AQRHub
There's A QR code for that.™

QR code scams are rising: how to spot a fake and stay safe

QR codes are everywhere now. On parking meters, restaurant tables, flyers, and packaging. That convenience has a downside. Scammers have started using fake QR codes to steal money and personal information, and most people never think to check.

This scam even has a name: quishing (QR phishing). The FBI and FTC have both issued public warnings about it, and the numbers are climbing. A 2026 study from KeepNet Labs found that 26 percent of all malicious links are now sent through QR codes. NordVPN reports that 73 percent of Americans scan QR codes without checking where they lead, and more than 26 million have already been sent to malicious sites.

Here is how quishing works, how to spot it, and how to protect yourself and your customers.

How QR code scams work

A scammer creates a QR code that points to a fake website or a malicious download. Then they get you to scan it. The trick is that a QR code looks like random squares. You cannot read it with your eyes, so you have no idea where it leads until you have already tapped through.

The most common versions:

  • A sticker placed over a real code. Scammers print their own QR code as a sticker and put it over the legitimate one on a parking meter, a restaurant table, or a payment terminal. You scan what looks official and land on a fake payment page. New York City's transportation department has warned about exactly this on parking meters.
  • A fake code in a public place. A flyer offering a prize, a poster for a giveaway, a "scan to review us" card. The code sends you to a page that harvests your login or card details.
  • A code in an email or text. You get a message that looks like it is from your bank, a delivery service, or the IRS, asking you to scan a code to verify your account or track a package. Scammers favor this because a QR code slips past the email filters that would normally flag a suspicious link. The code leads to a convincing fake login page.
  • A code on fake packaging or a letter. Scammers mail official-looking notices, or leave them on cars, telling you to scan to pay a fine or identify a package. The FTC and USPS have both warned about unexpected packages arriving with a QR code inside.

Six ways to spot a fake QR code

You do not need to be technical to protect yourself. A few habits catch almost every scam.

  • Check for a sticker. Before you scan a code in public, look closely. If it is a sticker placed over another code, or the edges are peeling, do not scan it. Real codes are usually printed directly on the surface.
  • Preview the link before you open it. Most phone cameras show the web address at the top or bottom of the screen when you scan. Read it before you tap. If it looks off, misspelled, a random string, or not the business you expected, stop.
  • Watch for lookalike addresses. Scammers use URLs that are almost right. A missing letter, an extra word, a strange ending. If your bank is examplebank.com and the code leads to examplebank-secure-login.net, it is fake.
  • Be suspicious of urgency. Scams push you to act fast. "Your account will be locked," "pay this fine today," "claim before it expires." A legitimate business rarely forces you to scan and pay in a panic.
  • Never enter passwords or payment details from a scanned code. If a code takes you to a login or payment page you did not expect, close it. Go to the company's real website or app directly and log in there.
  • When in doubt, do not scan. If a code is in a weird spot, on an unexpected letter, or something feels wrong, trust that. Type the web address yourself instead.

What to do if you already scanned one

Scanning a code is not the dangerous part. The risk begins when you enter information on the page it opens. If you scanned something suspicious:

  • Close the page right away. Do not fill out any forms, enter passwords, or confirm any payment.
  • If you entered login details, change that password immediately on the real service, and turn on two-factor authentication.
  • If you entered card or bank information, contact your bank to flag the account and watch for unauthorized charges.
  • Report it. File with the FTC at reportfraud.ftc.gov and, if money or identity theft is involved, the FBI at ic3.gov. If the fake code was on public signage, tell the business or authority so they can remove it.

What this means for your business

If you use QR codes to reach customers, scams do not just hurt consumers. They erode trust in every code, including yours. A customer who got burned once hesitates to scan anything.

You can build that trust back with a few practices:

  • Print your codes directly on your materials, not as loose stickers, so they are harder to tamper with.
  • Add a short label like "Scan to see our menu" so people know what to expect and can tell a fake from the real thing.
  • Use a custom domain, so when someone previews the address before scanning, they see your own business name, not a random string. This alone makes your codes look trustworthy and helps them stand out from scam codes.
  • Check your printed codes periodically, especially anything in a public place, to make sure no one has covered them with a sticker.

Want customers to trust your codes?

Set up a custom domain for your QR codes so the preview shows your business name.

See plans →

Why the source of your QR code matters

Not all QR codes are equal. A code from a throwaway free tool can break, expire, or route through link shorteners that make the destination harder to verify. A dynamic QR code from a reputable provider gives you control: you own the destination, you can update it without reprinting, and a custom domain shows customers exactly where they are going.

That last part is the quiet security benefit. When your code previews as your own custom domain instead of a generic redirect, customers can see it is really you. That is the difference between a code people trust and one they hesitate over.

The bottom line

QR code scams work because codes are unreadable to the human eye and people scan without thinking. The fix is simple: slow down, preview the link, watch for stickers and urgency, and never enter sensitive details from an unexpected code. If you run a business, make your own codes easy to trust, print them cleanly, label them, and use a custom domain.

A QR code should make life easier, not riskier. A few seconds of caution keeps it that way.

Try AQRHub free. Print codes people trust, no credit card needed.

Get started free

You might also like

Security

The Hidden Security Risks of Free QR Code Generators

How To

Custom Domains for QR Codes: Why They Matter and How to Set One Up

QR Code Basics

Free vs Paid QR Code Generators: What You Actually Get

Share this post

Share on Facebook Share on LinkedIn Share on X