QR Code Scams (Quishing)
Americans lost $12.5 billion to fraud in 2024, according to the FTC.
Quick Answer
QR code scams, or 'quishing,' use malicious QR codes to steal personal information or install malware, with attacks surging by over 300% year-over-year as scammers exploit the public's trust in this technology.
Think you've seen this scam?
Paste any suspicious text, email, or voicemail into our free checker — get a verdict in 5 seconds. Or get our free Scam Defense Playbook.
Free. No credit card. No signup required for the checker.
How It Works
1
A scammer creates a malicious QR code that links to a fraudulent website or initiates a malware download. These fake codes are often distributed by placing stickers over legitimate QR codes on public fixtures like parking meters, restaurant menus, or advertisements.
2
The QR code is also sent directly to victims through unsolicited emails, text messages, or unexpected packages, often creating a false sense of urgency, such as a problem with an account or a pending delivery. This method is called "quishing," a combination of QR code and phishing.
3
A person scans the code with their smartphone. The phone's camera automatically opens the link, which directs the user to a phishing website designed to look like a legitimate login page or payment portal.
4
The fraudulent site prompts the user to enter sensitive information like usernames, passwords, credit card numbers, or banking details. In other cases, scanning the code can trigger an automatic download of malware, which can steal data directly from the device.
Red Flags
- A QR code on a sticker placed over another one, especially on public payment terminals like parking meters.
- Receiving a QR code in an unexpected email, text message, or package you did not order.
- Language that creates a sense of urgency, demanding you act immediately to avoid a negative consequence.
- Your phone's camera preview shows a suspicious or misspelled URL before you open the link.
- The website you land on has a non-secure URL (HTTP instead of HTTPS), poor grammar, or low-quality logos.
- A QR code that promises a free prize, an unbelievable discount, or a government refund.
- The code is located in an unusual or random public place with no context.
What to Do If Targeted
- If you scanned a suspicious QR code, immediately disconnect your device from the internet to prevent further data transmission.
- Do not enter any information on the website that opens. Close the browser tab immediately.
- If you entered any passwords, change them immediately for that account and any others that use the same password.
- Contact your bank or credit card company to report potential fraud if you entered any financial information.
- Run a full scan with a reputable mobile security or antivirus application to check for malware.
- Report the scam to the authorities and the business being impersonated to help prevent others from becoming victims.
How to Report It
- FTC — File a fraud report with the Federal Trade Commission to help with law enforcement investigations.
- FBI IC3 — Report internet-related crime, including phishing and malware, to the FBI's Internet Crime Complaint Center.
- FCC — File a complaint about phone scams, robocalls, or unwanted calls with the Federal Communications Commission.
- AARP Fraud Helpline — Call 877-908-3360 for free support from trained fraud specialists. Available to anyone, not just AARP members.
Key Statistics
- QR code phishing campaigns surged by 331% year-over-year, indicating a significant shift in cybercriminal tactics. — Cofense 2024
- 89.3% of all QR code attacks are designed for credential phishing, aiming to steal usernames and passwords. — Abnormal AI H1 2024
- In 2025, the FBI's Internet Crime Complaint Center (IC3) received over 1 million complaints of cyber crime, with total reported losses exceeding $20.8 billion. — FBI IC3 2025 Annual Report
- Company executives are heavily targeted, receiving 42 times more QR code attacks than the average employee. — Abnormal AI H1 2024
- The FBI warns that scammers are increasingly using QR codes in conjunction with cryptocurrency ATMs to facilitate fraudulent payments. — FBI IC3
Get scam alerts before they hit your parents' inbox
One email per week. The scam that's spreading right now, the red flags, and what to tell Mom and Dad.
Free forever. Unsubscribe in one click.
Frequently Asked Questions
Quishing is a type of phishing attack that uses a malicious QR (Quick Response) code instead of a text-based link. Scammers trick you into scanning the code, which then directs your device to a fraudulent website designed to steal your personal and financial information or install malware.
Yes, scanning a malicious QR code can lead to a website that initiates an automatic malware download. This malware can then spy on your activity, steal sensitive information like passwords and banking details, or take control of your device.
Physically inspect the QR code for signs of tampering, such as a sticker placed over an original code. Before opening the link, preview the URL displayed by your phone's camera; look for misspellings or suspicious domain names. Be cautious of any QR code received in an unsolicited email or message, especially if it creates a sense of urgency.
Immediately disconnect your device from Wi-Fi and cellular data. Do not enter any information on the site that opens. Change any passwords you may have entered, run an antivirus scan on your device, and monitor your financial accounts for suspicious activity. Report the incident to the FTC at reportfraud.ftc.gov.
Has this scam reached your family?
Ready to protect yourself?
We've vetted the tools that actually work — VPN, threat protection, and identity monitoring.
See our recommended tools →Get weekly scam alerts
One breakdown per week. Real threats. Zero fluff.
You're in! Check your inbox.