
Guide · QR-code phishing · Updated June 2026

Quishing Scams: How to Spot QR-Code Phishing and Stay Safe

Quishing — QR-code phishing — is the fastest-growing fraud category of 2026. Scammers slap stickers over parking meters, embed QR codes in emails to bypass corporate filters, and post fake “airdrop” codes in DMs to drain crypto wallets. This guide covers every pattern in circulation, the red flags that give them away, and the safe-scan checklist fraud analysts use.

If you already scanned and entered a card or password

Freeze the card or change the password right now — recovery odds drop sharply after the first hour. Detailed playbook below.

The 6 quishing patterns to know

Fake parking-meter / EV-charger QR stickers

How it works: A scammer prints a sticker with their own QR code and slaps it over the real one on a parking meter, parking-lot sign, or EV charger. You scan it, land on a convincing payment page, enter your card, and pay a stranger — sometimes for hours that were never reserved on your spot.

Dead giveaway: If the QR code is a sticker peeling at the edges, sits on top of another label, or the URL after scanning doesn't match the city/operator's real domain, walk away and pay at the kiosk or in the official app.

Restaurant menu / table-tent overlay

How it works: A fake QR is taped over the genuine one on a table tent or menu. The page looks like the restaurant's ordering or tipping flow but routes payment (and your card details) to the scammer.

Dead giveaway: Real restaurant QR menus almost never ask for your card on the same page that shows the menu. If it asks for a card before you've placed an order — or asks for a "verification fee" — close the page and order from a server.

QR-code phishing email ("Quishing")

How it works: An email that looks like Microsoft 365, DocuSign, your bank, or HR contains a QR code instead of a link. Why? Corporate email scanners and link-rewriters are blind to images, so the malicious URL inside the QR slips through. You scan with your personal phone (which has no corporate protection) and land on a credential-harvesting page.

Dead giveaway: A legitimate company will never put a QR code in an email and tell you to scan it with your phone to log in. Open the service directly in your browser instead.

Fake delivery / "missed package" QR notices

How it works: A flyer on your door or a text message: "We tried to deliver — scan to reschedule." The QR leads to a fake USPS / DHL / FedEx page that asks for a small redelivery fee + your full card and address.

Dead giveaway: Real carriers don't charge redelivery fees. They also don't ask you to verify your full card number on a QR-linked page.

Crypto / investment "airdrop" QR codes

How it works: Posted in Telegram, Discord, X DMs, or even printed on flyers at meetups. "Scan to claim free tokens / connect your wallet." Scanning opens a malicious dApp that requests `setApprovalForAll` and drains your wallet the moment you sign.

Dead giveaway: Real airdrops never require an upfront approval that grants access to all your tokens. Never scan a QR from a stranger that asks you to connect a hot wallet holding real funds.
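A defender-side check for the approval pattern described above, as an added example (not GACS code): it decodes the calldata of a transaction a wallet is asked to sign and flags `setApprovalForAll` and unlimited `approve` requests. The grantee address and sample calldata are constructed, and the "unlimited" threshold is an assumption.

```python
# Well-known 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address operator, bool approved)
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
}
# Assumption: allowances at or above 2**255 are treated as "unlimited".
UNLIMITED_THRESHOLD = 2**255

# Constructed sample data: a made-up grantee address and three requests.
GRANTEE = "11" * 20
SAMPLE_SET_ALL = "0xa22cb465" + "00" * 12 + GRANTEE + "00" * 31 + "01"
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + GRANTEE + "ff" * 32
SAMPLE_REVOKE = "0x095ea7b3" + "00" * 12 + GRANTEE + "00" * 32


def review_signing_request(calldata_hex):
    """Classify the calldata of a transaction a wallet is asked to sign."""
    try:
        raw = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    except ValueError:
        return {"call": "unparseable", "risk": "unknown"}
    name = SELECTORS.get(raw[:4].hex())
    # Both calls take exactly two 32-byte arguments after the selector.
    if name is None or len(raw) != 4 + 32 + 32:
        return {"call": "other", "risk": "unknown"}
    grantee = "0x" + raw[16:36].hex()          # address = last 20 bytes of word 1
    value = int.from_bytes(raw[36:68], "big")  # bool flag or token amount
    if value == 0:
        risk = "revocation"
    elif name == "setApprovalForAll":
        risk = "high: operator can move every token in this collection"
    elif value >= UNLIMITED_THRESHOLD:
        risk = "high: unlimited token spend"
    else:
        risk = "limited allowance"
    return {"call": name, "grantee": grantee, "risk": risk}


if __name__ == "__main__":
    for sample in (SAMPLE_SET_ALL, SAMPLE_UNLIMITED, SAMPLE_REVOKE):
        print(review_signing_request(sample))
```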

Charity / donation QR-code swap

How it works: At events, places of worship, or on the street, a scammer covers the real donation QR with their own. Donors think they're giving to the cause; the money lands in the scammer's wallet.

Dead giveaway: Confirm the receiving name on the payment screen out loud before sending. If the recipient name doesn't match the charity, stop.

8 red flags of a quishing scam

  • A QR code on a sticker that looks freshly applied or sits on top of another label
  • After scanning, the URL doesn't match the real business / city / brand domain
  • The page asks for full card number, CVV, and ZIP on the first screen
  • Urgency language: "pay within 10 minutes", "final notice", "vehicle will be towed"
  • A QR code inside an email that tells you to scan with your phone to "verify" or "log in"
  • QR code shared in a DM by someone you've never met in person
  • Wallet-connect prompts asking for "setApprovalForAll" or unlimited token spend
  • The payment recipient name doesn't match the merchant / charity / agency name

The 5-step safe-scan checklist

  1. Preview the URL before opening it

    Modern iOS and Android cameras show the destination URL above an "Open" button — read it first. If it's not the official domain you expect (e.g. real city parking sites end in .gov, not .com / .pay / .link), do not tap.

  2. Look at the sticker itself

    Tap the QR with your fingernail. If it's a sticker peeling at the corner, sitting on top of another QR, or printed on different paper than the surrounding sign, it was almost certainly added by a scammer.

  3. Prefer typing the URL or using the official app

    For parking, charging, deliveries, and banking, open the official app or type the known domain yourself. A QR shortcut is a convenience, never a requirement.

  4. Never scan QRs from emails on your phone

    QR-code phishing exists specifically to escape your corporate email security. Open the service the email claims to be from on your laptop and log in there.

  5. Check the receiving name on the payment screen

    Before confirming a payment, read the merchant / recipient name out loud. If it's an unfamiliar individual or LLC, cancel.
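The URL preview in step 1 can be automated once a QR code has been decoded. This added example (not GACS code) compares the decoded URL with the domain you expect and reports lookalike tricks; the domains, the shortener list and the reason labels are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small illustrative list of link shorteners; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def check_qr_url(url, expected_domain):
    """Return reasons not to open a decoded QR URL (empty list = host matches)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return ["unparseable-url"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if has_userinfo:
        # "https://real-site@evil.test/" displays the real name but goes to evil.test
        reasons.append("userinfo-in-url")
    if not host:
        return reasons + ["no-host"]
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("idn-host")  # possible homoglyph lookalike
    if host in SHORTENERS:
        reasons.append("url-shortener")  # real destination is hidden
    expected = expected_domain.lower()
    # Match the exact domain or a true subdomain, never a mere prefix.
    if host != expected and not host.endswith("." + expected):
        reasons.append("domain-mismatch")
    return reasons


if __name__ == "__main__":
    # Constructed samples using reserved .example/.test names and a TEST-NET address.
    for u in ("https://pay.city.example/zone/12",
              "https://pay.city.example.quick-pay.test/zone/12",
              "https://pay.city.example@quick-pay.test/",
              "http://203.0.113.7/pay"):
        print(u, check_qr_url(u, "pay.city.example"))
```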

What to do if you already scanned

  1. If you entered card details: lock the card now

    Open your banking app and freeze or replace the card immediately — most major banks let you do this in two taps. Then call the fraud line on the back of the card and request a chargeback.

  2. If you connected a crypto wallet: revoke approvals

    Move any remaining funds to a fresh wallet, then revoke token approvals at revoke.cash (Ethereum / EVM) or the equivalent for your chain. Assume the original wallet is compromised; do not reuse it.

  3. If you entered a password: change it everywhere it's reused

    Start with email, then banking, then any account using the same password. Turn on a hardware key or authenticator app — SMS codes are not enough against this type of phishing.

  4. Report it

    Submit at IC3.gov (FBI) and reportfraud.ftc.gov, and tell the local property owner (parking authority, restaurant, charity) so they can pull the sticker.

  5. Submit the scammer's details to GACS

    Submit the wallet, URL, recipient name, or merchant alias. This gets the entity into search results, so the next person who scans the same sticker sees a warning before they pay.

FAQ

What is quishing?

Quishing is QR-code phishing — using a QR code to deliver a malicious link instead of typing the link directly. It exists because email and chat scanners check text URLs but usually can't read what's encoded inside an image, so the malicious destination slips past corporate filters and lands on your unprotected personal phone.

How can I tell if a QR code is fake?

Three checks: 1) physically inspect the QR for sticker overlays or peeling edges, 2) preview the URL in your camera app before tapping Open, 3) confirm the domain matches the real organization (e.g. a city parking page should end in .gov, not .pay or .link).

Is it safe to scan QR codes in restaurants?

Generally yes, but only for viewing menus. If a restaurant QR routes you to a payment page that asks for your card before you've ordered, treat it as suspicious — pay through your server or a known app instead.

Can scanning a QR code install malware?

Just scanning won't install anything by itself — modern phones won't auto-install apps from a URL. But the page the QR opens can phish your password, trick you into installing a malicious profile or APK, or prompt a crypto wallet to sign a draining transaction. The danger is what you do after the scan, not the scan itself.

Why are QR-code scams growing in 2026?

Two reasons: post-pandemic, QR codes became a default UX in parking, restaurants, and payments — people have stopped questioning them. And email security tools are finally good at catching text-link phishing, so attackers have shifted to QR codes that those tools can't read.

Should I avoid QR codes entirely?

No — QRs are fine for menus and information. Just never use one for payment, login, or wallet-connect unless you can verify it wasn't tampered with and the destination domain matches what you expect.