QR codes are everywhere — from public spaces to product packaging — and their popularity is only increasing. Between 2022 and 2023, they were scanned nearly 27 million times worldwide, with usage projected to have risen another 22% by 2025. But the convenience they offer also comes with risk.
The simplicity that makes QR codes ideal for legitimate businesses is just as appealing to scammers. While they may look harmless, these pixelated squares can direct you to malicious websites designed to steal your personal information or infect your device.
What is a QR code scam?
QR code scams — commonly known as “quishing” (a combination of “QR code” and “phishing”) or barcode scams — use fraudulent QR codes to trick users into visiting malicious websites or downloading harmful content. The end goal is usually to steal personal information, install malware, or carry out financial fraud.
Because QR codes offer quick, effortless access to information, they’re easily exploited by scammers as a social engineering tool. A single scan can lead to compromised accounts, financial losses, or identity theft, so learning how to recognize fake or suspicious QR codes is essential for protecting your data and devices.
Legitimate vs. hijacked QR codes
Legitimate QR codes connect you to safe, intended destinations, like official websites, digital menus, or verified apps. Hijacked QR codes, on the other hand, are fake or tampered codes crafted by scammers, which masquerade as legitimate codes but redirect you to malicious websites, steal your personal information, or secretly install malware on your device.
How QR code scams work
QR scams work by disguising malicious links behind seemingly harmless QR codes, which scammers can generate quickly using free online tools. When scanned by a smartphone camera, these codes can redirect victims to fake websites, download malware on the scanning device, or open spoofed payment portals — all without revealing any obvious red flags at first glance.
Scammers plant these QR codes in places where people are likely to scan them, including emails, text messages, posters, menus, and even public transport ads. Once scanned, the code may lead the victim to a spoofed website that mimics a legitimate service, tricking them into entering their password, payment details, or other sensitive information.
This gives the scammer information they can use to take over online accounts, commit fraud, or steal the victim’s identity.


Why is quishing harder to spot than regular phishing?
Quishing is especially hard to detect compared to traditional phishing methods because QR codes conceal the destination URL. Unlike phishing emails that may contain suspicious links or language, a malicious QR code looks identical to a legitimate one. This lack of visual cues makes it nearly impossible to assess risk at a glance, allowing harmful links to slip undetected past both users and many spam filters.
These scams also often appear in trusted environments such as on menus, posters, or payment kiosks, where people tend to scan without hesitation. This combination of visual obscurity and familiar settings makes quishing an especially deceptive and effective tactic.
What can happen if you scan a fake QR code
Scanning a malicious QR code can trigger serious consequences, often without any immediate signs of danger. Here are a few potential outcomes:
- You’re sent to a fake website: QR codes can take you to cleverly designed copies of legitimate sites where scammers collect any data you provide, using forms to capture your personal information under false pretenses to use in identity theft.
- Your financial information is compromised: After scanning, you might be asked to enter payment details for a special offer or to verify your account, only for those details to be stolen and used fraudulently.
- Your online accounts are hacked: The fake site may capture your login information, giving scammers access to your email, social media, or banking accounts.
- Your social media or email is hijacked: Once scammers access your social media accounts, they could use them to spread the scam to your contacts or for other fraudulent purposes.
- Malware is installed on your device: Some malicious QR codes automatically trigger downloads of spyware, ransomware, or other harmful software that can monitor your activity or lock your files.
- You're subscribed to unwanted services: Some scams automatically sign you up for premium services or subscriptions that charge your phone bill or connected payment methods.
8 examples of QR code scams and how to spot them
These real-world examples illustrate common situations where you might encounter QR code scams in your daily life, and how to recognize them before they cause harm.
1. Fake QR codes in public spaces
Scammers place counterfeit QR code stickers on parking meters, ATMs, bike rentals, and even tourist information placards. These codes usually redirect to payment pages that collect your credit card information or personal details.
How to spot it: Look for signs of tampering like stickers placed over existing codes, low-quality stickers, misaligned placement, peeling edges, or codes placed oddly, like on poles or ATMs without branding or context.
2. QR code scams in restaurants and cafes
Fake menu QR codes on restaurant or cafe tables can direct you to convincing lookalike sites that steal payment information when you think you're ordering food or paying your bill. Some even add hidden fees or gratuities to your order.
How to spot it: Fake codes often lack branding or look inconsistent with the restaurant’s materials. Ask staff if you’re unsure before scanning anything unfamiliar.
3. Fake QR codes sent via phishing emails and text messages
Scammers send messages posing as trusted companies like Microsoft, Docusign, or your bank, claiming there's an issue with your account. The QR code phishing email or text claims to offer a quick way to resolve the problem, but is actually a ploy to compromise your privacy and security.
How to spot it: Be wary of unexpected messages with urgent requests. Check for fake text messages by verifying the sender's information, and never scan codes in unsolicited communications.
4. Fake QR codes in the mail
Scammers send physical mail or parcels (like Amazon packages) with QR codes claiming you've won a prize, need to verify a delivery, or have an outstanding bill to pay. These codes often lead to convincing fake websites designed to capture personal and financial information.
How to spot it: Mail or parcels with QR codes claiming you’ve won a prize or demanding urgent action are often fake. Check for vague greetings or sketchy branding before scanning.
5. QR code scams on social media
Malicious QR codes are often distributed through direct messages, sometimes sent from hacked accounts of known contacts, as part of Facebook scams or Instagram scams. These codes might promise exclusive deals, account verification, or access to private content, but actually lead to credential theft or malware installation.
How to spot it: Be suspicious of QR codes from friends with vague or urgent messages. Confirm they’re legitimate by contacting the sender through another channel first.
6. Cryptocurrency QR code scams
Cryptocurrency QR code scams present fake investment opportunities or digital wallet recovery services that ask you to scan a QR code to verify your information or claim earnings. In reality, the code initiates financial fraud through unauthorized transfers to the scammer’s digital wallet — a tactic also seen in CashApp scams and bank scams.
How to spot it: Avoid QR codes claiming to fix wallet issues or offer crypto returns. Real platforms don’t use QR codes for account recovery.
7. Fake QR code scanner apps
Some third-party QR scanner apps in app stores are actually malware in disguise. Once installed, they may access your contacts, track your activity, or even access your camera or location data, all while appearing to function normally.
How to spot it: Avoid unfamiliar QR scanner apps with bad reviews or excessive permissions. Stick to your phone’s built-in camera app to scan codes.
8. Pop-up ads with fake QR code scams
Website pop-ups might display QR codes claiming to offer discounts, verify your age, or unlock exclusive content. Scanning these codes may lead you to malware downloads or phishing sites that aim to steal your information.
How to spot it: Legitimate websites rarely use QR codes in pop-up advertisements. Close these pop-ups without scanning and navigate directly to the official website if you're interested in any offers.
Best practices to avoid QR code fraud
The warning signs can be tough to spot, but avoiding QR code scams is possible if you know what to look for. Follow these best practices to spot suspicious codes, help avoid common traps, and protect your personal information:
- Preview the URL before clicking: iOS and Android devices show a URL preview when you scan a QR code. Look for misspellings, suspicious domain names, or URLs that start with HTTP instead of HTTPS.
- Check for signs of tampering: Avoid QR codes that are poorly printed, misaligned, or clearly placed over another code.
- Consider the context: If a QR code seems out of place or has no clear purpose, don’t scan it to find out what it is.
- Watch for pressure tactics: Be cautious of urgent messages like “Scan now!” or “Offer expires soon.”
- Verify with a trusted source: If you’re ever unsure whether a QR code is fake, confirm with an employee or visit the website being advertised directly.
- Avoid third-party scanner apps: Use your phone’s built-in camera — third-party apps are generally unnecessary and can be risky.
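The URL checks from the first tip above (misspellings, suspicious domain names, HTTP instead of HTTPS), written out as an added Python example that is not part of the original article. It assumes the QR payload has already been decoded to text; `EXPECTED_DOMAINS` and all sample domains are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the domains a reader would actually expect to land on.
EXPECTED_DOMAINS = {"example-parking.com", "example-bank.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review_qr_url(payload: str) -> list[str]:
    """Return the warning signs found in a URL decoded from a QR code."""
    try:
        url = urlsplit(payload.strip())
        host = (url.hostname or "").lower()
    except ValueError:
        return ["unparseable"]
    findings = []
    if url.scheme != "https":
        findings.append("not-https")
    if url.username is not None:
        findings.append("userinfo-in-url")  # text before '@' can mimic a trusted name
    if is_ip_literal(host):
        findings.append("ip-address-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    # Assumption: the last two labels are the registrable domain. True for the
    # sample .com names here, not for suffixes such as .co.uk.
    domain = ".".join(host.split(".")[-2:])
    if domain not in EXPECTED_DOMAINS:
        near = [d for d in EXPECTED_DOMAINS if 0 < edit_distance(domain, d) <= 2]
        findings.append(f"lookalike-of:{sorted(near)[0]}" if near else "unexpected-domain")
    return findings
```

An empty list means none of these signs were found, not that the destination is safe; the remaining tips in the list still apply.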


What to do if you scanned a suspicious QR code
If you suspect you've scanned a malicious QR code, take these steps immediately to minimize potential damage:
- Disconnect from the internet: Turn on airplane mode or disconnect from Wi-Fi to prevent any malware from communicating with its control servers or transmitting your information.
- Scan your device for malware: Run a full security scan using reputable security software to detect and remove any malicious programs that may have been installed.
- Change passwords immediately: If you entered any login information following a quishing attack, immediately update the passwords for those accounts, starting with financial accounts, email, and any services that store sensitive data.
- Monitor your accounts: Check your financial statements and online accounts for any unauthorized transactions or suspicious activity that could indicate information has been compromised.
- Freeze your credit: If you shared sensitive personally identifiable information, consider placing a credit freeze to prevent scammers from opening new accounts in your name.
- Report the scam: Report the scam to the FTC and alert the business or location where you found the fraudulent QR code to help prevent others from falling victim.
- Consider an identity theft protection service: Services like LifeLock can help monitor your personal information and alert you to potential fraudulent use of your identity following a security breach.
Protect yourself against QR code scams
QR codes make life easier — but they can also put your personal information at risk if misused by scammers. LifeLock Standard helps you stay one step ahead with proactive identity protection that monitors for potential threats, alerts you to suspicious activity, and scans the dark web for unauthorized use of your data. Subscribe today to help ensure a quick scan doesn’t lead to long-term damage.
FAQs
Are all QR codes risky?
No, not all QR codes are risky — most are safe and used legitimately to facilitate everyday tasks like viewing menus, making payments, or accessing apps. However, because QR codes can hide malicious links, it's important to stay cautious. Only scan codes from trusted sources and avoid those in unexpected messages or unfamiliar public places.
How can I verify if a QR code is safe?
You can help verify a QR code’s safety by checking for signs of tampering (such as stickers placed over existing codes) and previewing the URL before opening it. Most smartphones display the destination link after scanning but before opening it, giving you a chance to assess whether it looks legitimate. When in doubt, avoid scanning and contact the organization directly through official channels to confirm the QR code’s authenticity.
What’s QRLjacking?
QRLjacking (QR code login jacking) is a sophisticated cyberattack in which scammers intercept and replicate legitimate login QR codes in real time. When you scan one of these hijacked codes — believing you're securely logging into WhatsApp Web, Telegram, or banking apps — you’re actually authenticating the attacker’s session instead.
Can QR codes infect your device without being scanned?
No, QR codes can’t infect your device unless you actively scan them. They’re simply images that store data, usually in the form of a web link. The risk comes after scanning, especially if you take further action, such as visiting a website, downloading an app, or entering personal information.
Editor’s note: Our articles provide educational information. LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about.
Copyright © 2025 Gen Digital Inc. All rights reserved. All trademarks, service marks, and tradenames (collectively, the "Marks") are trademarks or registered trademarks of Gen Digital Inc. or its affiliates ("Gen") or other respective owners that have granted Gen the right to use such Marks. For a list of Gen Marks please see GenDigital.com/trademarks.