QR Code Scam (Quishing): How to Spot a Fake Code in 2026
Quishing is QR code phishing. Learn the high-risk spots, how to preview a code before opening it on iPhone and Android, and what to do after a bad scan.
Quick Answer: Quishing is a phishing attack that uses a fake QR sticker placed over a real one. It sends you to a lookalike site that steals your login or card info.
- Quishing uses a fake QR sticker placed over a real one on parking meters, restaurant tables, packages, and flyers
- A legitimate iPhone or Android camera shows the full URL before opening, so you can read the domain first
- Lookalike domains often swap letters or add a hyphen: paypall.com, my-bank-login.co, ticket-pay-now.net
- Never enter passwords, card numbers, or app store credentials into a page reached by scanning a code in public
- If you scanned a malicious code, change the password, freeze the card if you typed it, and report the sticker
A QR code scam is one of the easiest phishing attacks to fall for in a public place. The sticker sits on a parking meter, your phone is already aimed at it, and the page looks normal. This guide explains what to check before you tap.
#What Is Quishing and Why It Works
Quishing is phishing delivered through a QR code instead of an email link.

The attacker prints a sticker with their own code and places it over a legitimate code in a public spot. You scan it the same way you would any other QR code. Your phone shows a URL, you tap, and you land on a page that imitates a parking app, a restaurant payment page, or a delivery confirmation. The page then asks for the payoff: your login or your card number.
According to the FTC’s 2023 consumer alert on QR code scams, scammers have been hiding harmful links inside QR codes placed over legitimate codes in public locations including parking meters since at least 2023, with the goal of capturing payment details or login credentials. On Android, a small share of campaigns also push a drive-by app prompt after the page loads.
Three reasons it works so well.
First, QR codes look like infrastructure, not advertising, so most people trust them by default. Second, the URL stays hidden until you actually scan, so there’s nothing to inspect ahead of time. Third, the moment of scanning usually happens when you’re rushed: you just parked, you’re hungry, the package is at the door.
#Where Are You Most Likely to See a Fake QR Code?
Some physical spots get hit again and again. Foot traffic is high, the real sticker is easy to cover, and the surface is rarely supervised.

Parking meters are the classic case.
Parking meters and pay stations. The legitimate sticker carries the city’s parking app URL. An attacker prints a near-identical sticker and presses it on top, often within seconds during a quiet moment. You scan, “pay”, and the card details go to the scammer.
Restaurant tables and menus. Touchless menus and table-side payment QR codes are everywhere now. A scammer drops by, peels the corner of the real sticker, and lays a fresh one on top with an attacker-controlled URL that resembles the restaurant’s payment processor. The fake page asks for the card and a tip percentage. The card details flow to the scammer, and the diner walks out thinking the meal is paid for when the merchant never received a cent.
Packages and “missed delivery” cards. A QR code on a card claiming a missed delivery sends you to a fake carrier site. The fee is small. There was no package.
The FBI’s Internet Crime Complaint Center reports that quishing-style fraud has spread to EV charging stations, public flyers, and mailed letters dressed up as official notices from the IRS or utility companies since 2024. Real agencies don’t initiate payment through a mailed QR code.
A few physical signs that a sticker is fake: a raised edge, a slight color mismatch with the surface underneath, fresh adhesive at the corners, or a sticker that looks much newer than everything around it. If you can lift a corner without much force, it likely went up yesterday.
For deeper background on what happens after credentials are stolen, our guide on passkey vs password vs 2FA covers why a stolen password isn’t enough to break a passkey-protected account.
#How Do You Preview a QR Code’s Link Before Opening It?
Both modern iPhones and Android phones show you the destination URL before opening it. The point of preview is to read the domain calmly, away from the rush of “just scan and pay”.

#On iPhone (iOS 17 and later)
- Open the Camera app
- Point the rear camera at the code without tapping
- A small banner slides in showing the URL and the source app
- Read the full domain before tapping the banner
We tested this on an iPhone 15 running iOS 18. The banner appears within a second.
According to Apple’s iPhone Camera support documentation, the Camera app and Code Scanner both show a URL preview notification before opening any link, and the preview includes the source app handling the request so you can spot anything unexpected.
#On Android (Pixel and most Samsung)
- Open the Camera app
- Hover over the code for a beat, don’t tap the shutter
- The URL appears as a chip or banner near the bottom of the screen
- Tap once to expand and read the full domain before opening
If the default camera doesn’t preview the URL, use Google Lens instead. Google recommends using Lens for QR codes because the app shows the destination URL and a “where this links to” label before opening anything. We tested this on a Pixel 8 running Android 14, and the preview behavior matched the documentation exactly.
#What to Look For in the URL
- The domain matches what you’d expect (a city’s real parking app, the restaurant’s real brand, the carrier’s real name)
- No extra hyphens or appended words: usps.com is real, usps-redelivery-pay.com is not
- No swapped letters: paypal.com is real, paypall.com and paypa1.com are not
- No long randomized subdomain in front: pay.cityname.gov is plausible, pay-cityname-gov.secure-portal.xyz is not
- The top-level domain matches the brand: a U.S. city won’t ask you to pay at .xyz or .top
If anything looks off, don’t tap. Type the merchant’s real URL into your browser yourself, or use the merchant’s official app from the App Store or Play Store.
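The checks in the list above can be automated, for example in a scanner app or a help-desk triage script. The sketch below is an added example, not code from the original article. The allowlist `EXPECTED`, the function names, and the naive "last two labels" domain extraction are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for illustration: domains this deployment expects.
EXPECTED = {"usps.com", "paypal.com", "cityname.gov"}
RISKY_TLDS = {"xyz", "top"}               # the TLDs the article calls out
DIGIT_SWAPS = str.maketrans("10", "lo")   # undo paypa1 -> paypal style swaps

def registrable(host):
    # Naive "last two labels"; a production check would use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return sorted warning labels for a scanned URL; empty list means no flags."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in EXPECTED:
        return []
    name, _, tld = domain.rpartition(".")
    tokens = set(re.split(r"[.-]", host))
    findings = set()
    if tld in RISKY_TLDS:
        findings.add("unusual-tld")
    for good in EXPECTED:
        brand = good.split(".")[0]
        if brand in tokens:
            # Brand name used as a word or subdomain on someone else's domain.
            findings.add("brand-on-other-domain")
        elif edit_distance(name.translate(DIGIT_SWAPS), brand) <= 1:
            # Swapped, doubled or digit-substituted letter.
            findings.add("lookalike-spelling")
    return sorted(findings)

if __name__ == "__main__":
    for u in ("https://pay.cityname.gov/meter", "https://paypa1.com/login",
              "https://pay-cityname-gov.secure-portal.xyz/pay"):
        print(u, check_url(u))
```

A domain that resembles nothing on the allowlist, such as ticket-pay-now.net, returns no flags, so an empty result means "no known brand imitated", not "safe".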
#What to Do If You Already Scanned a Malicious QR Code
Scanning a bad code is not the moment of harm by itself. The harm starts with what you do next on the page that loads. Work through this checklist in order, fastest items first.

Close the page without typing anything. Close the tab. Clear site data.
If you entered a password, change it. Change it on the real site, from a known-good device. Turn on two-factor authentication if it isn’t on. Then sign out of every existing session under that account so the attacker’s session dies along with the old password.
If you entered a card number, contact the bank. Call the number on the back of your physical card, not a number from the page you scanned. Freeze the card and dispute any charges. Most banks now let you freeze a card with one tap in the bank’s official app, and that single tap stops new charges within seconds even before you reach a human on the phone.
If you entered Apple ID or Google account details, lock the account. Sign in on a known-good device you own, change the password, sign out all other sessions, and review login history. For iPhone owners, our iPhone privacy settings checklist covers the follow-on hardening steps.
Check breach dumps. Credentials from quishing pages often appear in dumps weeks later. The guide on how to tell if your email is on the dark web gives you a regular monitoring habit.
Android: check for unwanted apps. Android allows a small set of drive-by paths from a malicious page if you tap through prompts. Go to Settings > Apps and uninstall anything you don’t recognize. Then run a Play Protect scan from inside the Play Store under your profile icon.
iPhone: watch for spyware symptoms next. A successful quishing prompt rarely installs anything on iOS, but our guide on how to detect spyware on iPhone covers the rare profile-based abuse cases worth ruling out.
On any phone: review browser permissions. Some quishing pages ask for camera or location access. Revoke anything you don’t need. Our guide on preventing cross-site tracking covers the broader Safari and Chrome hygiene settings.
#How to Report a Fake QR Code
Acting fast helps the next person walking up to that parking meter.
Tell the property owner first. Tell the restaurant manager, the city’s parking department, the building’s leasing office, or the store associate. They can pull the sticker, alert staff, and notify their own payment processor.
The FTC recommends filing a report at reportfraud.ftc.gov with the location, the URL you saw, and what data the page requested. The reports feed law-enforcement partners and inform future consumer alerts.
File with the FBI if money was lost. Submit a complaint at ic3.gov with the URL, the location of the sticker, and the amount you lost. Quishing is illegal wire fraud under federal law, and the reports help prosecutors build cases against the rings printing these stickers.
Notify your bank or card issuer. Even if no money has been taken yet, a heads-up gets the merchant code flagged for unusual activity on your card.
Reporting takes about five minutes total.
It costs you nothing, and it gives the next person a chance not to scan the same sticker.
#QR Codes Are Containers, Not Threats
QR codes are just URL containers.
The danger is whatever URL the code holds and whatever page that URL leads to. A code printed by your own bank inside its own app is identical, technically, to a sticker placed on a parking meter by a stranger overnight. The difference is who you trust.
Trust the source of the code, not the code itself.
A code on the inside of a sealed restaurant menu binder is much harder to swap than a code stuck on the outside of a public-facing sign. A code generated on demand inside your bank’s official mobile app is safer than a code printed on a letter you didn’t ask for.
#Bottom Line
Preview every QR code’s URL on the lock screen banner before you tap. Don’t enter passwords, payment details, or app store credentials into a page reached by scanning a code on a parking meter, restaurant table, package, or flyer. If a sticker looks fresh, raised at the edge, or doesn’t match the surface, peel it off and report it to the property owner and to reportfraud.ftc.gov. Type the merchant’s real URL yourself, or use the merchant’s official app.
#Frequently Asked Questions
What is quishing?
Quishing is phishing through a QR code. An attacker creates a code that points to a lookalike website, then places it somewhere a victim will scan it, such as a parking meter or a restaurant table. The site asks for a password or card number.
How can I tell if a QR code is a scam?
Look at the physical sticker first. Raised edges, fresh adhesive, slight color mismatch with the surface, and a sticker that looks newer than its surroundings are all warning signs. Then preview the URL on your phone’s lock screen before tapping. If the domain has extra hyphens, swapped letters, or an unusual top-level domain, don’t open it.
Is it safe to scan QR codes at restaurants?
Often yes, but not always. A restaurant table code is a high-traffic, lightly supervised surface that a scammer can sticker over in seconds.
Before you pay through a scanned menu code, check that the URL matches the restaurant’s brand or its named payment processor. Ask staff to confirm the payment URL if you can.
What happens if I scan a malicious QR code?
Nothing happens at the instant of scanning. The harm starts when you tap through to the page and enter information. Close the page, don’t type anything, clear site data, and restart the browser. If you already entered a password or card number, follow the recovery checklist above.
How do I preview a QR code’s link before opening it?
On iPhone, point the Camera at the code without tapping. A URL preview banner appears.
On Android, open the Camera app and hover over the code, or use Google Lens. The full URL shows as a chip you can read before tapping.
Where should I report a fake QR code sticker?
Report it to the property owner first, so they can pull the sticker. File a report with the FTC at reportfraud.ftc.gov. If money was lost, also file with the FBI at ic3.gov. If a payment was taken from a card, call your bank using the number on the back of the card.



