Imagine scanning a QR code on a parking meter to pay for your spot โ€” and unknowingly handing your bank details to a scammer. This is exactly what thousands of people are experiencing in 2026 through a new attack method called QR code phishing (also known as "quishing").

๐Ÿ“Š Key stat: Microsoft reported a 146% increase in QR code phishing attacks between January and March 2026. It is now the fastest-growing phishing method globally.

What is QR Code Phishing?

QR code phishing is when a scammer hides a malicious link inside a QR code. When you scan it with your phone, instead of going to a legitimate website, you're taken to a fake login page designed to steal your password, credit card number, or other sensitive information.

The dangerous part: your eyes cannot see the URL hidden inside a QR code before scanning it โ€” unlike a normal link where you can hover and check the address.

Where Are These Fake QR Codes Being Placed?

  • Parking meters โ€” Scammers stick fake QR stickers over the real ones
  • Restaurant menus โ€” Fake "scan to order" codes
  • Package delivery notices โ€” "Scan to reschedule your delivery"
  • Emails and PDFs โ€” QR codes embedded in fake invoices, HR documents
  • WhatsApp and SMS โ€” "Scan this code to verify your account"
Advertisement

How to Protect Yourself from QR Phishing

1. Preview the URL before opening

Most modern phones show a URL preview when you hover over a QR code โ€” do not tap "Open" immediately. Read the URL first. If it looks suspicious (random characters, unknown domain, misspelled brand name), do not proceed.

2. Check the domain carefully

Legitimate brands like SBI, Amazon, or PayPal will always use their actual domain (sbi.co.in, amazon.in). Be suspicious of anything like sbi-verify-kyc.xyz or amazn-pay.com.

3. Do not scan QR codes from strangers

If someone sends you a QR code via WhatsApp, SMS, or email unexpectedly โ€” especially asking you to "verify your account" or "claim a prize" โ€” treat it as suspicious. Real companies rarely ask you to scan QR codes for account verification.

4. Check physical QR codes for tampering

If scanning a QR code in a physical location (restaurant, parking, shop), look for signs of tampering โ€” a sticker placed over the original code is a red flag.

โš ๏ธ Remember: The padlock (HTTPS) on a website does NOT mean it is safe. Phishing sites can and do use HTTPS. Always verify the domain name carefully.

What to Do if You Already Scanned a Suspicious QR Code

  1. Do NOT enter any information on the page that opened
  2. Close the browser immediately
  3. If you entered a password, change it immediately from a different device
  4. If you entered banking details, contact your bank right away
  5. Report the QR code to the platform (WhatsApp, email provider, etc.)

Received a suspicious link from a QR code?

Paste the URL into our free scanner to check if it's a phishing site โ€” no signup needed.

๐Ÿ” Check the URL Now โ€” Free

Final Thoughts

QR codes are genuinely useful, but the same feature that makes them convenient โ€” hiding the destination URL inside an image โ€” also makes them a perfect tool for phishers. The solution is not to stop scanning QR codes, but to slow down for two seconds and preview the URL before you open it.

Stay skeptical of unexpected QR codes, especially ones asking for login credentials or payment information. When in doubt, go directly to the official website by typing the address manually in your browser.