QR Code Fraud Is Surging & Millions Are Falling for It
Published: July 29th, 2025.
QR codes were designed to make life easier. They replaced printed menus during the pandemic, simplified parking payments, and offered instant access to digital services with just one scan. However, that same ease of use has become a vulnerability that cybercriminals increasingly exploit through a rising threat known as quishing.
Quishing, short for “QR phishing,” involves tricking people into scanning fake QR codes that direct them to fraudulent websites or trigger harmful downloads.
Once scanned, these codes can steal sensitive data like credit card numbers and logins or even install malware to hijack a device. And the threat is no longer theoretical.
In January, the Federal Trade Commission (FTC) warned about packages sent to consumers' homes that included a QR code and a note claiming the gift’s sender could be revealed by scanning the code. These codes often led to phishing websites that steal login credentials or install malware.
Just a few months later, in June, the New York City Department of Transportation alerted the public to a scam involving QR codes placed on parking meters. Fraudsters had been placing fake stickers with QR codes that redirected drivers to unauthorized payment portals.
Some users, believing they were paying for parking, entered credit card information directly into these spoofed sites. The city launched a full inspection of meters and urged residents to report any suspicious codes.
In July, Hawaiian Electric reported another wave of QR scams targeting businesses on Oahu. In these cases, scammers posed as utility workers and threatened to disconnect service unless payment was made immediately.
Victims were sent QR codes that appeared official, but scanning them led to fraudulent payment platforms. After following these directions, at least two businesses paid thousands in cash.
Quishing is particularly dangerous because of its stealth and familiarity. QR codes are now part of daily life for menus, tickets, payments, and promotions.
They’re so common that most people barely think twice before scanning one. And because the code masks the URL it leads to, it’s hard to know what you’re opening until it’s too late.
Unlike suspicious emails, which many users have learned to spot, QR scams exploit physical environments and everyday urgency.
Whether it’s a last-minute parking payment, a utility bill warning, or a package that appears harmless, these scams rely on speed and convenience to catch victims off guard.
How to stay safe from QR scams
- Security experts and public agencies alike urge caution when dealing with QR codes, especially in public or unverified settings. Here’s how to protect yourself:
- Be skeptical of QR codes in public spaces. Do not scan codes on parking meters, flyers, or signs unless you are sure they are official
- Avoid scanning QR codes from unsolicited packages or messages, even if they appear to be from reputable companies
- Look closely at where the QR code is placed. Fake codes are often slapped onto signs, kiosks, or public machines. If something looks off or out of place, trust your instincts
- Verify URLs before proceeding. Many smartphones display the web address after scanning a QR code, so look closely before clicking
- Do not enter personal or financial information on any site accessed through a QR code unless you have manually verified its legitimacy
- Use a secure QR code scanner that checks for unsafe links
- Enable two-factor authentication on accounts to reduce the risk of unauthorized access
- Report suspicious QR codes to local authorities, utilities, or relevant companies
QR codes aren’t going away. They’ve become part of how people interact with the world. But what was once just a shortcut to convenience is now also a potential gateway for fraud.
Scanning with intention and a healthy dose of skepticism can help keep you safe.