TRUST & SAFETY

Quishing: Inside the Rise of QR Code Scams, and How to Stay Safe

The same thing that makes a QR code convenient, that you cannot see where it leads until you scan it, is exactly what scammers exploit. Here is how QR phishing works, and the simple habits that defeat it.

QR Lnkz Editorial6 min read
KEY TAKEAWAYS
  • Quishing is QR-code phishing: scammers exploit the fact that you cannot see a code’s destination until you scan it.
  • QR codes ride past email filters as images, and most people scan without checking where the link leads.
  • The core safe habit is a two-second check: read the address before you open it, and be wary of any code that arrives unexpectedly.
  • For anything to do with money, go direct: type the company’s known address or use its official app rather than scanning.

A QR code hides its destination by design. That is usually a feature: it keeps a long, ugly web address off your poster and turns it into a tidy square. But it is also the whole basis of a scam, because a link you cannot read is a link you cannot judge. The industry has a name for QR-code phishing now. It is called quishing, and it is growing fast.

The problem is serious enough that national authorities have been issuing public warnings for years.

2022
The year the FBI publicly warned that criminals were tampering with QR codes to redirect victims to malicious sites.[1]

Why does quishing work so well?

With an ordinary phishing link in an email, a careful person can hover over it, read the real address and spot that it is wrong. A QR code removes that check entirely. You point your camera at a square, and by the time you can read the address, you are already most of the way to the fraudulent page. The visual inspection that protects you from a bad link never gets a chance to happen.

That same property lets QR codes slip past defences built for text links. A code embedded in an email or a PDF is just an image, so filters that scan for dangerous URLs often miss it entirely. Attackers worked this out quickly, and the volume now moving through email is striking.

1.7 million
Unique malicious QR codes detected in email attachments over the six months to March 2025.[3]

What QR code scams are you most likely to meet?

Consumer-protection agencies describe a handful of patterns that come up again and again. Knowing the shapes makes them much easier to spot.

  • The sticker over the real code. A fraudulent code is printed and stuck on top of a legitimate one, in a car park, on a payment terminal or on a poster. Everything looks official, but the code underneath has been hijacked.
  • The unexpected delivery. A text or a card on the door says a parcel could not be delivered, with a code to reschedule. The code leads to a fake site that harvests your details or a small payment.
  • The urgent account problem. A message warns of a problem with an account and a code to fix it. Urgency is the tell: it is there to stop you thinking.
  • The code in the unexpected package. A parcel you did not order arrives with a code to identify the sender or arrange a return. Scanning it starts the fraud.
The common thread is not the code. It is the request that arrives with it: unexpected, urgent, and asking you to scan.

And the reason these work at scale is that most people simply do not check. Convenience has trained us to scan first and think later.

73%
Americans who scan QR codes without first checking where they lead, according to survey data.[4]

How can you stay safe without giving up QR codes?

You do not need to swear off scanning. You need a few small habits, and they are the same ones the FBI and consumer agencies recommend.

  1. Read the address before you open it. Most phone cameras preview the link when you scan. Pause and check the domain is the real one, and watch for lookalike spellings.
  2. Be suspicious of any code that arrives unexpectedly. A code in an out-of-the-blue text, email or package deserves no trust by default.
  3. Never enter passwords or card details on a page you reached by scanning a code, especially one you did not go looking for.
  4. For anything to do with money, go direct. Type the company’s known web address, or use its official app, rather than scanning a code to pay or to fix an account.
  5. Check physical codes for tampering. If a code looks like a sticker placed over another, or the edges are peeling, do not scan it. Ask a member of staff.

QR codes are not dangerous in themselves, any more than a link is. The risk lives in the same gap that makes them convenient, the moment between scanning and seeing. Close that gap with a two-second check, and the little square goes back to being what it was designed to be: a fast, harmless bridge to somewhere you actually meant to go.

Frequently asked questions

What is quishing?

Quishing is the industry name for QR-code phishing: a scam that exploits the fact that a QR code hides its destination by design, so a link you cannot read is a link you cannot judge. National authorities have been issuing public warnings about it for years.

Are QR codes safe to scan?

QR codes are not dangerous in themselves, any more than a link is. The risk lives in the gap between scanning and seeing, which a two-second check to read the address before you open it closes.

How do I know if a QR code is safe?

Read the address before you open it, since most phone cameras preview the link, and check the domain is the real one while watching for lookalike spellings. Be suspicious of any code that arrives unexpectedly, and check physical codes for stickers placed over them or peeling edges.

Why do QR code scams work so well?

A QR code removes the check you would do on a text link, because you cannot read the address until you are already most of the way to the page. Codes also slip past email filters as images, and survey data shows 73% of Americans scan without first checking where a code leads.

SOURCES

  1. FBI IC3, Cybercriminals Tampering with QR Codes to Steal Victim Funds (PSA, 2022)
  2. FTC Consumer Advice, Scammers hide harmful links in QR codes (2023)
  3. APWG, Phishing Activity Trends Report, Q1 2025
  4. NordVPN survey, via CNBC
  5. US Postal Inspection Service, Quishing
KEEP READING

One code you can re-point any time

Free while in beta, with no card required. Design a branded QR code, route each scan by day or time, and never reprint.

Get started free
All articlesExplore ideas