QR Code Scam (Quishing) 2026: How to Scan Safely

QR code scams can hide risky links. Learn where they appear (public stickers, messages, packages), how to scan safely by previewing URLs, and what to do if you entered credentials or payment details.

Key Takeaways

  • Treat QR codes like links and preview the destination.
  • Avoid unexpected QR codes in messages or packages.
  • Check for tampering in public places.
  • Change passwords fast if you entered credentials.

If you cannot see the destination, do not scan. If you must scan, preview the URL first and verify the request through an official channel before you sign in or pay.


Why QR code scams are just link scams with better camouflage

QR codes hide the destination until you scan. That removes the one safety habit people still have: reading the URL before they click.

Most QR scams do not need malware. They just need you to land on a page that looks official enough for you to sign in or pay.

A QR code is a link you cannot see. If you cannot verify the destination, you are trusting the scammer’s routing.

In 2026, the danger is often the redirect chain. You scan a code, it bounces through tracking domains, and you only see the final destination after you are already primed to trust it. Use scanners that show the URL before opening, and do not sign in or pay unless you can confirm the real domain.

What makes a QR code risky

Redirect chains: you may not see the real destination until the final hop.

Overlays: stickers on public codes are an easy way to swap destinations.

Login and payment prompts: the moment you type or pay is where losses happen.

Unexpected context: packages and messages with QR codes are common pretexts.

Preview discipline: if you cannot preview and confirm the domain, do not proceed.
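
The preview step described above, as an added example that is not part of the original article: it lists every hop of a redirect chain and checks the final host against the domain you expected before anything is opened. The redirect table, the `.example` hostnames and the function names `host_flags` and `preview` are constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for HTTP 3xx Location headers so the
# example runs offline. Every host is a made-up name under reserved .example.
SAMPLE_REDIRECTS = {
    "http://qr.tracker.example/p/91": "https://click.ads.example/r?id=91",
    "https://click.ads.example/r?id=91": "https://parking-city.pay.login.example/signin",
}

def host_flags(url):
    """Return (host, warnings) for one URL, judged on its syntax alone."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username is not None:  # text before "@" is not the host
        flags.append("userinfo-before-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")  # may render as a lookalike name
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    return host, flags

def preview(url, expected_domain, redirects=SAMPLE_REDIRECTS, max_hops=5):
    """List every hop of the chain and compare the final host to the expected one."""
    hops, seen = [], set()
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        host, flags = host_flags(url)
        hops.append({"url": url, "host": host, "flags": flags})
        target = redirects.get(url)
        url = urljoin(url, target) if target else None
    complete = bool(hops) and url is None  # False on a loop or too many hops
    final = hops[-1]["host"] if hops else ""
    # Match on a label boundary so "pay.example.evil.example" is not accepted.
    matches = final == expected_domain or final.endswith("." + expected_domain)
    return {"hops": hops, "final_host": final, "complete": complete,
            "final_matches_expected": complete and matches}

if __name__ == "__main__":
    report = preview("http://qr.tracker.example/p/91", "parking-city.example")
    for hop in report["hops"]:
        print(hop["host"], hop["flags"])
    print("final host matches expected:", report["final_matches_expected"])
```
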

What the QR code is trying to get you to do

Public QR code: check for stickers or overlays before scanning.

QR code in a message: treat as suspicious and verify through official apps instead.

QR code asks you to log in: verify the domain carefully or avoid.

QR code asks for payment: use official apps and trusted paths only.

Common scripts you will see (and how to handle them)

A parking meter QR code looks like it was covered

Tampering is common because it is easy to place a sticker.

Instead, do not scan it. Use the official parking app or pay through the official kiosk flow.

A QR code arrives in a text about delivery

Message-based QR codes often aim to get you to a lookalike page.

Instead, verify through the retailer or carrier app you already use.

You scanned and the page asks you to sign in

Sign-in prompts are where the damage happens.

Instead, stop and verify the domain. If unsure, close it and use the official app instead.

If you already clicked or replied, what matters now

If you scanned and logged in: change the password immediately and enable two-step verification.

If you paid: contact your issuer and monitor transactions.

If the code was in public: report it to the venue so it can be removed.

Assume redirects: verify the final domain through official apps you open yourself.

When it is worth reporting, and who to report to

FTC guidance: Scammers hide harmful links in QR codes

Report tampering: notify the business or venue where the code is displayed.

Related guides

How to Verify a Brand Website Before You Sign In or Pay

Unknown Number Link? How to Verify Without Clicking

Sources

FTC: Scammers hide harmful links in QR codes

USPIS: Quishing


Guardio Security Team
Guardio’s Security Team researches and exposes cyber threats, keeping millions of users safe online. Their findings have been featured by Fox News, The Washington Post, Bleeping Computer, and The Hacker News, making the web safer — one threat at a time.

FAQs

Can a QR code install malware?

A QR code usually opens a link. The risk comes from the page you open and what you do next. Avoid downloads and verify the URL first.

Is it safe to scan QR codes in public?

Be cautious. Check for tampering and preview the destination before opening.

What should I do if I scanned a code and logged in?

Change your password immediately and enable two-step verification. Review account activity for unfamiliar sessions.

How can I tell if a QR code is fake?

Look for stickers or overlays, and preview the URL for misspellings or strange domains.

Should I use my camera app to scan?

Use trusted scanners that show you the URL before opening. Avoid scanners that auto-open links.

How can Guardio help?

Guardio can warn you about suspicious links and lookalike pages before you interact.
