QR Code Security: How to Avoid Quishing Scams in 2026

QR codes are woven into daily life. You scan them at restaurants, parking meters, conference badges, product packaging, and bus stops. By 2026, an estimated 100 million Americans will scan a QR code at least once a month. But with that ubiquity comes a question that more people are starting to ask: are QR codes actually safe?

The short answer: QR codes themselves are neutral. They are a way to encode information -- usually a URL. The risk is not in the code. It is in where the code sends you, and whether you can tell the difference between a legitimate destination and a malicious one before it is too late.

This guide covers what you need to know about QR code security, the rise of "quishing" attacks, how to protect yourself and your business, regulatory considerations, and what the future of QR code security looks like.

What Is Quishing?

Quishing — a portmanteau of "QR" and "phishing" — is a social engineering attack where a malicious actor uses a QR code to redirect victims to a fraudulent website. The goal is the same as traditional phishing: steal credentials, install malware, or trick someone into making a payment to the wrong account.

What makes quishing particularly effective is that QR codes are opaque. Unlike a URL in an email (where you can at least hover to see the destination), a QR code reveals nothing about where it leads until after you scan it. And by the time your phone opens a browser, you are already on the attacker's page.

Why quishing is growing

Several factors are driving the rise of quishing:

• Trust conditioning: The pandemic normalized QR code scanning. People stopped questioning what they were scanning.
• Email filter bypass: Traditional phishing links get caught by spam filters. A QR code embedded in a PDF or image attachment bypasses text-based URL scanning entirely.
• Low cost, high reach: Printing a sticker with a malicious QR code and slapping it on a parking meter costs nearly nothing.
• Mobile vulnerability: Phones have smaller screens, making it harder to inspect URLs. Many mobile browsers truncate long URLs, hiding suspicious domains.
• Hybrid work environments: With employees moving between offices, co-working spaces, and remote setups, the number of unfamiliar QR codes they encounter daily has surged.
• QR codes in print media: Attackers now place malicious QR codes in fake flyers, counterfeit coupons, and even fake official correspondence, exploiting the trust people place in physical documents.

How quishing differs from traditional phishing

While the end goal is the same, quishing introduces several tactical advantages for attackers that traditional email phishing does not offer:

This asymmetry is why quishing is growing faster than almost any other phishing variant. It exploits a gap between how security tools are designed (to inspect text and links) and how QR codes deliver payloads (as images).

Real-World Quishing Attacks: Case Studies

These are not hypothetical scenarios. They have happened, and they keep happening. Understanding how real attacks unfold helps you recognize the patterns.

Parking meter scams across three continents

In cities across the US, UK, and Europe, criminals have placed fake QR code stickers on parking meters and pay stations. When drivers scan to pay, they are redirected to a convincing fake payment page that captures their credit card details. San Antonio, Austin, and Houston all reported widespread parking meter QR scams. In the UK, similar attacks targeted council car parks across multiple cities. By late 2025, variations appeared in Australia and Singapore, targeting both public parking and toll collection systems.

The attack is devastatingly simple: a criminal prints a QR code sticker linking to a phishing page styled to look like the local parking authority's payment portal, then places it directly over the legitimate code. Drivers, in a hurry to park, scan without a second thought.

Fake restaurant menus

Since restaurants widely adopted QR code menus during COVID, attackers have exploited the pattern. A sticker placed over a legitimate QR code on a table redirects diners to a phishing page that mimics the restaurant's ordering system — but skims payment data in the process. In some cases, the fake menu even works as a functional menu, forwarding orders to the real system while silently capturing credit card numbers. This "transparent proxy" approach means neither the diner nor the restaurant notices anything wrong until fraudulent charges appear days later.

If your business uses QR codes for menus, auditing your physical codes regularly is not optional — it is essential.

Microsoft 365 credential harvesting campaigns

In 2023 and 2024, security researchers documented a wave of quishing campaigns targeting corporate employees. Attackers sent emails impersonating IT departments, complete with company logos and formatting, containing a QR code with a message like "Scan to re-authenticate your Microsoft 365 account." The QR code led to a pixel-perfect replica of the Microsoft login page. Multiple organizations reported compromised accounts, and in at least one documented case, an attacker gained access to a company's SharePoint environment containing sensitive client data.

What made these attacks especially dangerous was that they targeted the device employees trust most — their personal phones — which sit outside the corporate security perimeter. Corporate email filters on the desktop caught nothing because the payload was an image, not a link.

Crypto and payment fraud

Scammers place QR codes at Bitcoin ATMs or share them in social media messages, claiming they link to a payment portal. Scanning the code initiates a transaction to the attacker's wallet. Once crypto is sent, it is gone. The FTC reported that consumers lost over $80 million to QR code payment scams in a single year, with crypto-related fraud making up a significant portion.

EV charging station attacks

A newer variant targets electric vehicle charging stations. Fake QR code stickers placed over legitimate payment codes redirect drivers to fraudulent payment portals. This was reported across several European countries in 2025, with the UK's National Cyber Security Centre issuing a specific advisory about the threat. The attack works particularly well because EV drivers are already accustomed to scanning codes at unfamiliar charging stations.

Supply chain QR code tampering

In a sophisticated 2025 attack documented by a European logistics firm, criminals intercepted product packaging during transit and replaced legitimate QR codes — used for warranty registration and product authentication — with codes redirecting to credential-harvesting sites. Customers who scanned to register their new product unknowingly submitted names, addresses, email accounts, and in some cases payment details to a criminal operation. The breach was not discovered for three months.

How to Spot a Malicious QR Code: 7 Warning Signs

Not every QR code is dangerous, but developing a habit of caution will protect you. Here are seven signs that something might be off.

URL Preview Features: Your Phone's Built-in Defense

One of the most effective defenses against quishing is a feature already built into your phone. Both iOS and Android now offer URL preview functionality when scanning QR codes with the native camera app.

How URL previews work

When you point your phone's camera at a QR code, the operating system decodes the QR data and displays a preview banner showing the destination URL before you navigate to it. This gives you a chance to inspect the domain, check for suspicious patterns, and decide whether to proceed.

On iOS (iPhone): The Camera app shows a yellow notification banner at the top of the screen displaying the URL. You must tap the banner to navigate — the phone does not automatically open the link. Starting with iOS 17, Apple added enhanced URL inspection that highlights the domain portion of the URL more prominently.

On Android: The behavior varies by manufacturer, but Google's camera app (and most third-party camera apps) show a floating chip or banner with the URL and a "Open" button. Newer Android versions include Google Safe Browsing integration that checks URLs against a known-phishing database in real time.

Limitations of URL previews

URL previews are helpful but not foolproof. They cannot protect you if:

• The displayed domain looks legitimate but is a lookalike (e.g., microsoft-verify.com vs microsoft.com)
• The QR code uses a legitimate URL shortener (like bit.ly) that masks the final destination
• The landing page appears safe initially but redirects after a delay

This is why URL previews should be one layer of defense, not your only one.

How Businesses Can Protect Their Customers

If you generate QR codes for your business, you have a responsibility to make them trustworthy. Your customers' security is directly tied to your brand reputation.

Use a trusted QR code generator

Not all generators are equal. Some free tools inject tracking pixels, redirect through ad networks, or use domains that get flagged by security software. Use a generator that provides clean, direct links with transparent redirect behavior. Learn more about choosing a reliable QR code generator.

Use dynamic QR codes

Dynamic QR codes give you control after printing. If your destination URL changes, gets compromised, or needs to be updated, you can change where the code points without reprinting. This is also crucial for incident response — if a landing page is compromised, you can redirect the QR code to a safe page within minutes rather than waiting to reprint physical materials.

Brand your QR codes

A well-designed, branded QR code is harder to counterfeit. When customers recognize your brand's visual style in the QR code itself (colors, logo, corner styles), a generic black-and-white sticker placed over it becomes immediately suspicious. This visual differentiation is your first line of defense against physical code replacement.

Add context around every code

Never place a QR code without explaining what it does. "Scan to view our menu" or "Scan to pay for parking — powered by [Company Name]" gives users the information they need to judge legitimacy. Context is what separates a trustworthy QR code from a suspicious one.

Monitor scan analytics

With dynamic QR codes, you can track scan patterns. A sudden spike in scans from an unexpected location might indicate that someone has copied your code or replaced it with a malicious one. Set up alerts for anomalous scan behavior — it could be the earliest indicator of a quishing attack targeting your brand.

Conduct regular physical audits

If you have QR codes in public spaces (storefronts, posters, parking areas), check them periodically. Look for stickers placed over your codes, and test them yourself to ensure they still lead to the correct destination. For high-traffic locations, consider weekly audits.

What to Do If Your Business QR Codes Get Spoofed

Discovering that someone has placed counterfeit QR codes over yours — or is distributing fake codes using your branding — requires an immediate, structured response.

Enterprise QR Code Security: Building a Corporate Policy

For organizations deploying QR codes at scale — across offices, events, retail locations, or marketing campaigns — ad hoc security measures are not enough. You need a formal QR code security policy.

Key elements of a QR code security policy

QR code security for events and conferences

Events and conferences present unique QR code security challenges. Attendees scan dozens of codes throughout the day — for check-in, session schedules, networking, and sponsor booths. This high-trust, high-volume scanning environment is attractive to attackers.

Best practices for event QR security:

• Print all QR codes directly on official event materials. Never use loose stickers that could be replaced.
• Use a single, recognizable branded QR code style across all event touchpoints.
• Include the destination URL in plain text next to the QR code so attendees can verify where it leads.
• Brief event staff on how to spot tampered codes and what to report.
• Monitor scan analytics in real time during the event for unusual patterns.

QR Code Tamper Detection: Physical Security Measures

Beyond digital safeguards, physical tamper detection can prevent or reveal QR code replacement attacks.

Tamper-evident materials

Print QR codes on materials that show visible damage when someone attempts to peel or cover them. Tamper-evident labels with holographic elements, fragile substrates that shred when removed, or void-pattern adhesives all make it obvious when a code has been interfered with.

Embedded verification elements

Include secondary verification alongside your QR code — a short URL printed in plain text, a unique code number, or a branded holographic sticker next to the QR code. This gives users a second way to verify legitimacy that an attacker would need to replicate.

Strategic placement

Place QR codes in locations that are visible to staff or security cameras. Codes in isolated, unmonitored areas are easier targets for replacement. In retail environments, position QR codes behind glass or in display cases where physical access is limited.

Regular rotation and versioning

For long-running deployments, consider rotating your QR codes periodically. Using dynamic codes makes this seamless — you can update the destination URL on a schedule without changing the physical code. Some organizations add version identifiers (a small printed date or version number next to the QR code) so staff can quickly verify during audits that the code has not been swapped for an older or unauthorized version.

Regulatory Compliance: GDPR, Data Collection, and QR Codes

QR codes that collect or process personal data are subject to data protection regulations. If your QR code leads to a form that captures names, emails, payment information, or any other personal data, you are a data controller under GDPR (in the EU) and similar frameworks elsewhere.

GDPR considerations for QR code deployments

• Transparency: Users must be informed about what data will be collected before they provide it. A QR code that leads to a data collection form must include clear privacy notices on the landing page.
• Lawful basis: You need a valid legal basis for collecting data via QR code interactions — typically consent or legitimate interest. Consent must be freely given, specific, informed, and unambiguous.
• Data minimization: Collect only the data you actually need. A QR code for viewing a restaurant menu should not require users to enter their email address.
• Right to erasure: If users submit data via a QR code form, they retain the right to request deletion of that data.
• Cross-border transfers: If your QR code redirects users to a server outside the EU, appropriate data transfer safeguards must be in place.

Data collection transparency

Even outside the EU, responsible QR code usage means being transparent about data collection. If your QR code tracks scan locations, device types, or timestamps, disclose this. If your dynamic QR code service collects analytics on scan behavior, ensure your privacy policy covers this. Users should never be surprised by what data a QR code interaction generates.

For a deeper look at how WiFi QR codes handle network credentials securely, see our dedicated guide.

Security Features of QR-Verse

Security is not an afterthought at QR-Verse. It is built into the product from the ground up.

What to Do If You Scanned a Suspicious QR Code

If you think you may have scanned a malicious QR code, act quickly. The first minutes matter.

The Future of QR Code Security

QR code security is evolving alongside the threats. Here is what is on the horizon — and what will change how we interact with QR codes.

Regulatory pressure intensifies

The EU's Digital Services Act and upcoming revisions to the ePrivacy Regulation are pushing for greater transparency in how QR codes handle user data. Businesses that generate QR codes may soon need to comply with stricter disclosure requirements about redirect destinations and data collection practices. In the US, the FTC has signaled increased attention to QR code fraud in its consumer protection agenda, and several states are considering legislation specifically addressing QR code scams in public infrastructure.

Secure QR code standards

Industry groups are working on standards for "signed" QR codes — codes that include a cryptographic signature verifying the creator's identity. Think of it as HTTPS certificates for QR codes. While this is still in the standards-development phase, it could fundamentally change how trust works in QR-based interactions. The FIDO Alliance and several payment industry groups are active contributors to these standardization efforts.

Built-in phone protections

Both Apple and Google have been improving their camera apps' QR scanning capabilities. iOS now shows a URL preview before opening a link, and Android is following suit with Safe Browsing integration. Future iterations will likely include real-time URL reputation checks — comparing the scanned destination against known phishing databases before the page loads — as well as visual indicators distinguishing verified from unverified QR code sources.

AI-powered threat detection

Security companies are deploying machine learning models that analyze QR code destinations in real time, checking for phishing indicators like recently registered domains, suspicious redirect chains, and pages that mimic known brands. These systems are getting better at detecting sophisticated attacks that use legitimate-looking domains and convincing page designs. This kind of automated protection will increasingly be built into both scanning apps and enterprise security platforms.

Blockchain-verified QR codes

Some projects are exploring using blockchain to create an immutable registry of legitimate QR codes. When a QR code is generated and registered on-chain, scanners can verify its authenticity against the registry. While still experimental, this approach could provide a decentralized trust layer for high-value use cases like payments, identity verification, and supply chain tracking.

The practical adoption timeline for blockchain-verified QR codes remains uncertain, but early pilots in pharmaceutical supply chains and luxury goods authentication suggest the concept has legs in industries where counterfeiting carries high stakes.

Frequently Asked Questions

The Bottom Line

QR codes are as safe as the intentions behind them. The technology is neutral — it is a bridge between the physical and digital worlds. The question is not whether QR codes are safe. It is whether you know how to use them safely, and whether the businesses deploying them are doing so responsibly.

For consumers, the key is awareness: check URLs before interacting, be wary of codes in unexpected places, use your phone's built-in URL preview, and never enter sensitive information on a page you reached via an unfamiliar QR code. Treat QR codes with the same caution you would apply to clicking links in emails.

For businesses, the key is responsibility: use trusted generators, brand your codes, provide context, monitor for tampering, and have an incident response plan ready. Your customers' trust is on the line every time they scan one of your codes. If you need help getting started, visit our Help Center or browse the FAQ.

Security is not a feature you bolt on later. It is a foundation you build from the start.