Malicious QR codes are placed over legitimate ones on parking meters, restaurant menus, and EV chargers, and are embedded in phishing emails. 26% of all malicious links are now delivered via QR code, and 73% of Americans scan codes without verification. Because QR codes hide the URL, they bypass the most basic scam detection: checking the link before clicking.
Annual Losses: Growing rapidly — part of broader $16.6B cybercrime landscape (FBI IC3 2024)
Avg Loss / Victim: $100-$2,000
Primary Vector: Physical stickers (parking, menus, chargers), email attachments, paper mail
Peak Season: Year-round, spikes in tourist-heavy areas and holiday shopping
Scammers print high-quality QR code stickers and place them over legitimate QR codes in public spaces — parking meters, restaurant menus, EV charging stations, bike-share kiosks. When you scan, instead of reaching the real payment or menu site, you land on a convincing fake that steals your payment information. The key advantage for scammers: QR codes hide the URL, removing the visual warning sign that helps people spot fake links.
[Physical sticker on parking meter] Scan to Pay — ParkMobile™ [QR code leads to poybyphone.com instead of paybyphone.com]
Red flag: Typosquatted domain — one letter changed from the real 'paybyphone.com'
[Email] Your recent shipment requires confirmation. Scan the QR code below to verify delivery details and update your preferences.
Red flag: Embedding QR codes in emails bypasses email security scanners that check text-based links
QR code sticker placed on top of another code: Look for edges, different paper quality, or misalignment — legitimate codes are printed directly on the surface
QR code in an email asking you to scan with your phone: This is designed to move you from your protected email client to your phone, bypassing corporate security filters
Landing page immediately asks for payment or credentials: Pause and verify the URL in your phone's browser bar before entering any information
URL doesn't match the expected service: Your phone camera (iOS 18+, Android 14+) shows a URL preview before opening — check it carefully
Legitimate parking QR codes are printed directly on the meter or signage (not stickered over). Real restaurant menus link to the restaurant's own domain. Legitimate services have recognizable, established domains (parkmobile.io, paybyphone.com). Always preview the URL your phone shows before proceeding.
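One way to automate the URL check described above, as an added example that is not part of the original page: it classifies the URL decoded from a QR code against an allowlist and flags near-miss domains such as the poybyphone.com sticker. The allowlist contents, the function names and the distance threshold of 2 are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption: the allowlist holds the two service domains named on this page.
EXPECTED_DOMAINS = {"paybyphone.com", "parkmobile.io"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_qr_url(url: str, max_distance: int = 2) -> str:
    """Return 'expected', 'lookalike:<domain>', 'unknown' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    # Exact match, or a true subdomain of an expected domain.
    for good in EXPECTED_DOMAINS:
        if host == good or host.endswith("." + good):
            return "expected"
    # Simplification: treat the last two labels as the registrable domain.
    # A production check would use the Public Suffix List and handle IDNs.
    candidate = ".".join(host.split(".")[-2:])
    for good in sorted(EXPECTED_DOMAINS):
        # Near miss (one or two characters changed), or the expected name
        # used as leading labels of an unrelated domain.
        if edit_distance(candidate, good) <= max_distance or host.startswith(good + "."):
            return "lookalike:" + good
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs; only the first two domains appear on the page.
    for sample in ("https://paybyphone.com/pay", "https://poybyphone.com/pay",
                   "https://parkmobile.io.example.net/x", "https://example.org/menu"):
        print(sample, "->", classify_qr_url(sample))
```

An "unknown" result only means the domain is neither expected nor a close imitation of one, so it still needs the manual check the page describes.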
No. QR codes themselves are just a way to encode a URL. The risk is when malicious codes replace legitimate ones or when codes in emails bypass security filters. The defense is simple: always check the URL before entering any information.
Scanning alone typically just opens a URL. However, that URL could lead to a site that prompts you to download a malicious app or exploits a browser vulnerability. Keep your phone's OS updated and never install apps from QR code links.