
You thought you were scanning a menu.
Or paying for parking. Or checking a package notice taped to your door. A quick scan, a familiar logo, a page that loads instantly on your phone.
Nothing about it felt risky.
That’s exactly why QR code scams are spreading so quickly.
QR codes have become part of everyday life. They’re on restaurant tables, public signs, emails, mailers, and payment screens. We’re taught to treat them as shortcuts—faster than typing a URL, easier than downloading an app, safer than clicking a link.
Scammers know that.
Instead of asking you to click something suspicious, they ask you to scan something ordinary. Once you do, you can be routed to fake login pages, payment requests, or malicious sites designed to steal your information before you realize anything is wrong.
This tactic has a name: quishing.
And as QR codes continue to replace links in the real world, understanding how quishing works is essential to staying safe online.
What Is Quishing?
Quishing is a form of phishing that uses QR codes instead of clickable links to trick people into visiting malicious websites or giving up sensitive information.
The term combines QR and phishing, and it reflects a simple but dangerous shift in scam tactics: instead of asking you to click, scammers ask you to scan.
Once scanned, a fake QR code can lead to:
- Credential-harvesting login pages
- Payment requests or fake invoices
- Malware downloads
- Fake customer support portals
- Subscription traps
Because QR codes don’t show a visible URL before you scan, they remove one of the most important scam warning signs people rely on.
Common QR Code Scams to Watch Out For
While quishing attacks vary, most fall into a few predictable patterns.
1. Fake parking and payment QR codes
Scammers place stickers over legitimate parking meter QR codes. When scanned, victims are taken to fake payment pages that steal card details.
Red flag: A QR code that asks for full payment details without redirecting to a known parking or city service.
2. Restaurant menu swaps
Fraudsters replace real menu QR codes with fake ones that redirect to phishing pages or malicious downloads.
Red flag: A menu page that asks you to “sign in,” download an app, or confirm personal details.
3. Delivery and package alerts
Flyers or door tags claim you missed a delivery and instruct you to scan a QR code to reschedule.
Red flag: Vague delivery details and pressure to act quickly.
4. Fake account security warnings
QR codes claim your bank, streaming service, or email account needs verification.
Red flag: Any QR code that demands immediate action for “security reasons.”
5. Subscription traps and fake offers
Some QR codes promise discounts, refunds, or rewards but quietly enroll users in recurring charges.
Red flag: Fine print that’s hard to find, or missing entirely.
What Makes Quishing Especially Dangerous
QR scams succeed not because people are careless, but because they exploit trust and routine.
Unlike traditional phishing emails, quishing:
- Happens offline and online at the same time
- Often appears in trusted physical locations
- Feels faster and more “legit”
- Bypasses visual link inspection
Once a victim lands on a fake site, the damage can escalate quickly, from stolen credentials to drained accounts to identity theft.
How to Spot a Fake QR Code Before You Scan
You don’t need to avoid QR codes entirely, but you do need to slow down.
Check the physical context
Is the QR code taped on, scratched, or layered over another code? That’s a common tactic.
Look for branding inconsistencies
Misspellings, generic logos, or mismatched colors are red flags.
Preview the link
Most phone cameras now show the URL before opening it. Take a second to read it.
Be skeptical of urgency
Any QR code that pressures you to act immediately deserves extra scrutiny.
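What to read in the previewed URL, as an added example that is not part of the original post: a small Python check that takes the text decoded from a QR code and the domain the sign or mailer claims to belong to, and lists the warning signs in the link. The function name, the shortener list, and all sample domains are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative, non-exhaustive list of link-shortener hosts (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def triage_qr_url(payload, expected_domain):
    """List warning signs in a URL decoded from a QR code.

    An empty list means no check fired, not that the site is safe."""
    warnings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        warnings.append("no-host")
        return warnings
    # Text before "@" is userinfo; the real destination is the host after it.
    if parts.username is not None:
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    # Punycode labels can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    if host in SHORTENERS:
        warnings.append("shortener-hides-destination")
    # Match on a label boundary so a trusted name used as a prefix does not pass.
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch")
    return warnings

# Constructed sample payloads; every domain and address is a placeholder.
SAMPLES = [
    "https://pay.cityparking.example/zone/12",
    "https://cityparking.example.pay-now.test/zone/12",
    "http://203.0.113.7/pay",
    "https://cityparking.example@xn--ctyparking-abc.test/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, triage_qr_url(url, "cityparking.example"))
```

The second sample is the one most people misread on a phone: the trusted name appears at the start of the host, but the site that actually receives the request is the domain at the end.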
How to Protect Yourself From QR Scams
Step 1: Treat QR codes like links
A QR code is a shortcut to a website. Apply the same caution you would to any link.
Step 2: Avoid entering sensitive information
Legitimate services rarely ask for passwords, payment info, or personal details via QR codes.
Step 3: Use mobile security tools
Security software can help detect malicious sites and block risky downloads before damage is done.
Step 4: When in doubt, go direct
Instead of scanning, manually visit the official website or app you trust.
What to Do If You Scanned a Suspicious QR Code
If you think you interacted with a malicious QR code:
- Stop engaging with the site immediately
- Do not enter additional information
- Monitor your financial accounts for unusual activity
- Change passwords if credentials were entered
- Run a security scan on your device
- Report the incident to the business or location involved
Early action can limit long-term fallout.
Frequently Asked Questions
What is quishing in simple terms?
Quishing is phishing that uses QR codes to trick people into visiting fake or malicious websites.
Are QR codes inherently unsafe?
No, but they can be exploited. The risk comes from where they lead, not the code itself.
Can scanning a QR code install malware?
In some cases, yes, especially if it prompts a download or redirects to a malicious site.
Are QR scams increasing?
Yes. As QR codes become more common, scammers are increasingly using them to bypass traditional defenses.
The post What Is Quishing? How QR Code Scams Work and How to Avoid Them appeared first on McAfee Blog.
