Are QR Codes Safe? How to Spot 'Quishing' (QR Phishing) Scams
QR codes are convenient, but scammers know that too. Learn how quishing attacks work, where fraudulent codes commonly appear, and how to protect yourself when scanning.
The Dark Side of QR Convenience
QR codes have a trust problem—or rather, people trust them too much.
When you see a QR code on official-looking signage, your instinct is to scan first and think later. That's exactly what scammers are counting on. Unlike a suspicious email link where you can hover to see the URL, a QR code hides its destination until after you've scanned.
This has given rise to "quishing"—QR code phishing—and it's becoming alarmingly common.
What Is Quishing?
Quishing combines QR codes with traditional phishing tactics. The attacker creates a malicious QR code that, when scanned, directs victims to a fake website designed to steal credentials, install malware, or trick them into providing sensitive information.
The attack works because:
- QR codes are opaque—you can't tell where they lead by looking at them
- People associate QR codes with legitimate businesses
- Scanning feels low-risk compared to clicking email links
- Mobile browsers often show truncated URLs, making fake sites harder to identify
A well-executed quishing attack replaces a legitimate QR code with a malicious one, or places fraudulent codes in locations where people expect to find real ones.
Where Quishing Attacks Happen
Scammers are creative, but certain locations and scenarios see more quishing attempts than others:
Parking meters and payment terminals. Attackers place stickers with fake QR codes over legitimate payment codes. You think you're paying for parking; you're actually entering your credit card on a scam site.
Restaurant tables. During the pandemic QR menu boom, some restaurants reported fraudulent code stickers appearing on their tables. Guests scanned what they thought was the restaurant's menu and landed on phishing pages or malware download prompts.
Public notices and flyers. A flyer for a "free community event" with a QR code to register might actually harvest personal information. Bulletin boards in laundromats, libraries, and community centers are easy targets.
Emails pretending to be legitimate services. Banks, shipping companies, and government agencies don't typically send QR codes via email, but phishing emails do: a URL hidden inside an image slips past filters that only scan the links in the message text, and it pushes you onto a phone, where the address bar is small and you're less likely to be protected by your employer's web security. "Scan to verify your account" is a red flag.
Social media posts. Scammers share QR codes promising free giveaways, exclusive content, or prize redemptions. The codes lead to credential theft pages or app install prompts.
Compromised legitimate materials. Sometimes attackers target the source. If a small business uses a printed flyer template they downloaded from a sketchy site, that "template" might already contain a malicious code.
How to Protect Yourself
The good news: a few simple habits dramatically reduce your risk.
1. Preview the URL Before Opening
Most smartphone cameras and QR scanning apps show you the URL before navigating to it. On iPhone, the link appears at the top of the screen. On Android, you'll see a preview notification.
Always check:
- Does the domain look legitimate? (paypal.com vs paypa1-secure.com; note that the real site is the part just before the first slash, so paypal.com.secure-login.example is not PayPal)
- Is it using HTTPS? (a padlock only means the connection is encrypted; phishing sites routinely have valid certificates too)
- Does the URL structure make sense for what you're expecting?
If anything looks off—random strings of characters, misspelled brand names, unusual domain extensions—don't open it.
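The checks above can be written down as a small triage routine. This is an added example for this article, not Snapkit's code, and it assumes the camera or scanner app has already decoded the QR code to a string (the function name triage_qr_payload, the confusables list and the sample payloads are all constructed here). It flags the tricks the list mentions (digit-for-letter lookalikes, a brand name buried in an unrelated domain, plain http) plus a few a practitioner also looks for: userinfo before an @ sign that hides the real host, raw IP addresses, punycode labels, and payloads that are not web links at all but actions such as joining a Wi-Fi network.

```python
"""Triage a decoded QR payload before tapping through to it.

Added example for this article, not Snapkit's code. It assumes the scanner
has already decoded the QR code to a string; every check is a heuristic a
person could also do by eye, not a lookup in a reputation service.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Substitutions seen in lookalike domains (constructed list; extend as needed).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Payload prefixes that trigger an action (join Wi-Fi, draft an SMS, open an
# app) rather than load a web page. Scanner apps act on these with one tap.
ACTION_SCHEMES = ("wifi:", "sms:", "smsto:", "tel:", "mailto:", "intent:", "market:", "geo:")

_RANK = {"ok": 0, "warn": 1, "block": 2}


def _fold(label: str) -> str:
    """Map lookalike digits and letter pairs back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def _registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Return {'verdict': 'ok'|'warn'|'block', 'host': str|None, 'findings': [str]}.

    expected_domain is the registrable domain the signage or context led you to
    expect (e.g. 'paypal.com' on a PayPal-branded sign); None if you have no expectation.
    """
    findings = []
    verdict = "ok"

    def note(severity: str, msg: str) -> None:
        nonlocal verdict
        findings.append(msg)
        if _RANK[severity] > _RANK[verdict]:
            verdict = severity

    text = payload.strip()
    if text.lower().startswith(ACTION_SCHEMES):
        note("warn", "non-web action payload (%s): confirm what it will do before accepting" % text.split(":", 1)[0])
        return {"verdict": verdict, "host": None, "findings": findings}

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        note("block", "unexpected scheme '%s'" % (scheme or "none"))
        return {"verdict": verdict, "host": None, "findings": findings}
    if scheme == "http":
        note("warn", "plain http: the page and anything you type travel unencrypted")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        note("block", "URL has no host")
        return {"verdict": verdict, "host": None, "findings": findings}
    if parts.username is not None:
        note("block", "text before '@' is userinfo, not the site; the real host is %s" % host)
    try:
        ipaddress.ip_address(host)
        note("block", "raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        note("warn", "punycode label: may render as a lookalike of a familiar name")
    if len(text) > 120:
        note("warn", "very long URL; a mobile address bar will truncate it")

    if expected_domain:
        expected = _registrable(expected_domain.lower())
        brand = expected.split(".")[0]
        if host == expected or host.endswith("." + expected):
            pass  # genuinely under the expected domain
        elif _fold(_registrable(host)) == expected:
            note("block", "lookalike of %s (digit/letter substitution)" % expected)
        elif brand in _fold(host):
            note("block", "'%s' appears inside an unrelated domain (%s)" % (brand, _registrable(host)))
        else:
            note("block", "host %s is not under the expected domain %s" % (host, expected))

    return {"verdict": verdict, "host": host, "findings": findings}


if __name__ == "__main__":
    # Constructed payloads mirroring the article's examples; none are real sites.
    samples = [
        ("https://www.paypal.com/signin", "paypal.com"),
        ("https://paypa1-secure.com/login", "paypal.com"),
        ("https://paypal.com@evil.example/pay", "paypal.com"),
        ("http://192.0.2.10/parking", None),
        ("WIFI:T:WPA;S:FreeCafe;P:hunter2;;", None),
    ]
    for payload, expect in samples:
        result = triage_qr_payload(payload, expect)
        print(result["verdict"].upper(), payload, "->", "; ".join(result["findings"]) or "no findings")
```

The registrable-domain helper deliberately stops at two labels; for a real deployment you would substitute a public-suffix list so that co.uk-style domains are handled correctly, and you would add a reputation lookup on top of these purely local heuristics.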
2. Be Skeptical of Physical Stickers
Legitimate businesses usually print QR codes directly on their materials, not as stickers placed on top. If a code looks like it's been added after the fact—especially on parking meters, payment terminals, or restaurant tables—be suspicious.
Look for:
- Edges that don't align with the surface
- Different paper or material quality
- Codes placed over what might be another code underneath
- Signs of tampering or recent application
When in doubt, ask staff if the code is legitimate or find another way to access the service.
3. Don't Scan Codes from Unsolicited Sources
Random flyers, social media posts from accounts you don't know, and emails you weren't expecting are high-risk sources. The more unexpected the QR code, the more cautiously you should treat it.
Ask yourself: why is there a QR code here? If you can't come up with a reasonable answer, don't scan.
4. Use Your Browser's Security Features
If you do scan a code and land on a page asking for personal information, payment details, or login credentials, your browser may help you spot problems:
- Check for the padlock icon (HTTPS), remembering that it only proves the connection is encrypted, not that the site is who it claims to be
- Look at the full URL in the address bar
- Be wary of pop-ups or download prompts
- If your browser warns you about an unsafe site, trust it
Modern browsers are pretty good at flagging known phishing domains. Don't ignore their warnings.
5. Keep Your Phone Updated
Security updates patch vulnerabilities that malicious sites might exploit. A fully updated phone is far less likely to be compromised simply by visiting a malicious page.
This won't stop credential phishing (where you manually enter information), and it won't stop a page from talking you into sideloading an app or installing a configuration profile, but it reduces the risk of automated exploits.
What to Do If You Think You've Been Scammed
If you scanned a suspicious code and entered information or downloaded something:
For credential theft:
- Change passwords immediately for any accounts you entered credentials for
- Enable two-factor authentication if you haven't already
- Monitor your accounts for unauthorized activity
- Consider a credit freeze if you provided financial information
For malware downloads:
- Delete any apps you don't recognize that were recently installed, and remove any configuration profile (iOS) or device-administrator or accessibility-service grant (Android) you didn't set up yourself
- Run a security scan if your phone supports it
- In severe cases, factory reset may be necessary
- Watch for unusual battery drain, data usage, or behavior
Report it:
- Report the scam to local authorities if you lost money
- File a complaint with the FTC (in the US) or equivalent agency
- Alert the business whose brand was impersonated
- If you found a physical sticker, report it to the property owner
QR Codes Aren't Inherently Dangerous
Here's the important caveat: QR codes themselves are just data storage, usually a short piece of text. They don't contain viruses, can't hack your phone by themselves, and don't do anything until you act on the information they contain. That information isn't always a web address, though: a code can also encode a Wi-Fi network and password, a phone number, a pre-written text message, or a contact card, and scanner apps offer to act on those with a single tap. Treat those prompts with the same care as a link.
The risk is in what you do after scanning—visiting the URL, entering information, downloading files. A healthy skepticism about what you're being asked to do protects you regardless of whether the request came from a QR code, an email, or a person on the phone.
Creating and using QR codes for your own purposes (linking to your website, sharing Wi-Fi credentials, putting a code on your business card) is safe. The codes you generate carry no hidden risk as long as the destination stays under your control; a code that points at a short link or a dynamic-redirect service is only as trustworthy as that service.
The threat comes from codes created by others with malicious intent. Stay alert, preview before you click, and trust your instincts when something feels off.
The Bottom Line
QR codes are tools. Like any tool, they can be used helpfully or harmfully. The convenience that makes them useful for legitimate purposes also makes them attractive for scammers.
Be a skeptical scanner. Check URLs before navigating. Question codes in unexpected places. These habits take seconds and can save you from significant headaches.
When you're ready to create QR codes for your own use—codes you control, linking to destinations you trust—Snapkit makes it simple and free. Just make sure the people scanning your codes know they can trust them.
Ready to create your QR code?
Try Snapkit's free QR code generator - no signup required.