That QR Code Might Be a Trap
Fake QR codes are showing up on parking meters, restaurant tables, and in your inbox. Here's how quishing works and how to avoid it.
A few weeks ago I was about to pay for parking in Reykjavík. There was a QR code sticker on the meter — scan to pay, nice and convenient. But something was off. The sticker was slightly crooked, placed on top of what looked like another sticker underneath.
I peeled the corner. Sure enough: a legit QR code from the parking company was hiding under a fake one that someone had stuck on top.
If I'd scanned the fake code without thinking, I'd have been taken to a convincing payment page that would have harvested my card details. This is happening everywhere, and most people have no idea.
Quishing Is Exploding
"Quishing" — QR code phishing — has gone from a niche curiosity to a mainstream attack vector. The mechanics are simple: replace a legitimate QR code with a malicious one, or put a QR code somewhere people trust it, and wait for someone to scan.
What makes it effective is that QR codes are essentially invisible URLs. You can't look at a QR code and tell where it goes. With a regular phishing link in an email, you can at least hover over it and see a suspicious domain. With a QR code, you're trusting a pattern of black and white squares.
And we've been trained to trust them. The pandemic accelerated QR adoption massively — restaurant menus, event tickets, vaccine passes, payment systems. Scanning a QR code feels routine and safe. Attackers know this.
Where Fake QR Codes Show Up
The physical world attacks are the most devious because people don't expect phishing outside their inbox.
Parking Meters and Payment Kiosks
This is the most common one I've seen. Attackers place stickers over legitimate QR codes on parking meters. You scan, you land on a page that looks exactly like the real parking app's payment screen, you enter your card number. They get your payment details, you get a parking ticket because you never actually paid.
Cities across Europe and North America have reported this. Some municipalities have switched back to traditional payment methods because of it.
Restaurant Menus
Many restaurants still use QR code menus since COVID. Attackers swap out the table tent or slap a sticker over the existing code. You scan expecting a menu and get redirected to a phishing page — sometimes one that asks for your email or payment info under the guise of "placing a mobile order."
Package Deliveries
Fake delivery notices with QR codes left on your door or in your mailbox. "We missed you! Scan to reschedule delivery." The code leads to a page requesting personal information.
Flyers and Posters
Free Wi-Fi QR codes posted in coffee shops, airports, or co-working spaces. A Wi-Fi QR code encodes a network name and password, so scanning it joins you to whatever network the attacker set up. From there you can be sent to a credential-harvesting page or prompted to install a "VPN profile" or configuration profile that routes your traffic through the attacker's server, where they can read or rewrite it.
Email and Documents
This one's sneaky. Attackers embed QR codes in email bodies or PDF attachments. Why? Because email security filters are good at detecting malicious URLs in text and in HTML links, but a filter that does not render and decode images never sees the URL inside a QR code. Several email security vendors have added QR decoding since the technique became common, but coverage is uneven, and an image-only QR still slips past any filter that only inspects text.
I've seen these disguised as corporate security alerts ("Scan to verify your account"), HR documents ("Scan to view your benefits"), and even fake multi-factor authentication setup flows.
Business Cards and Networking Events
Fake business cards left at conferences with QR codes that link to malware downloads instead of LinkedIn profiles. Low volume, but highly targeted.
Why QR Phishing Works So Well
Regular phishing has natural friction. You see a URL, you might notice it's misspelled. Your email client might flag it. Your browser might warn you.
QR codes remove almost all of those checkpoints:
Weak URL preview. Nothing on the printed code tells you where it leads. Your phone does show the decoded URL before opening it, but only briefly and in small type, and most people tap it without reading.
Bypasses email security. QR codes in emails look like images to automated scanners. The malicious URL is encoded in the image, not in the email text, so any filter that does not decode QR images in transit never evaluates it.
Crosses the digital-physical boundary. We've been trained to spot phishing in digital contexts — suspicious emails, weird links. But a QR code on a physical object at a legitimate location? That feels trustworthy. Our guard is down.
Social context does the convincing. A QR code on a parking meter is convincing because you're standing in front of a parking meter. A QR code in a restaurant is convincing because you're in a restaurant. The physical environment provides the social engineering.
Easy to deploy at scale. Printing stickers costs almost nothing. An attacker can cover dozens of parking meters in a city in one night. No need to compromise email servers or build elaborate digital infrastructure.
How to Protect Yourself
1. Check Before You Scan
Before scanning any QR code in a physical location, look at it. Is it a sticker placed over something else? Does it look like it belongs there, or was it added after the fact? Is the material and print quality consistent with the rest of the signage?
This takes two seconds and catches most physical QR attacks. The attackers rely on speed — they want you to scan without looking.
2. Preview the URL Before Tapping
Both iOS and Android show you the URL a QR code points to before you navigate. On iPhone, the Camera app displays the link in a yellow banner that you tap to open. On Android, the camera app or Google Lens shows it as a tappable chip or notification.
Read it before you tap. Check that the domain makes sense. If you're paying for parking and the URL goes to parking-pay-now.xyz instead of the official parking company's domain, don't tap it.
Watch for lookalike domains: paybyphone-secure.com instead of paybyphone.com, or q-park-payment.info instead of q-park.com. Attackers register domains that look plausible at a quick glance. Two tricks the preview can't help you with: a URL shortener (bit.ly and similar), which hides the real destination behind a redirect, and a trusted name buried in the wrong place, as in paybyphone.com.evil.example, where the site you actually reach is evil.example. The domain that matters is the part just before the first slash, read from the right.
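As an added example, not code from the original post, here is the check the phone's preview leaves to you, written out in Python. It classifies the decoded QR payload, and for URLs it extracts the real host, flags the lookalike patterns named above, and catches a few the eye misses: a username before an @ sign, a raw IP address, a punycode label, a shortener. The operator allowlist, the shortener list and the sample payloads are constructed for illustration; the Wi-Fi payload reflects the free Wi-Fi case from the earlier section, since a QR code can carry things other than a URL.

```python
"""Triage a decoded QR payload before tapping it.

Added example, not from the original post. TRUSTED_DOMAINS, SHORTENERS and
SAMPLE_PAYLOADS are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the operators you expect at the meter in front of you.
TRUSTED_DOMAINS = ("paybyphone.com", "q-park.com")

# Shorteners hide the destination behind a redirect, so the previewed URL
# says nothing about where you will land.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Non-URL payloads: the phone proposes an action other than opening a page.
ACTION_NOTES = {
    "wifi": "joins a Wi-Fi network; an attacker-run access point sees and can rewrite your traffic",
    "contact": "opens a dialer, SMS or mail composer; premium numbers and prefilled text are the risk",
    "vcard": "offers to save a contact; harmless unless you then call or message it",
    "other": "unrecognised payload; read it in full before doing anything with it",
}


def classify_payload(payload: str) -> str:
    """Return what kind of action the phone would propose for this payload."""
    p = payload.strip().lower()
    if p.startswith(("http://", "https://")):
        return "url"
    if p.startswith("wifi:"):
        return "wifi"
    if p.startswith(("tel:", "sms:", "smsto:", "mailto:")):
        return "contact"
    if p.startswith(("begin:vcard", "mecard:")):
        return "vcard"
    return "other"


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_trusted(host: str) -> bool:
    # Exact match or a true subdomain; "paybyphone.com.evil.example" fails both.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _lookalike_of(host: str):
    # Brand name embedded in an untrusted host, hyphens and dots ignored, so
    # paybyphone-secure.com, q-park-payment.info and paybyphone.com.evil.example all match.
    flat = host.replace("-", "").replace(".", "")
    for d in TRUSTED_DOMAINS:
        if d.split(".")[0].replace("-", "") in flat:
            return d
    return None


def triage_url(url: str) -> dict:
    """Extract the real host and list every reason not to tap."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not HTTPS")
    if parts.username is not None:
        findings.append("text before '@' is a username, the real host is " + host)
    if _is_ip(host):
        findings.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, possible homoglyph lookalike")
    if host in SHORTENERS:
        findings.append("URL shortener, real destination hidden behind a redirect")
    trusted = _is_trusted(host)
    if not trusted:
        lookalike = _lookalike_of(host)
        findings.append(f"lookalike of {lookalike}" if lookalike else "not an expected operator domain")
    verdict = "ok" if trusted and not findings else "block"
    return {"kind": "url", "host": host, "trusted": trusted, "findings": findings, "verdict": verdict}


def triage(payload: str) -> dict:
    """Dispatch on payload type; only URLs get the domain checks."""
    kind = classify_payload(payload)
    if kind == "url":
        return triage_url(payload)
    return {"kind": kind, "host": None, "trusted": False,
            "findings": [ACTION_NOTES[kind]], "verdict": "manual"}


# Constructed sample payloads, one per pattern discussed in the text.
SAMPLE_PAYLOADS = [
    "https://www.paybyphone.com/pay?loc=12345",    # expected operator link
    "https://paybyphone-secure.com/pay",            # lookalike domain
    "https://q-park-payment.info/pay",              # lookalike domain
    "http://paybyphone.com.evil.example/login",     # trusted name as a subdomain of the attacker's domain
    "https://paybyphone.com@evil.example/pay",      # userinfo trick: the host is evil.example
    "https://bit.ly/3xAmpl3",                       # shortener
    "https://192.0.2.10/pay",                       # raw IP (TEST-NET-1 address)
    "WIFI:T:WPA;S:Free Airport WiFi;P:welcome1;;",  # joins a network, not a web page
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = triage(p)
        print(f"{r['verdict']:6} {p}\n       " + "; ".join(r["findings"]))
```

The allowlist is the point: the question at a parking meter is not "is this domain bad?" but "is this the operator I expect?", and anything that fails that test is blocked regardless of how plausible it looks. The lookalike check deliberately ignores hyphens and dots so that the brand name turning up anywhere in an untrusted host is reported, which is exactly the pattern in the domains the text lists.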
3. Use the Official App Instead
If a QR code is meant to take you to a payment service or a specific app, skip the QR code entirely. Open the app directly from your phone. Most parking apps let you enter a location code manually. Most restaurant ordering apps let you search by name.
This is the single most effective defense: don't let QR codes be your entry point to anything involving money or credentials.
4. Never Enter Credentials After Scanning
If a QR code lands you on a page that asks for a login, stop. Legitimate services almost never use QR codes to send you to a login page. They use QR codes for linking to menus, making payments within an app you're already logged into, or sharing contact info. The one common exception runs the other way: a website shows a QR code that you scan from an app you're already logged into, and even then you never type a password after scanning.
If you need to log in, navigate to the site directly through your browser or the official app.
5. Be Extra Suspicious of QR Codes in Emails
If you receive an email with a QR code, treat it with the same suspicion you'd give a suspicious link. Actually, treat it with more suspicion — legitimate companies rarely send QR codes in emails. There's no reason to; they can just include a regular link.
If the email claims to be from your bank, your employer, or a service you use, go directly to their website or app. Don't scan the code.
6. Watch for HTTPS
After scanning, check the URL in your browser. The site should use HTTPS (you'll see the lock icon), and if it doesn't, close it; no legitimate payment page runs over plain HTTP today. But don't read the lock as approval. Certificates are free and automated, so nearly every phishing site has one. HTTPS tells you the connection is encrypted, not who is on the other end.
7. Use a QR Scanner That Shows URL Details
Your phone's built-in camera works fine for scanning, and it shows you the URL before opening. Some third-party QR scanner apps do extra validation — checking the domain against known phishing databases. This is a nice bonus, but reading the URL yourself is more reliable than any automated check.
What Your Phone Already Does
Modern smartphones have some built-in protections:
- iOS Safari and Chrome check URLs against Google's Safe Browsing database. If the site is known to be malicious, you'll get a warning.
- Android shows the URL before navigating and flags known bad sites.
- Both platforms sandbox the browser, so opening a malicious QR code's link doesn't by itself compromise your phone. Barring a browser exploit, which is rare and far more expensive than a sticker, you'd need to enter information, install something, or accept a prompt.
The danger isn't the scan itself. It's what you do after the scan. A QR code holds data, not code: a URL, Wi-Fi settings, a contact card, a phone number. The phone decodes it and proposes an action, and that action is where the risk lives (despite what some breathless news articles claim about codes that infect on sight). The risk is that you willingly hand over information to a fake site, join an attacker's network, or install something they prepared.
If You Already Scanned a Suspicious QR Code
If you only scanned and saw a weird page but didn't enter anything — close it and move on. Clear your browser history for that tab if you want to be thorough, but you're likely fine.
If you entered payment information — contact your bank immediately and request a card freeze or replacement. Monitor transactions for the next few weeks. If the attacker got your card details, they typically start with small test charges before going bigger.
If you entered login credentials — change the password on that account right now, directly through the official site. Enable two-factor authentication if you haven't. Check for any suspicious activity on the account — connected sessions, forwarding rules, authorized apps.
If you downloaded and installed something, that's more serious. On Android, run a Play Protect scan and uninstall any app you don't recognize; on iPhone, remove any configuration or VPN profile you accepted (Settings > General > VPN & Device Management) along with the app that came with it. Consider the device compromised until you've confirmed otherwise, and change passwords from a different device.
The Bigger Problem
QR code phishing highlights a fundamental tension in security: convenience and security pull in opposite directions.
QR codes are convenient. They replaced apps, menus, paper tickets, and payment terminals with a simple scan. But that convenience came at the cost of visibility. We traded readable URLs for opaque squares, and we traded digital caution for physical trust.
This isn't going away. QR codes are too embedded in daily life to disappear. The answer isn't to stop scanning — it's to scan the way you click links. With a moment of thought, a glance at the URL, and a healthy dose of skepticism.
The same instinct that makes you hover over a link before clicking should kick in when you point your camera at a QR code. Build that habit now, because attackers are betting you won't.
Quick Reference
| Situation | What to Do |
|---|---|
| QR code on parking meter or kiosk | Check for stickers on top of stickers; use the official app directly |
| QR code in email or PDF | Don't scan it; go to the site directly |
| QR code at restaurant or cafe | Scan but read the URL before tapping; verify the domain |
| QR code asks for login after scanning | Stop — navigate to the service directly instead |
| QR code on random flyer or poster | Treat like a stranger handing you a USB drive — skip it |
| You entered info on a suspicious site | Freeze cards, change passwords, enable 2FA immediately |