Is that QR code safe to scan? How QR code phishing works
QR code phishing, called 'quishing', is a fast-growing attack vector. Unlike a link in an email, a QR code hides its destination URL entirely until you scan it, bypassing many email security filters that check for malicious links. Scammers embed QR codes in phishing emails, print stickers over legitimate codes on parking meters and menus, and share them on social media.
Common scenarios: an email claims your Microsoft 365 or banking account requires verification and includes a QR code to scan with your phone; a sticker over a restaurant's menu QR code redirects to a card-skimming payment page; a parking meter has a fake payment QR code printed on a sticker placed over the real one.
The attack is particularly effective because scanning is typically done on a mobile phone, where URLs are less visible and security software is less prevalent than on desktops.
Red flags to watch for
- A QR code in an email asking you to verify an account, confirm a payment, or complete a security check.
- A QR code on a physical sticker that appears to be placed on top of or beside an existing official notice.
- The URL that appears after scanning looks unfamiliar, has random characters, uses a URL shortener, or has a domain that isn't the company's real website.
- The page the QR code opens asks for login credentials, credit card details, or personal information.
- You were not expecting to receive a QR code from this sender or on this surface.
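The URL red flags above (unexpected domain, URL shortener, random characters) can be checked automatically once a QR code has been decoded, for example in a mail gateway or scanner app. The sketch below is an added example, not part of the original page; the shortener list, the entropy threshold, the flag names and the sample URLs are assumptions made for illustration.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Illustrative, incomplete list of public URL shorteners (an assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def _entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def _looks_random(token):
    """Rough heuristic: long, contains digits, and high character entropy."""
    return (len(token) >= 12 and any(c.isdigit() for c in token)
            and _entropy(token) > 3.5)

def _belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def qr_url_red_flags(url, expected_domains):
    """Return the red flags raised by a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if host in SHORTENERS:  # real destination stays hidden
        flags.append("url-shortener")
    if not any(_belongs_to(host, d) for d in expected_domains):
        flags.append("unexpected-domain")
        # The brand name appearing inside someone else's domain is a decoy.
        if any(d.split(".")[0] in host for d in expected_domains):
            flags.append("brand-in-foreign-host")
    tokens = host.split(".") + [p for p in parts.path.split("/") if p]
    if any(_looks_random(t) for t in tokens):
        flags.append("random-looking-token")
    return flags

# Constructed sample URLs; the .example hosts are placeholders.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2",
    "https://bit.ly/3xAmPlE",
    "http://microsoft.com.verify-account.example/x7f3k9q2zt8m1vb4",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, qr_url_red_flags(u, ["microsoft.com", "microsoftonline.com"]))
```

An empty list means none of these checks fired, not that the destination is safe; the page it opens still has to be judged against the other red flags.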
What to do
1. After scanning, always check the URL that appears before tapping to open it. If it looks unfamiliar or shortened, do not proceed.
2. For physical QR codes (parking, restaurants, menus): look for stickers placed over printed codes; these are often slightly misaligned and can be peeled off.
3. Use a QR code scanner app that shows you the full URL before opening rather than jumping directly to the page.
4. Never enter credentials or payment details on a page reached via a QR code you weren't expecting.
5. Report suspicious QR codes on parking meters or public property to the local authority or property owner.
Where to report (by country)
United States
United Kingdom
- Action Fraud
- Police Scotland: call 101
Australia
Canada
Everywhere else
- Contact your local police and your bank immediately
- If money was sent, ask your bank about a recall request, and act within hours
Common questions
Can a QR code itself install malware on my phone just by scanning?
Scanning a QR code alone does not install malware; it simply reads the encoded URL. The risk comes from what you do after the URL is revealed: visiting a malicious website and entering information, or being tricked into downloading an app from that site.
How can I tell if a parking meter QR code is fake?
Look for signs of a sticker placed over the original: raised edges, misaligned placement, or a slightly different finish. Some UK parking operators now include anti-tamper codes alongside QR codes. When in doubt, use the operator's official app or pay by phone using the number on the machine.