How does QR code phishing (quishing) work?

Attackers place malicious QR codes in public locations (parking meters, restaurant tables, posters) or send them via email and text. When scanned, the QR code directs to a fake login page that harvests credentials or initiates a payment to the attacker.

Can a QR code install malware just by scanning it?

Modern smartphones decode QR codes via the camera app and only show a URL preview. iOS 18 and Android 15 show the full URL before navigating. As long as you review the URL and don't install unknown profiles or apps, scanning alone is generally safe — the danger is in the page you land on.

How do I safely scan a QR code?

Use your phone's built-in camera app (not a third-party scanner). Preview the URL before tapping — look for misspelled domains, mismatched service names. Never download an app from a QR code. For parking payments, use the official app rather than scanning the meter code.

Phishing Awareness

📷 QR Code Phishing (Quishing): Why Scanning That Code Could Cost You

By Sophie Laurent, Cybersecurity Awareness Trainer, Trusty Password · 1 June 2026 · 7 min read · 1390 words

QR Code Phishing (Quishing): Why Scanning That Code Could Cost You

QR code phishing — quishing — grew 320% in 2026 according to the QRLJacking Threat Report. Attackers place malicious QR codes in physical locations (parking meters, restaurant tables, public notice boards) and digital channels (email attachments, PDFs, social media posts), redirecting scanners to credential harvesting pages.

Why it works: Smartphone users have been trained to scan QR codes without scrutiny. The pandemic-era shift to contactless menus and payments normalised QR code usage, but users never adopted a security mindset around scanning. A QR code hides its destination URL behind a matrix of black squares.

The Most Common Quishing Attacks

Fake Parking Payment Codes

Parking meter quishing is the fastest-growing subtype. Attackers place their own QR code sticker on top of the legitimate meter's QR code. Motorists scan and are taken to a convincing payment page that captures credit card details and registration information. Major cities including London, New York, and Sydney have reported parking quishing incidents in 2026.

Fake Restaurant Menu Codes

Attackers replace legitimate restaurant QR code tent cards with their own version. When a diner scans to view the menu, they're redirected to a page that requests phone number, email, and payment details to "confirm the reservation." The attack exploits social context — dining out creates a relaxed, trusting environment where security awareness is lowest.

Fake Package Delivery Codes

Sent via email or text: "Your parcel is ready. Scan the QR code below to confirm delivery." This combines the delivery hook from smishing with the technical novelty of QR codes. The victim scans on their phone, where the smaller screen makes URL inspection harder.

How to Scan QR Codes Safely

Use built-in camera apps — iOS and Android camera apps show the URL before navigating. Third-party scanners may not warn you
Always preview the URL — look for typosquatted domains (amaz0n.com instead of amazon.com)
Never download apps from QR codes — always use the official app store
Check for tampering — if a physical QR code looks like a sticker placed over another code, don't scan it
Use a QR scanner with security features — apps like Kaspersky QR Scanner and Avast QR Scan check URLs against known threat databases

Stay Safe with Strong Passwords →

📷 QR Code Phishing (Quishing): Why Scanning That Code Could Cost You

QR Code Phishing (Quishing): Why Scanning That Code Could Cost You

The Most Common Quishing Attacks

Fake Parking Payment Codes

Fake Restaurant Menu Codes

Fake Package Delivery Codes

How to Scan QR Codes Safely

More Password Security Tools

🔗 Recommended Security Tools

📷 QR Code Phishing (Quishing): Why Scanning That Code Could Cost You

QR Code Phishing (Quishing): Why Scanning That Code Could Cost You

The Most Common Quishing Attacks

Fake Parking Payment Codes

Fake Restaurant Menu Codes

Fake Package Delivery Codes

How to Scan QR Codes Safely

Related Articles

📧 How to Spot a Phishing Email Before You Click

💬 ChatGPT Share Links Abused in LLMShare Phishing Campaign

🔐 Which MFA Methods Actually Resist Phishing?

More Password Security Tools

🔗 Recommended Security Tools