QR code phishing — also called quishing — tricks you into scanning a code that opens a fake login page, installs malware, or initiates an unauthorized payment. Because phones open links instantly, victims have less time to spot a suspicious URL.
Where QR Phishing Appears in 2026
- Parking meters and pay stations with stickers covering the official code
- USPS and delivery notices claiming a package needs a fee
- Restaurant table tents replacing legitimate menu QR codes
- QR codes in emails and PDF attachments, scanned with a phone because the link cannot be clicked directly in the mail client
- Event flyers and crypto giveaways promising free tokens
- Public Wi-Fi setup signs in coffee shops and airports
QR Code Scam Red Flags
- Codes on stickers placed over an existing label
- URLs that do not match the expected company domain after scanning
- Pages asking for banking passwords, Social Security numbers, or card CVVs
- Urgent language: “account suspended,” “pay customs fee today”
- Requests to install an unknown app or profile on your phone
- Codes received unexpectedly by email or text from strangers
What to Do If You Already Scanned a Code
- Do not enter credentials — close the browser tab immediately if the page looks wrong.
- If you logged in, change that password now from the official app or website (typed manually).
- Enable two-factor authentication on email, banking, and social accounts.
- Run a malware scan if you downloaded a file or installed a profile.
- Monitor bank and credit accounts for 30–90 days.
- Report the phishing URL to the FTC and your carrier if the code arrived by text.
How to Scan QR Codes Safely
- Preview the URL before opening — iOS and Android show the destination first.
- Prefer typing official website addresses for banking and government services.
- Peel back stickers on parking meters; use the city’s official payment app.
- Never scan codes from unsolicited emails — go directly to the vendor site.
- Keep phone software updated to patch browser vulnerabilities.
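The domain-mismatch red flag and the "preview the URL" step above can be automated, for example in a help-desk or kiosk-audit script. The Python below is an added example, not part of the original page: it checks a decoded QR payload against the domain you expect. The function name `check_qr_url`, the placeholder domain `parking.example.gov` and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_qr_url(payload: str, expected_domain: str) -> list:
    """Return warnings for a decoded QR payload; an empty list means no flag was raised."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        user = parts.username
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme!r})"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("connection is not HTTPS")
    if user is not None:
        # In https://brand.example@other.example/ the real host is other.example.
        warnings.append("text before '@' is not the site address")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalized host name (possible lookalike characters)")
    expected = expected_domain.lower().rstrip(".")
    # Match on a label boundary so evilparking.example.gov does not pass.
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return warnings


# Constructed sample payloads (not from the page); parking.example.gov is a placeholder.
SAMPLES = [
    "https://pay.parking.example.gov/zone/12",
    "https://parking.example.gov.pay-now.example/login",
    "https://parking.example.gov@203.0.113.7/pay",
    "https://evilparking.example.gov/pay",
    "WIFI:S:CafeGuest;T:WPA;P:constructed;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample, "parking.example.gov") or "ok")
```

An empty result only means the host matches the domain you supplied; it says nothing about whether that domain itself is the right one.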
Frequently Asked Questions
Can a QR code hack my phone without me doing anything?
Simply scanning opens a link — it does not silently root your device. Risk escalates when you enter passwords or install untrusted apps.
Is quishing the same as smishing?
Smishing uses text links; quishing uses QR codes. Both lead to credential theft. Many campaigns combine both.
Should I report fake QR stickers in public?
Yes — notify the venue, parking authority, or postal inspector. Photos help investigators track fraud rings.
