QR Code Phishing Safety: How to Check Links Before You Scan or Pay
A practical quishing safety guide for homes and small teams: link preview, payment QR checks, login warnings, reporting, and safer QR-code habits.

Updated May 30, 2026. QR-code phishing, often called quishing, changes with mobile apps and payment flows. The safest habit is not to fear every code; it is to slow down before entering credentials, approving payments, downloading apps, or trusting a shortened link.

QR codes are convenient because they remove typing. That convenience is also the risk: a code can hide the real destination until your phone opens it. Attackers abuse that moment in parking meters, flyers, package notices, email attachments, fake invoices, restaurant tables, and workplace posters. The code may lead to a fake login page, a payment page controlled by a criminal, a malicious app prompt, or a form designed to collect personal information.
The scan-before-you-trust model
| Situation | Safer action | Warning sign |
|---|---|---|
| Restaurant menu | Check that the code is part of the official table material | Sticker placed over an older code |
| Parking or payment | Use the official app or site, reached from the app store or a typed URL, when possible | Urgent fee, odd domain, no receipt trail |
| Email QR code | Treat like any link in email | Sender pressure, unexpected login, attachment-only code |
| Workplace poster | Verify through internal channel | Code requests password or MFA approval |
| Package notice | Go to carrier site manually | Short link, surprise customs fee, generic tracking page |
Step 1: preview the destination

Most modern phone cameras preview the domain before opening it. Pause there. You are looking for the expected organization, spelling, and context. A restaurant code should not send you to a random file-sharing domain. A bank code should not send you to a shortened URL. A workplace code should not ask for credentials unless the destination is clearly your organization’s approved sign-in page.
If the preview is hidden, shortened, or strange, do not continue. Search for the official site manually, open the known app, ask staff, or use another payment route.
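For a small team that wants to apply the same preview check to codes it receives or inspects, the sketch below runs it over the already-decoded text of a QR code. It is an added example, not part of the original guide; `citypark.example` is a hypothetical parking operator, the shortener list is illustrative rather than complete, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative, not exhaustive: a few well-known link-shortening hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def preview_qr_destination(payload, expected_domains):
    """Return warnings for a decoded QR payload; an empty list means it matched."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if not host:
        return warnings + ["no hostname to verify"]
    if parts.username or parts.password:
        # Everything before '@' is userinfo, often used to show a trusted name.
        warnings.append(f"userinfo before '@' hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: check for lookalike characters")
    if host in SHORTENERS:
        warnings.append("shortened link hides the final destination")
    expected = [d.lower() for d in expected_domains]
    # Match the exact domain or a true subdomain, never a substring.
    if not any(host == d or host.endswith("." + d) for d in expected):
        warnings.append(f"{host} is not an expected domain")
        if any(d.split(".")[0] in host for d in expected):
            warnings.append("expected name embedded in a different domain")
    return warnings

if __name__ == "__main__":
    # Constructed payloads; citypark.example is a hypothetical parking operator.
    samples = [
        "https://pay.citypark.example/meter/42",
        "https://citypark.example.pay-fast.example/meter/42",
        "https://bit.ly/abc123",
        "http://203.0.113.7/login",
        "https://citypark.example@pay-fast.example/",
    ]
    for s in samples:
        print(s, "->", preview_qr_destination(s, ["citypark.example"]) or "ok")
```

An empty result only means the domain is the one you expected; it says nothing about what the page behind it asks for.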
Step 2: inspect physical tampering

The FBI has warned about criminals tampering with QR codes to redirect payments or steal data. In public places, look for stickers placed over signs, codes that do not match surrounding design, poor print quality, and payment instructions that differ from official machines or staff instructions. A sticker does not prove fraud, but it is enough reason to verify before paying.
For small businesses, inspect customer-facing QR codes regularly. Keep master copies, train staff to notice overlays, and give customers a non-QR alternative for payment or menus.
Step 3: never let a QR code bypass login judgment

A QR code that opens a login page deserves the same skepticism as an email link. Do not enter passwords because a page looks familiar. Check the domain, use a password manager to detect mismatches, and prefer opening the service from your saved bookmark or official app. Multifactor authentication helps, but attackers may still try to trick you into approving a prompt.
For work accounts, report suspicious QR login attempts to security or IT. Do not experiment with credentials to see what happens.
Step 4: handle payment QR codes conservatively
Payment codes deserve extra caution because the error can be immediate. Before paying, confirm merchant name, amount, URL, and receipt path. If the QR code is on a parking meter, compare it with the official city or operator instructions. If the code asks for unusual personal details before payment, stop.
Use payment methods with dispute support where possible. Avoid saving card data into a one-off page reached only through a code. If you already paid and suspect fraud, contact the payment provider quickly and preserve the link, screenshot, location, time, and transaction record.
Step 5: report and recover cleanly

If you entered a password, change it from a known-good device and official site. If you reused that password, change every reused account. If you approved MFA, contact the service or workplace security team. If money moved, call the bank or payment provider. Report consumer scams to the FTC and cybercrime to appropriate channels such as IC3 when relevant.
For businesses, add QR phishing to security awareness without making it theatrical. The message is simple: preview, verify, avoid unexpected logins, and report suspicious physical tampering.
Quick QR safety checklist
- Preview the domain before opening.
- Prefer official apps, bookmarks, or typed URLs for payments and logins.
- Check for stickers over public codes.
- Do not install apps from a QR prompt unless you can verify the official store listing.
- Let your password manager warn you when a login domain is wrong.
- Report suspicious codes instead of testing them with real credentials.
Bottom line
QR codes are not the enemy; invisible trust is. Treat a QR code as a hidden link that needs context. If the destination, request, or physical code feels off, use a known route instead. The extra ten seconds are cheaper than recovering a password, payment, or work account.