Security · June 7, 2026 · 6 min read

QR Code Security: What to Scan, What to Avoid, and How to Stay Safe

Quishing attacks surged 280% between 2024 and 2026. Here is how to recognize a malicious QR code, how to verify a legitimate one, and the simple habits that keep your phone and your data safe.

QR Codes Are Everywhere — And So Are the Attacks

Five years ago, scanning a QR code was an afterthought. Today, QR codes are how we pay for parking, board flights, access restaurant menus, join Wi-Fi networks, and authenticate to bank accounts. That ubiquity has made them irresistible to attackers. The FBI, the UK National Cyber Security Centre, and dozens of national CERTs have all issued warnings about "quishing" — phishing attacks delivered via QR codes — in the past 18 months. According to one industry report, quishing incidents grew 280% between 2024 and the first quarter of 2026.

The attack is effective precisely because QR codes are designed to be convenient: you point your camera, you trust the result, you move on. The bad actors exploit that trust. The good news: the defenses are simple, and the habits are easy to build.

How Quishing Actually Works

A typical attack flow: a sticker with a malicious QR code is placed over a legitimate one (on a parking meter, a restaurant menu board, an email flyer). The victim scans, expecting to be taken to a payment page or a menu. Instead, they land on a clone of a login screen — a bank, a Gmail login, a Microsoft 365 portal. They enter their credentials, the attacker harvests them in real time, and the victim is redirected to the real site, none the wiser.

Variants include QR codes that directly trigger a payment (in regions where mobile payments are deeply integrated), codes that download a malicious APK, and codes that add a contact record to your phone with a phone number owned by the attacker (used for subsequent vishing).

The First Defense: Read Before You Click

Modern iOS and Android camera apps no longer auto-open QR codes. They preview the URL first and wait for the user to tap. This is your single most important line of defense. Train yourself to actually read the preview before tapping. The single biggest red flag is a URL that does not match the context: a "parking meter" QR code that points to a domain other than the city's or the operator's own domain is the most common scam pattern.

The Second Defense: Look at the Physical QR Code

Sticker-over attacks have a tell. If the QR code looks like it has been stuck over another one, if it is on a surface that is normally smooth and is now slightly raised, or if it is significantly newer than the rest of the surface — be skeptical. In restaurants, ask staff for a paper menu instead. In parking lots, use the official operator's app rather than scanning the meter.

The Third Defense: Use a Dedicated QR Scanner With Warnings

The default camera app on modern phones is conservative — it will not open a URL without user confirmation. Some third-party QR scanner apps are less safe. If you scan QR codes often (for work, for inventory, for event check-in), prefer a scanner that integrates with a known URL reputation service and will warn you about newly registered domains or known phishing hosts.

The Fourth Defense: Never Log In From a QR Code

No legitimate service will ask you to scan a QR code in order to log in to that same service. Banks, email providers, social networks — they all use the QR code to authenticate a device, not to authenticate a user. If a "login screen" appeared after a QR scan, it is fake. Close the tab, open the app directly, and verify the message you were supposedly sent.

The Fifth Defense: Check the URL Structure

Attackers use several tricks to make malicious URLs look legitimate:

  • Lookalike domains: micros0ft-login.com instead of microsoft.com. The zero replaces the "o".
  • Subdomain spoofing: login.microsoft.com.attacker.com — the actual domain is attacker.com, but the prefix tricks the eye.
  • Punycode tricks: Using Cyrillic or other Unicode characters that look like Latin letters. Your browser may render the lookalike characters in the address bar, but the underlying domain (registered in its encoded "xn--" form) is a different domain altogether.
  • URL shorteners: bit.ly/xxxxxx and t.co/xxxxxx can hide the destination. A preview tool (built into most scanners) reveals it before you tap.
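The following is an added example, not code from the original article, showing how a scanner preview could apply the checks described above (lookalike domains, subdomain spoofing, punycode, shorteners), the context check from the First Defense (does the real domain match the operator you expected?), and the non-URL variants from the "How Quishing Actually Works" section (contact records, Wi-Fi joins, APK downloads). The brand list, shortener list, two-level TLD list and homoglyph table are small constructed samples; a real scanner would back them with a URL reputation service and a full public-suffix list. The sample vCard and all phone numbers and domains are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data for the demo (assumption: a real scanner would use a
# reputation service and a complete public-suffix list instead of these lists).
BRANDS = ("microsoft", "google", "gmail", "paypal", "amazon")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "co.nz"}
# Digit-for-letter swaps commonly seen in lookalike domains (constructed table)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed vCard payload: a QR code that silently adds an attacker-controlled
# number as "Bank Security Team" (fictional 555 number).
SAMPLE_VCARD = ("BEGIN:VCARD\nVERSION:3.0\nFN:Bank Security Team\n"
                "TEL;TYPE=CELL:+1 555 0100\nEND:VCARD")


def registrable_domain(host):
    """'login.microsoft.com.attacker.com' -> 'attacker.com'; 'a.bank.co.uk' -> 'bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_qr_url(url, expected_domain=None):
    """Return a list of warnings for a web URL decoded from a QR code (empty = none found)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return [f"not a web URL (scheme {parts.scheme!r}); do not open"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("plain http: page is not protected by TLS")
    domain = registrable_domain(host)
    prefix = host[: -len(domain)].rstrip(".")   # everything left of the real domain
    sld = domain.split(".")[0]                   # the label the eye actually reads

    # Context check: the real domain must be the operator's domain, not just contain it
    if expected_domain and domain != registrable_domain(expected_domain):
        warnings.append(f"real domain is {domain}, expected {expected_domain}")
    # Punycode / non-ASCII hostnames can carry lookalike characters from another script
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append("punycode or non-ASCII hostname: lookalike characters possible")
    # Shorteners hide the destination until it is expanded
    if domain in SHORTENERS:
        warnings.append(f"URL shortener {domain}: expand it to see the real destination")
    # Subdomain spoofing: a brand name sits in front of an unrelated real domain
    for brand in BRANDS:
        if brand in prefix.split(".") and brand != sld:
            warnings.append(f"subdomain spoofing: '{brand}' appears in front of the real domain {domain}")
    # Lookalike or embedded brand inside the registrable domain itself
    normalized = sld.translate(HOMOGLYPHS)
    for brand in BRANDS:
        if sld != brand and brand in normalized:
            kind = "embedded" if brand in sld else "lookalike (digits swapped for letters)"
            warnings.append(f"{kind} brand '{brand}' in domain {domain}")
    # A direct .apk download is an app install, never a menu or a parking payment
    if parts.path.lower().endswith(".apk"):
        warnings.append("link downloads an .apk: app install, not a web page")
    return warnings


def triage_qr_payload(payload, expected_domain=None):
    """Classify a decoded QR payload the way a careful preview should, before any tap.

    Returns (what the code does, verdict, notes) with verdict in ok / warn / confirm / block."""
    p = payload.strip()
    upper = p.upper()
    if upper.startswith(("HTTP://", "HTTPS://")):
        notes = analyze_qr_url(p, expected_domain)
        return ("web link", "warn" if notes else "ok", notes)
    if upper.startswith("WIFI:"):
        return ("join Wi-Fi network", "confirm",
                ["joins a network that can observe or redirect your traffic"])
    if upper.startswith(("BEGIN:VCARD", "MECARD:")):
        # Pull every TEL value out of vCard (TEL;TYPE=...:num) or MECARD (TEL:num;) syntax
        numbers = re.findall(r"\bTEL[^:\r\n]*:\s*([+\d][\d ().-]*)", p, flags=re.I)
        return ("add contact", "confirm",
                [f"adds phone number {n.strip()} to your contacts; later calls from it "
                 f"will look trusted" for n in numbers])
    if upper.startswith(("TEL:", "SMS:", "SMSTO:", "MAILTO:")):
        return ("start call/message", "confirm", [f"initiates contact with {p.split(':', 1)[1]}"])
    return ("unknown payload", "block", ["unrecognised content; do not act on it"])


if __name__ == "__main__":
    for sample in ("https://login.microsoft.com.attacker.com/",
                   "http://micros0ft-login.com/",
                   "https://bit.ly/abc123",
                   SAMPLE_VCARD):
        print(triage_qr_payload(sample))
    print(triage_qr_payload("https://pay.cityparking.example/meter/42",
                            expected_domain="cityparking.example"))
```

The `expected_domain` argument is what turns the preview into the context check the article asks for: a parking operator's app knows its own domain, so anything else on a meter is flagged even when no other trick is visible. The brand-matching heuristics are deliberately simple and will produce false positives on unrelated domains that happen to contain a brand string; in a real scanner they are a prompt for the user to look again, not a verdict.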

Safe Scenarios: When QR Codes Are Trustworthy

Not all QR codes are dangerous. Trusted contexts include QR codes printed on official event badges you are wearing, on boarding passes generated by airlines you booked with directly, on packaging of products you just purchased, and on payment screens you initiated from your banking app. The pattern: the QR code is presented in a context where the source is already known and trusted.

Unsafe Scenarios: When to Walk Away

Skip scanning when the code is on an unsolicited flyer, on a sticker covering another code, on a public surface in a high-traffic area (parking meters, EV chargers, public transit), or in an email from an unknown sender. The "convenience" is not worth the risk.

What to Do If You Scanned a Bad QR Code

  1. Disconnect: If you entered any credentials, change the password for that account immediately from a different device.
  2. Enable 2FA: If you did not already have two-factor authentication on the affected account, enable it now — this is the single most effective control against credential theft.
  3. Check device permissions: If the malicious page asked for notifications, location, camera, or contacts access, revoke those in your phone settings.
  4. Watch for follow-on attacks: After a credential leak, expect a wave of vishing calls or smishing messages pretending to be from the affected service's "security team". Verify any such contact by hanging up and calling the official number yourself.
  5. Report it: In the US, report to the FTC at reportfraud.ftc.gov. In the UK, report to Action Fraud. In other regions, your national CERT is the right point of contact.

The Takeaway

QR codes are a genuinely useful technology, and we are not going back to typing long URLs on tiny phone keyboards. The price of that convenience is a small amount of vigilance. Read the URL preview every time, never log in from a scanned code, and trust your instincts when something feels off. A two-second pause before tapping a link is the cheapest insurance policy in cybersecurity.
