Scan the QR before you scan the QR.
Quishing — QR-code phishing — tripled in 2024. Parking meters, EV chargers, restaurant menus, and brushing packages all carry malicious codes now. Photograph the QR, upload it to Cautellus, and we'll resolve the destination before it ever touches your device.
Six places a QR code can ruin your day.
Parking-meter overlays
Scammers paste a sticker QR over the real one on parking meters and kiosks. The fake routes payment to a credential-harvesting site instead of the parking authority. Reported across San Francisco, Austin, Atlanta, and the UK.
EV charging-station QRs
Fake QR codes on EV chargers route to a fake payment page that captures your credit card without ever starting a charge. The scam hit Tesla Supercharger lots, ChargePoint kiosks, and mall stations through 2024-2026.
Restaurant menu QRs
Stickers on tabletops or in printed menus take you to a fake "online order" page that captures your card. Real restaurants almost never use QR codes that require payment outside their normal POS.
USPS brushing QR codes
You receive an unexpected package containing a QR code "to find out who sent it." The QR routes to a credential-harvesting page or installs a wallet drainer. Tied to large-scale Chinese brushing operations.
Fake event ticket QRs
Counterfeit concert, sports, or festival tickets with QR codes that look legitimate but resolve to fake gate-check pages — capturing your real ticket's barcode so the scammer can use it instead.
Invoice & "pay now" QRs
Emailed invoices and printed bills include a "scan to pay" QR that redirects to a fake banking page. The legitimate vendor never sees the money; you find out 30 days later when collections calls.
What Cautellus does to a QR before you ever tap it.
- ✓ Resolves the QR's destination URL — including through every redirect hop — without opening it on your device.
- ✓ Cross-checks the destination domain against known phishing, malware, and wallet-drainer databases.
- ✓ Detects lookalike domains (usps-track.vip, chargepoint-pay.io), including ones that abuse Unicode tricks and homoglyphs.
- ✓ Inspects whether the destination is a payment page, login form, or APK/exe download — and flags accordingly.
- ✓ Surfaces OS-specific risk: a link that's safe on iPhone may auto-install a profile on Android, or vice-versa.
Six rules that always hold.
- 01 Always preview the URL. Your camera app shows the destination before you tap — read it. If you can't see a destination, do not tap.
- 02 Match the domain to the brand. usps.com is real. usps-track.vip is not. chargepoint.com is real. chargepoint-pay.io is not.
- 03 Never enter card or login info through a QR-code destination. If a parking app needs payment, type its URL into your browser yourself.
- 04 Treat stickers as suspicious. A QR sticker pasted over another QR on a meter, kiosk, or sign is the #1 quishing pattern.
- 05 If a package shows up with a "scan to identify sender" QR, do not scan it. Report the brushing to USPIS at uspis.gov/report.
- 06 When in doubt, photograph the QR and run it through Cautellus instead of letting your camera open it.
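Rule 02 and the lookalike-domain check described earlier, sketched as an added Python example (not Cautellus's code and not part of the original page). It works on a URL string already decoded from a QR image; the OFFICIAL allowlist, the small CONFUSABLES table, and all function names are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the verified brand domains; both pairs are the ones named on this page.
OFFICIAL = {"usps": "usps.com", "chargepoint": "chargepoint.com"}

# Constructed subset of Cyrillic letters that render like Latin ones; a real
# deployment would use the full Unicode confusables data instead.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0456": "i"})

def host_of(url):
    """Hostname the browser would actually contact (userinfo, port, path dropped)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").rstrip(".").lower()

def to_unicode(host):
    """Decode xn-- (punycode) labels so checks see the characters a user sees."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:  # malformed punycode: keep the raw label
                pass
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Fold confusable letters and strip accents to get an ASCII-like skeleton."""
    folded = unicodedata.normalize("NFKD", host.translate(CONFUSABLES))
    return "".join(ch for ch in folded if not unicodedata.combining(ch))

def classify(url):
    host = host_of(url)
    if any(host == d or host.endswith("." + d) for d in OFFICIAL.values()):
        return "official"
    shown = to_unicode(host)
    skel = skeleton(shown)
    if any(brand in skel for brand in OFFICIAL):  # substring match, may over-flag
        return "lookalike-homoglyph" if skel != shown else "lookalike-combo"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample inputs, as decoded from a QR image.
    for url in ["https://www.usps.com/track", "usps-track.vip",
                "chargepoint-pay.io", "https://u\u0455p\u0455.com/pay"]:
        print(f"{classify(url):20} {url}")
```

An "unknown" verdict only means no listed brand name appears in the host; it says nothing about whether the destination is safe.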
Questions.
What is quishing?
Quishing is QR-code phishing — using a malicious QR to redirect to a credential-harvesting page, fake payment site, or malware download. Quishing reports tripled in 2024 per the APWG.
How do I check if a QR code is safe?
Photograph the QR and upload it to Cautellus instead of letting your camera open it. The scanner resolves the destination URL, follows redirects, and checks the landing page against phishing databases without opening the link on your device.
Are parking-meter QRs safe?
Most are — but scam stickers pasted over the real one are common in major US and UK cities. Safer pattern: type the parking authority URL yourself, or use the city's official app.
What is USPS brushing and how do QRs fit?
Brushing is receiving a package you didn't order. The newer variant includes a "scan to find out who sent it" QR that routes to phishing or wallet drainers. Don't scan — report at uspis.gov.
Is it free?
Your first scan is free, no account needed. Unlimited scans require Cautellus Plus at $9.99/mo after a 7-day free trial that requires a card and auto-renews unless cancelled.
Don't scan blind.
Upload any QR code — Cautellus resolves the URL before it touches your phone.