QR Code Scams (Quishing) 2026: How They Work and How to Stay Safe

QR Code Scams: The Tiny Square That's Stealing Thousands

A woman in the UK scanned a QR code at a parking lot. She thought she was paying for two hours. She ended up losing the equivalent of $16,000.

The code took her to a fake payment site that stole her card information. When her bank flagged the charges and blocked them, the scammers called her pretending to be the bank. They convinced her to open a new account, and the theft continued from there.

A man in Texas scanned a parking meter QR code and was charged $1.98. Seemed normal. Then $49.99 hit his credit card the next month. And the month after that. And the month after that. The company behind the charges wouldn't answer calls or emails. He had to cancel his card to stop the bleeding — $152 in fraudulent subscriptions from a two-dollar parking payment.

These aren't edge cases. This is where QR code scams are in 2026: polished, layered, and targeting the most mundane moments of your day. The official term is "quishing" — a mashup of QR and phishing — and according to McAfee's 2026 State of the Scamiverse report, Americans now spend 114 hours a year just trying to figure out what's real and what's fake online. QR codes are making that number worse.

Why QR Codes Are the Perfect Scam Vehicle

A QR code is just a quick doorway to a website, payment page, or app. That's handy when it's legit, and sketchy as hell when it isn't. Scammers love QR codes because you can't see the destination until after you scan, which means the usual "does this URL look cursed?" warning light gets skipped entirely.

Here's how the scam usually works: you get a text, email, flyer, mailer, or poster with a QR code, and it nudges you to scan right now because something is "urgent," "unpaid," or "at risk." Once you scan, the code can send you to a fake login page, a bogus payment portal, a malware download, or a support scam designed to make you hand over credentials or money. The gross little trick is that scammers often copy the look of a real business or agency so the page feels trustworthy. They also slap fake QR stickers over real ones in places like parking meters, menus, and posters — which is why "it looked official" is not a defense. It's part of the scam.

With a phishing email, you might notice that "bankofamerica-secure-verify.com" isn't the real Bank of America. You can hover over the link, squint at it, decide it looks off. With a QR code, you're completely blind until your phone loads the page. By then, you've already committed — your brain has shifted from "should I scan this" to "what does this page want from me," and the scammer has you on their turf.

McAfee found that 68% of Americans scanned a QR code in the past three months. Of those, 18% landed on a suspicious or unsafe page. And more than half of those people took risky actions — entering personal information, downloading an app, or connecting a digital wallet. Run that math and roughly one in ten Americans who scanned a QR code recently ended up doing something dangerous because of it.

The BBB's executive director for Metro New York put it bluntly: "We went from phishing to smishing to now quishing." Each evolution removes another layer of visible warning signs. Emails had suspicious links you could inspect. Texts had weird sender numbers you could question. QR codes have nothing — just a harmless-looking square. It's the same pattern playing out across every major scam category in 2026: scammers strip away the parts you used to be able to inspect.

Every Place They're Hiding Right Now

The reason quishing is growing faster than other scam types is that QR codes are physically everywhere, and scammers can place fake ones with nothing more than a printer, a sheet of sticker paper, and five minutes of unsupervised access.

Quick Glance: Where QR Code Scams Show Up

Parking meters and parking lots. This is the most reported variant and it's a masterpiece of simplicity. A scammer prints a sticker with a fake QR code and places it on or near a parking meter. When you scan it, the code leads to a fake payment page that collects your credit card number and often your license plate. You don't get proof of parking. Your car might get ticketed or towed for non-payment. And your card gets hit with recurring charges you never agreed to.

How to spot it: the fake code is usually on a sticker placed over the real one. Look for misaligned edges, different paper texture, peeling corners, or stickers that don't match the meter's design. Real city parking codes are typically printed directly on the meter or on official signage with consistent branding. If the QR code looks like it was slapped on by a raccoon with a printer, it probably was — functionally speaking.

Restaurant menus. Scammers replace real menu QR codes with fake ones that redirect to phishing pages or trigger malicious downloads. The red flag is any "menu" page that asks you to sign in, create an account, download an app, or confirm personal details. A real menu just shows you food. If the bruschetta requires a login, something has gone wrong.

Package delivery notices. You come home to a tag on your door or a slip in your mailbox saying you missed a delivery. There's a QR code to "reschedule." The page has vague delivery details — no tracking number, no carrier name, no package description — and pressure to act quickly because the package will be returned. Real carriers let you track through their official app. They don't need you to panic-scan a code from a flyer.

If your "package problem" can only be solved by scanning a code from a random notice, it's not logistics. It's phishing in a brown box.

Fake parking tickets. Scammers create realistic-looking parking violation notices and place them on windshields. The ticket includes a QR code to "pay your fine." The design is convincing enough that most people scan and pay without questioning it, especially if they're already stressed about a possible ticket. One version circulating in major cities even uses the correct city seal and a real-looking ticket number.

Utility bills and government compliance notices. The BBB received reports from business owners who got letters about "Corporate Transparency Act" reporting obligations that included a QR code leading to a fake government website. Utility scam versions claim your power or water service will be shut off unless you scan and pay immediately.

Here's the thing about real government correspondence: it tells you to verify through a known agency website or published phone number. It does not embed a mystery square that panic-sprints you into entering your credit card. Nothing says "government" like a flyer trying to panic-sprint you into scanning a mystery square — and that's exactly how you know it isn't.

Social media and email. QR codes in emails, DMs, and social media ads are harder to verify because you can't check for physical tampering. These often promise discounts, refunds, or rewards but quietly enroll you in recurring charges or harvest your login credentials. If you receive a QR code you didn't expect — even from someone you know — treat it like the suspicious link it is.

Cryptocurrency investment scams. QR codes direct victims to digital wallets where their money disappears into the blockchain. Romance scammers use them to guide victims through "investments" that are actually just transfers to the scammer's wallet. The BBB warns that because crypto transactions are conducted entirely online and are effectively irreversible, QR codes have become the preferred delivery mechanism.

How to Tell Real From Fake

The difference between a legitimate QR code and a scam is almost always physical — and almost always visible if you actually look.

Fake vs Real: Quick-Glance Checklist

A real QR code at a parking meter is printed directly on the meter or on official signage that matches the city's branding. The URL it opens matches the city's parking website or a known parking app. There's no urgency language. There's usually a web address printed alongside it so you can type it manually if you prefer.

A fake QR code is on a sticker. The sticker might be placed over the real code or next to it. The edges might be misaligned or peeling. The URL it opens is something like "parking-pay-verify.com" or "city-parking-portal.top" — plausible enough at a glance but not the actual city website. It often includes urgency language: "PAY NOW" or "SCAN TO AVOID FINE."

Same logic applies everywhere. Real restaurant menu codes open the restaurant's website. Fake ones open pages that ask for logins. Real delivery notices include specific tracking numbers. Fake ones are vague and urgent. Real government correspondence provides a .gov website and a phone number. Fake ones provide a QR code and a deadline.

What to Do Before You Scan Anything

Check for physical tampering. Two seconds of looking at a QR code before scanning it eliminates the most common attack vector. Stickers, overlays, misaligned codes, and different paper textures are all visible if you bother to look. Most people don't bother. That's the gap scammers exploit.

Preview the URL your phone shows you. When your phone scans a QR code, it displays the URL before opening it. Actually read it. If the domain is "parking-pay-verify.com" instead of your city's actual parking website, don't tap. If it's a shortened URL that hides the destination, don't open it. That URL preview is your last line of defense.

Use official apps instead of scanning. For parking, use the official city parking app or pay at the meter with your card. For restaurants, ask for a physical menu or search the restaurant's website directly. For packages, track through the carrier's official app. Skipping the QR code entirely eliminates the risk entirely. The most effective security measure is the one that removes the attack surface altogether.

Paste the URL into a scam checker before entering anything. If you've already scanned and the page is asking for payment info or login credentials, copy the URL from your browser bar and check it first. A domain registered three days ago pretending to be your city's parking authority will get flagged instantly.

Check any URL from a QR code at ScamSecurityCheck.com →

Pay with credit cards, never debit cards or payment apps. If you do fall for a fake QR payment page, a credit card gives you chargeback rights. A debit card pulls directly from your bank account with much weaker fraud protection. Zelle, Venmo, and Cash App offer essentially zero protection for scam payments.

What to Do If You Already Scanned One

If you scanned a QR code and entered personal or financial information on the page it opened, the clock is running.

Call your credit card company right now and tell them you entered your card on a fraudulent website. They'll cancel the card number, issue a new one, and begin reversing unauthorized charges. If you used a debit card, call your bank — the process is the same but slower, and your money may be temporarily gone during the investigation.

If you entered your card details on a suspicious page, read our guide on what to do after entering your credit card on a fake site for the full step-by-step recovery checklist.

Change passwords for any accounts you logged into through the QR code's destination page. If you used the same password anywhere else, change those too.

Run an antivirus scan on your phone if the QR code prompted you to download anything or if you noticed any unusual app installation.

Check your credit card and bank statements daily for the next 30 days. Small test charges ($1 to $5) often precede larger fraudulent purchases. If you see anything unfamiliar, report it immediately.

Report the scam. File with the FTC at reportfraud.ftc.gov and with the BBB's Scam Tracker at bbb.org/scamtracker. If it was a physical QR code in a public place, contact the business or city parking authority so they can remove it before the next person scans it.

The Bottom Line

QR codes aren't going away. They're too convenient, too embedded in how we pay, order, and navigate daily life. But that convenience is exactly what scammers are counting on — the split second where you scan without thinking because you've scanned a thousand codes before and nothing bad happened.

The safer habits are simple: don't scan QR codes from random texts, emails, or mailers unless you were already expecting them. Check for sticker tampering on signs, posters, and parking meters. If the scan opens a login or payment page, stop and verify the web address before entering anything. And treat urgency like a red flag, because scammers practically marinate in it.

The pause is free. The URL preview takes two seconds. The scan at ScamSecurityCheck takes five. Getting scammed takes months to undo.

Pause. Verify. Then scan nothing you wouldn't hand to a raccoon.

Sources: McAfee 2026 State of the Scamiverse Report, BBB Scam Tracker, BBB Metro New York, FTC Consumer Alerts, Guardio Research, NBC New York, The Independent