Safe scanning rule
- Inspect where the code appeared and whether a sticker covers another code.
- Preview the destination address before opening it.
- Do not log in, pay, install an app or grant permissions unless you independently verify the destination.
- For parking, deliveries, banking and accounts, open the official app or type the known website yourself.
What is quishing?
Quishing means phishing through a QR code. The code can send a phone to a spoofed sign-in page, fake payment page, malicious download or other harmful destination. The FTC warns that scammers may cover legitimate parking-meter codes, send codes in unexpected texts or emails, or create a false problem that pressures people to scan quickly.
The code itself cannot prove trust
A professional-looking QR code can point anywhere. Verify the organisation and destination separately before entering credentials, card details or a payment.
Common QR-code scam situations
| Situation | Safer response |
|---|---|
| Parking meter or public sign | Check for a sticker covering the original code and use the official parking app or typed address. |
| Unexpected package with a QR code | Do not scan to discover the sender; the FTC and FBI warn about this brushing-scam variation. |
| Email/text says scan to fix an account | Open the company's official app or known website yourself. |
| QR code requests cryptocurrency or instant payment | Stop and independently verify the recipient and reason. |
| Restaurant menu or event code | Preview the domain and do not install an unrelated app or grant unusual permissions. |
Before opening a QR destination
- Use the phone camera's preview and read the complete domain carefully.
- Look for misspellings, extra words, shortened URLs and unrelated domains.
- Ask whether the message is unexpected or creates urgency.
- Never assume a code is safe because it contains a familiar logo.
- Keep the phone operating system and security updates current.
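The domain checks in the list above can also be applied mechanically to the decoded URL. The sketch below is an added example, not part of the original page; `EXPECTED_DOMAINS`, `SHORTENERS`, the warning names and the `.example` hostnames are assumptions constructed for illustration.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed for this example (not from the page): the domain the sign is
# supposed to use, and a few well-known link shorteners.
EXPECTED_DOMAINS = {"cityparking.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def registrable(host):
    """Naive last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def review_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return a list of warning strings for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:  # text before '@' is not the host
        warnings.append("userinfo-in-url")
    if not host:
        return warnings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        return warnings + ["raw-ip-address"]
    except ValueError:
        pass  # not an IP literal, continue with domain checks
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")  # may render as look-alike characters
    domain = registrable(host)
    if domain in expected:
        return warnings  # the expected domain or one of its subdomains
    if domain in SHORTENERS:
        warnings.append("shortened-url")  # real destination is hidden
    elif any(e.split(".")[0] in host for e in expected):
        warnings.append("expected-name-embedded")  # extra words or used as a subdomain
    elif any(SequenceMatcher(None, domain, e).ratio() >= 0.85 for e in expected):
        warnings.append("lookalike-domain")  # likely misspelling
    else:
        warnings.append("unrelated-domain")
    return warnings
```

An empty list only means none of these checks fired; it does not show that the destination is trustworthy.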
If you already scanned the code
Simply scanning or previewing a link is different from entering information, installing software or approving a payment. Close the page if it looks suspicious. Do not download files, allow notifications, grant permissions or continue through warnings.
If you entered a password, paid or installed something
- Change the exposed password immediately using the official app or typed website; change reused passwords too.
- Turn on strong two-factor authentication and review active sessions.
- Contact the bank or payment provider immediately for an unauthorised payment.
- Remove suspicious apps and permissions, update the phone and run supported security checks.
- Save the QR code, URL, messages, receipts and screenshots, then report the scam to the relevant authority.