How QR Code Attacks Work (And How to Stay Safe)

QR codes have become ubiquitous — restaurant menus, parking meters, product packaging, event tickets. Their convenience made us trust them implicitly. But that trust is exactly what cybercriminals exploit in a growing wave of attacks called quishing (QR phishing).
What Is Quishing?
Quishing combines "QR" and "phishing." Instead of sending you a suspicious email link, attackers place malicious QR codes in the physical world or in digital documents. When scanned, these codes redirect you to convincing fake websites designed to steal your credentials, financial information, or install malware.
The FBI reported a 300% increase in QR code fraud cases between 2023 and 2025, with losses exceeding $150 million in the US alone.
5 Real-World QR Code Attack Methods
1. Parking Meter Stickers
Criminals place fake QR code stickers over legitimate payment codes on parking meters. Victims scan the code thinking they're paying for parking, but they're actually entering their credit card details on a phishing site. This attack has been documented in over 40 US cities.
2. Restaurant Menu Overlays
During the pandemic, QR menus became standard. Attackers exploit this by placing transparent stickers with malicious QR codes over restaurant table tents. The fake code leads to a site that mimics a menu but requests payment info or app installation.
3. Fake Package Delivery Notices
You receive a card in your mailbox: "We tried to deliver your package. Scan to reschedule." The QR code leads to a phishing page impersonating a delivery service, requesting your login credentials and personal details.
4. Business Email QR Codes
Attackers embed QR codes in emails because QR codes bypass most email security filters. The email might claim to be from IT support asking you to "scan to verify your account" — leading to a credential harvesting page.
5. Public Wi-Fi QR Codes
Fake "Free Wi-Fi" QR codes in airports, cafes, or hotels can redirect you to a captive portal that installs a configuration profile on your phone, enabling man-in-the-middle attacks on all your traffic.
How to Protect Yourself
- Preview before tapping: Always check the URL your phone displays after scanning. Look for misspelled domains or suspicious characters.
- Check for tampering: On physical codes, look for stickers placed over the original. Legitimate codes are usually printed directly on the surface.
- Use built-in camera: Your phone's native camera app is safer than third-party QR scanner apps, which may have fewer security protections.
- Never enter credentials: If a QR code leads to a login page, close it and navigate to the site manually through your browser.
- Avoid QR Wi-Fi codes: Instead of scanning QR codes for Wi-Fi, ask staff for the network name and password directly.
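The "preview before tapping" check above can also be automated, for example in a mail gateway or a kiosk app that decodes QR codes before a person opens them. The following is an added example, not code from the original article: the TRUSTED domains are constructed placeholders, and treating the last two host labels as the registrable domain is a simplifying assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: domains you expect a given QR code to open (assumption).
TRUSTED = {"example-parking.com", "example-delivery.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_payload(payload, trusted=TRUSTED):
    """Return a list of warnings for the text decoded from a QR code."""
    payload = payload.strip()
    if payload.upper().startswith("WIFI:"):
        return ["wifi-config payload, not a web link"]
    parts = urlsplit(payload)
    if parts.scheme.lower() not in ("http", "https"):
        return ["not an http(s) link"]
    host = parts.hostname or ""
    warnings = []
    if parts.scheme.lower() == "http":
        warnings.append("no TLS")
    if parts.username is not None:
        warnings.append("text before @ is not the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalised host (possible homoglyphs)")
    # Simplification: treat the last two labels as the registrable domain.
    domain = ".".join(host.split(".")[-2:])
    if domain not in trusted:
        for good in sorted(trusted):
            if edit_distance(domain, good) <= 2:
                warnings.append(f"lookalike of {good}")
            elif good in host:
                warnings.append(f"{good} embedded in untrusted host")
    return warnings
```

An empty list means none of these checks fired; it does not prove the destination is safe.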
FAQ
What is quishing?
Quishing is phishing via QR codes. Attackers replace legitimate QR codes with malicious ones that redirect victims to fake login pages or trigger malware downloads.
Can scanning a QR code install malware?
On most modern phones, simply scanning a QR code shows a URL preview first. However, if you tap the link, it can lead to a page that exploits browser vulnerabilities or tricks you into downloading a malicious app.
How can I tell if a QR code is safe?
Use your phone's built-in camera (not third-party apps), check the URL preview before opening, look for signs of tampering on physical QR codes, and never scan codes from untrusted sources.