ScamWatch

If you feel you're being scammed in the United States: Contact the Federal Trade Commission (FTC) at 1-877-382-4357 or report online at reportfraud.ftc.gov

Quishing: How QR‑Code Payment Scams Work and a Step‑by‑Step Guide to Avoid Them


What is quishing and why it matters now

Quishing is phishing that begins with a QR code. A malicious or tampered code sends you to a fake payment page or a credential‑harvesting site, or starts a download of malware onto your phone. Scammers paste fraudulent QR stickers over legitimate codes (parking meters, restaurant menus, delivery notices) or send QR images in emails and texts to trick victims into paying or entering credentials. Because the destination is invisible until the code is scanned, the usual habit of reading a link before clicking it does not apply.

Quishing has surged in recent years as mobile payment and scan‑to‑pay workflows become ubiquitous. Security firms and federal agencies reported a rapid rise in QR‑based phishing threats and malicious URLs, with multiple public advisories in 2024–2026 calling attention to sticker‑overlay attacks, package‑based QR lures, and targeted spear‑phishing campaigns that use QR links to harvest credentials.

How quishing attacks typically work — step by step

  1. Placement or delivery: The attacker places a fraudulent QR sticker over a legitimate code (e.g., parking meter, restaurant tabletop) or sends a QR image via email, SMS, social post or an unsolicited parcel with instructions to scan.
  2. Scan → redirect: Scanning the code opens a URL that could not be read from the printed code. The page looks legitimate (a spoofed payment portal, a “failed payment” page, or a delivery tracking site) but is served from the attacker’s infrastructure, often on a look‑alike domain.
  3. Action requested: The site asks for payment, card details, login credentials, or prompts you to install an app or an update (which can be malware). Attackers may display urgency: fines, limited‑time refunds, or account lock warnings to shorten your verification time.
  4. Funds/data exfiltration: Money is routed to the scammer’s account or credentials are captured and reused to drain accounts or enable further fraud (account takeover, SIM swap, etc.).

Quishing can also be weaponized in targeted campaigns: advanced actors have used QR links in spear‑phishing to capture corporate credentials and access enterprise resources, increasing risk beyond consumer payments.

Step‑by‑step checklist: Verify a QR code before you scan

Use this concise checklist any time you encounter a QR code that asks you to pay, log in, or download something.

  • Pause and inspect: Look for tampering — is the QR neatly printed on a sticker covering an existing label, or misaligned? If it looks like an overlay, do not scan. Legitimate merchants and municipalities usually use durable, branded labels.
  • Check surrounding context: Official payment or tracking notices come from known channels. If an emailed QR claims to be from a bank, go to the official website or app instead of scanning the code.
  • Preview the link before opening it (when possible): Many phone cameras and QR reader apps show the destination URL before opening it. Read the domain carefully, in particular the registered domain just before the first slash: look for small typos, extra words, or a real brand name that appears only as a subdomain of something unfamiliar. A shortened link hides the destination; treat it as unverified.
  • Open the expected app directly: For parking or delivery payments, use the official parking app, the merchant’s app, or the delivery provider’s tracking page — do not rely on a QR that appears in a random text or flyer.
  • Don’t install unknown apps: If the QR prompts an app download or system update, decline. Legitimate services usually use the app stores and will not force an unsigned APK or third‑party installer.
  • Choose your scanner carefully: Prefer your phone camera’s built‑in scanner or a trusted security app that previews URLs. Avoid unknown “QR scanner” apps that request excessive permissions; a scanner needs the camera and little else.
  • Verify payments before sending: If a QR opens a payment portal, verify the payee name and, when possible, confirm using an alternate channel (call the merchant or use an official app). For parking, confirm the location and meter ID in the official city app or signage.

When in doubt, ask the merchant or organization directly — a short call or message to the verified support line beats an irreversible payment.

Quick rule of thumb: If scanning the QR asks for sensitive information (full card number, 2FA codes, or passwords) treat it as a red flag and stop.
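Once a scanner app shows you the decoded payload, the domain checks in the checklist above can be applied to that text mechanically. The script below is an added example and not code from the ScamWatch page: the trusted‑domain list, the sample payloads and the one‑edit typosquat threshold are constructed assumptions for illustration, and decoding the QR image itself is left to the phone or scanner app.

```python
"""Triage the text decoded from a QR code before you open it.

Added example, not from the ScamWatch page. The trusted-domain list,
the sample payloads and the thresholds are constructed for illustration;
decoding the image itself is left to the phone or scanner app.
"""
import ipaddress
from urllib.parse import urlsplit

# Where you would expect a parking/delivery/payment QR to land (constructed
# assumption; replace with the operators you actually use). A tuple keeps the
# order of reported flags deterministic.
TRUSTED_DOMAINS = ("parkmobile.io", "usps.com", "paypal.com")

# Schemes and file types that trigger an install or store action, not a page.
RISKY_SCHEMES = {"intent", "market", "itms-services", "ms-windows-store"}
INSTALLER_SUFFIXES = (".apk", ".ipa", ".exe", ".msi", ".dmg", ".mobileconfig")

# Shorteners hide the final destination until you have already followed them.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.io demos, wrong for .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a trusted name is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def triage_qr_url(payload: str) -> list[str]:
    """Return the red flags found in a decoded QR payload. An empty list means
    nothing obvious was found, which is not proof that the code is legitimate."""
    flags: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    if scheme in RISKY_SCHEMES or path.endswith(INSTALLER_SUFFIXES):
        flags.append("prompts an app install or store action, not a web page")
    elif scheme != "https":
        flags.append(f"not https (scheme '{scheme or 'none'}')")

    if not host:
        flags.append("no host name in payload")
        return flags
    if looks_like_ip(host):
        flags.append("raw IP address instead of a domain name")
        return flags
    if "@" in parts.netloc:
        flags.append("user-info before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label: may be a look-alike of a Latin name")

    reg = registered_domain(host)
    if reg in URL_SHORTENERS:
        flags.append(f"'{reg}' is a URL shortener hiding the final destination")
    elif reg not in TRUSTED_DOMAINS:
        domain_flags = []
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host:
                # e.g. paypal.com.secure-pay.example: the brand is only a subdomain.
                domain_flags.append(
                    f"'{brand}' appears in '{host}' but the registered domain is '{reg}'")
            elif edit_distance(reg, trusted) <= 1:
                domain_flags.append(f"'{reg}' is one edit away from '{trusted}' (typosquat?)")
        flags.extend(domain_flags or
                     [f"'{reg}' is not on your trusted list; use the official app instead"])
    return flags


# Constructed sample payloads, as a scanner app would display them.
SAMPLES = [
    "https://parkmobile.io/pay?zone=1234",
    "http://parkmobi1e.io/pay?zone=1234",
    "https://paypal.com.secure-pay.example/login",
    "https://usps-redelivery.example/track",
    "https://bit.ly/3abcdef",
    "https://192.0.2.10/update.apk",
    "intent://scan/#Intent;package=com.example.app;end",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        found = triage_qr_url(payload)
        print(("STOP " if found else "ok   ") + payload)
        for flag in found:
            print("      - " + flag)
```

The script only reasons about the text of the payload; it cannot tell you whether the page behind a clean‑looking URL is genuine, which is why the checklist still ends with confirming the payee through the official app or a verified phone number.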

If you scanned a malicious QR or lost money — immediate steps

  1. Stop further interactions: Close the page, do not enter more data or install anything.
  2. Secure accounts: If you entered credentials or 2FA codes, immediately change passwords and revoke sessions from the service’s account settings.
  3. Contact your bank or card issuer: Report unauthorized charges and ask about chargeback or fraud protections.
  4. Report the incident: For U.S. victims, file a complaint with the FBI’s Internet Crime Complaint Center (IC3) and the Federal Trade Commission (FTC); if the QR came via mail or targeted your delivery, the USPS Inspection Service provides reporting options.

Consider reporting sticker‑overlays to the local merchant or city parking authority so they can remove the fraudulent code and warn others. If you believe you installed malware, disconnect the device from networks and seek professional device cleanup (mobile antivirus, vendor support, or a trusted technician).