Quishing Explained (2026): How QR-Code Payment Scams Work and 8 Steps to Verify a QR Link

Introduction — What is “quishing” and why it matters now

Quishing (QR‑code phishing) is the practice of embedding malicious links, payment redirects, credential harvesters, or malware inside QR codes so that victims who scan the code are immediately taken to a scam page or a fraudulent payment flow. The technique exploded in 2025 and continues to evolve in 2026, with attackers placing fake QR stickers on parking meters, shipping packages, posters and using QR links in unsolicited text messages and emails to lure users into instant transactions or logins.

Because QR codes hide the destination URL and scanning is quick and frictionless on most smartphones, many people bypass normal URL scrutiny — a habit scammers exploit. Public‑facing sectors (parking, restaurants, kiosks) and social channels are frequent vectors, and law enforcement and consumer agencies have issued warnings about rising losses and sophisticated campaigns.

How quishing attacks typically work — an anatomy

Quishing attacks use a simple but effective social‑engineering pattern. Common stages include:

1. Placement or delivery: attacker places a visible QR (sticker or printed code) on a payment terminal, parking meter, menu, or includes a QR in an unsolicited package, text, or social post.
2. Urgency or authority: messaging creates pressure — “Pay now,” “Claim refund,” “Confirm delivery” — to encourage immediate scanning.
3. Redirection: the scanned code opens a malicious URL that mimics a legit payment page or login portal; it may auto‑initiate a payment to the scammer’s account, or prompt for credentials or card details.
4. Credential or funds capture: victims enter payment details, authenticate with banking credentials, or approve a transaction — sometimes via a fake app flow — enabling immediate theft.
5. Cleanup and reuse: attackers use fast, hard‑to‑reverse payment rails (crypto wallets, gift codes, P2P) or move credentials on dark‑web markets. Some campaigns now combine QR coding with targeted spear‑phishing.

Quishing can also be used in targeted attacks: security researchers and the FBI reported nation‑state actors embedding spear‑phishing and credential‑capture flows in QR links to hit organizations and high‑value targets.

8 practical steps to verify a QR link before you scan (or after you scan)

Follow these checks to reduce risk. Do not rush — QR scanning is convenient but not always safe.

1. Question the context: If the QR is on an unexpected package, a handwritten sticker, a torn poster, or an unsolicited message, don’t scan. Legitimate businesses rarely replace their own printed payment stickers with cheap labels.
2. Inspect the code visually: look for overlays, mismatched stickers, tape edges, or cheaper paper stuck over a genuine sign. If anything looks tampered with, don’t scan.
3. Use your phone’s URL preview: most QR scanners show the destination URL before opening it; read it carefully. Look for misspellings, extra subdomains (login.example.com.badsite[.]xyz), or domain mismatches. If your scanner doesn’t show a preview, use a scanner app that does.
4. Check the domain — not just the brand: legitimate payment pages usually use well‑known domains (bankname.com, stripe.com, paypal.com). Beware of domains that try to imitate a brand with small changes. When in doubt, use the vendor’s official app or website instead of scanning.
5. Avoid entering credentials or card data on a page opened from a QR unless you initiated the transaction: if the QR unexpectedly asks you to log in or re‑authenticate a payment, close it and access the service through known channels.
6. Use a security‑aware scanner or browser protections: enable browser/site‑safety warnings or use security apps that check URLs in real time before loading. Some security vendors now include QR checks to flag malicious links.
7. Hover‑or‑test with a second device: if you must scan a public code (e.g., restaurant menu), test with a phone that has limited accounts or use a QR reader that only reveals the URL (do not follow it). Alternatively, ask staff for a printed menu or typed URL.
8. When in doubt, pay another way and report it: use contactless tap, card reader, or the merchant’s official app. If you suspect a fake QR sticker, take a photo and report the location to the business and local authorities or consumer protection (USPS, FTC, or local police as appropriate).

If you already scanned and the page asked for sensitive information, close the page immediately, change any passwords (especially for accounts you might have entered), contact your bank or card issuer, and follow the reporting steps in the next section.

If you were targeted — reporting, recovery, and prevention for individuals and organizations

Quick actions improve the chance of recovery:

• For stolen money: contact your bank or card issuer immediately to request a hold or reversal; for P2P or crypto transfers, report to your provider and document as much evidence as possible. Banks and platforms have different remedies — act fast.
• For credential theft: change passwords, revoke sessions, enable multi‑factor authentication (use passkeys or an authenticator app rather than SMS where possible), and scan devices for malware.
• Report the incident: in the U.S. report to the Federal Trade Commission (FTC), local police, and (if postal items are involved) the U.S. Postal Inspection Service; industry and national agencies track quishing trends and warnings. For corporate incidents, notify your security team and follow internal incident response procedures.
• For businesses and venues: inspect and secure payment signage, use tamper‑evident materials for QR displays, educate staff and customers, and consider MDM or URL filtering on managed devices. Organizations should add QR‑link checks to their phishing training and incident playbooks.

Why these steps matter: public reporting and faster vendor responses help disrupt quishing campaigns and make it harder for attackers to reuse physical drop sites or cloned payment flows. New defensive tools and research are emerging in 2026 to detect malicious QR structure and intercept dangerous payloads before they reach users — but user caution and verification remain the fastest, most reliable defense.

Bottom line: QR codes are a useful shortcut — but convenience shouldn't replace safety checks. Treat unfamiliar QR codes like unknown links: inspect, verify, and when in doubt, pay another way or ask the business. Reporting suspected quishing helps protect others and accelerates takedown of malicious infrastructure.