivery slips, shared workspaces. Because the sticker looks like part of the fixture, victims have no reason to be suspicious.
In the digital context, QR codes are embedded in emails, PDFs, or images shared on messaging platforms. Email security systems that scan links for phishing are less equipped to analyse QR code images, so these messages sometimes bypass filters that would catch a plain text link.
The destination of a malicious QR code is typically a phishing page designed to harvest login credentials or card details, or a fraudulent payment page where you pay the scammer thinking you are paying a legitimate service.
How it works
In the most common physical variant, a scammer applies a sticker with their QR code over a legitimate code on a parking machine, café table, or delivery notice. When you scan it, the page that opens looks appropriate for the context — a parking payment page, a restaurant menu ordering system, or a delivery confirmation form.
The page asks you to enter your payment card details or log in to an account. The design is convincing because it matches what you expected to find. Your details are captured and the page may show a confirmation message or redirect you to the real service to avoid immediate suspicion.
In email-based quishing, the message creates a pretext for scanning the code — 'scan to verify your identity', 'scan to pay your invoice', 'scan to set up your new account'. Because you are moving from an email to a phone camera to a website, the usual habit of checking a link before clicking is bypassed.
Some quishing attacks target employees and use QR codes in fake IT messages, directing recipients to fake login pages for workplace systems to harvest corporate credentials.
In parcel delivery variants, a fake 'delivery failed' notice left on a door contains a QR code linking to a page requesting a redelivery fee and card details.
Why this scam works
The key advantage of QR codes for scammers is that the destination is hidden until after you scan. With a regular link, you can hover to preview the URL; with a QR code, this step is skipped entirely.
Physical placement exploits the assumption that codes in public spaces are legitimate. If a code is on a parking meter or restaurant table, it looks institutional and trustworthy — the idea that someone may have covered the real code with a fake one does not naturally occur to most people.
In email contexts, QR codes bypass one of the main defences people have been taught: checking links before clicking. The habit of 'hover to preview' does not translate to scanning a code with your phone.
A typical pattern
A person parks their car and scans the QR code on the parking meter to pay. The code opens a page that looks exactly like the parking operator's payment system, asking for their car registration, duration, and card details. They pay and receive a confirmation. Later they discover their card was charged multiple times, and no parking payment was ever registered with the operator. Inspecting the meter, they find the real code had a sticker placed over it.
Common red flags
- A QR sticker that appears to have been placed over another code
- The scanned URL contains an unfamiliar or mismatched domain
- Payment or login page opened after scanning on an odd or unexpected domain
- Email containing a QR code where a link would normally appear
- Request for card details after scanning a menu or information code
- Parking payment page accessed via QR code asking for full card details
- Delivery notice left at your door with a QR code and a request for a fee
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Scan to pay for parking — enter your card details to complete payment at this location.
Scan the QR code below to verify your identity and access your account: [QR code image in email].
We attempted to deliver your parcel. Scan to reschedule and pay a small redelivery fee.
Invoice attached — scan to process payment securely via our payment portal.
Your IT password expires today. Scan this code to reset it before access is restricted.
Scan to view today's menu and order directly from your table.
Common variations
- Parking meter sticker — malicious code placed over a legitimate payment code
- Restaurant table code — sticker over a real menu or ordering code
- Email quishing — QR code in a business email bypassing link-scanning security tools
- Fake delivery notice — QR code on a card through a letterbox requesting a redelivery fee
- Workplace IT phishing — QR code in a fake internal IT message targeting employee credentials
- Package QR code — code on a shipping label or tracking notice leading to a fake portal
How to verify before you act
Before entering any information, check the URL in your phone's browser after scanning. Look at the actual domain — not the text before or after a slash, but the core domain name. A parking payment page should be on the operator's official domain, not an unfamiliar one.
For physical QR codes, inspect the code itself before scanning. If it appears to be a sticker, peel at the corner gently to check whether another code is underneath. Many parking and payment operators now print codes directly on the machine rather than using stickers for this reason.
For parking payments and restaurant orders, most operators have an official app or website you can use instead of the QR code. Using these directly removes the risk.
If a QR code in an email leads to a login page for a work system, navigate to the system directly via your browser rather than scanning.
Payment methods used
- Card details entered on a fake payment page
- Login credentials harvested via fake sign-in
Who is usually targeted
- People paying for parking
- Restaurant and café visitors
- Email users in corporate environments
- Parcel recipients
What to do immediately
- Check the URL before entering any information — close the page if the domain looks wrong
- Prefer official apps or the operator's website over scanned codes for payments
- If you entered card details, contact your bank immediately to block the card
- If you entered login credentials, change your password on that service directly
- Take a photo of the suspicious code and its location as evidence
- Report suspicious physical stickers to the venue, parking operator, or local council
How to prevent it
- Preview the URL your phone shows after scanning before you tap to open it
- Check physical QR codes for stickers that appear placed on top of the original
- Use official apps or the operator's website for parking payments rather than scanning
- Be cautious of QR codes in emails — navigate to services directly instead
- Never enter card details on a page you reached via a QR code without verifying the domain
- Report suspicious stickers on public infrastructure to the venue or operator
- On mobile, use a QR scanner that previews the URL before opening
Evidence to preserve
- Photo of the QR code and its physical location
- The URL it opened
- Screenshot of the fake page
- Payment records or card statements
- Any message or email that contained the code
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I scan QR codes safely?
Preview the URL before opening, be wary of codes that look like stickers placed over the original, and avoid entering card or login details from a scanned page without verifying the domain. Use official apps for payments where possible.
Can I tell from the QR code itself whether it is malicious?
No — the pattern of a QR code gives no visual indication of its destination. The only way to verify is to check the URL shown by your scanner after scanning, before you open it.
Are QR codes in emails from legitimate companies dangerous?
Legitimate companies sometimes use QR codes in emails. The question is whether the link destination is the company's real domain. If in doubt, navigate to the company's service directly rather than scanning.
I paid via a scam parking QR code — can I get my money back?
Contact your bank immediately. You may be able to dispute the transaction as a fraudulent charge. Also report to Action Fraud (UK), the FTC (US), or your local equivalent, and to the parking operator so they can check and replace the code.
How is quishing different from regular phishing?
The destination of a QR code is not visible until after scanning, bypassing the habit of checking links before clicking. Physical QR codes also exploit a different context — a parking meter, a café table — that creates automatic trust.
What should I do if I find a suspicious sticker on a parking meter?
Do not scan the code. Take a photo and report it to the parking operator, local council, or police. If you have already scanned and paid, contact your bank.