Fact-checked by the SnapMessages editorial team
Quick Answer
Fake QR code scams involve cybercriminals replacing or creating fraudulent QR codes to redirect victims to phishing sites, steal credentials, or install malware. As of July 2025, the FBI reports QR code fraud complaints have surged, with the FTC documenting losses exceeding $1 billion annually from QR-linked phishing attacks. Always verify a QR code’s source before scanning.
Fake QR code scams are a fast-growing form of cyberattack where criminals overlay or distribute counterfeit codes in public spaces, emails, and text messages to harvest personal data. According to the FTC’s consumer alert on QR code fraud, these schemes are specifically designed to bypass traditional spam filters because they use image-based payloads rather than text links.
The threat has intensified in 2025 as QR codes became embedded in everyday infrastructure — parking meters, restaurant menus, package delivery notices, and even hospital check-in forms.
How Do Fake QR Code Scams Actually Work?
Criminals execute fake QR code scams by substituting a legitimate code with one that points to a malicious URL, typically a spoofed login page or a silent malware download trigger. The swap happens in seconds and is invisible to the human eye — a fraudulent sticker placed over a parking meter QR code looks identical to the original.
The attack chain typically unfolds in three steps. First, the victim scans the code with a smartphone camera. Second, the phone’s browser opens a convincing replica of a trusted site — a bank, a delivery service, or a government portal. Third, any credentials, payment details, or personal data entered are transmitted directly to the attacker’s server.
Quishing: QR Phishing via Email
A specific variant called quishing embeds fake QR codes inside email attachments or corporate communications. Because the malicious payload is an image rather than a hyperlink, most enterprise email security gateways fail to flag it. Check Point Research found that quishing attacks increased by over 587% in a single six-month period, making it one of the fastest-growing phishing vectors in enterprise environments.
Key Takeaway: Fake QR code scams work by silently redirecting smartphone cameras to phishing URLs. The quishing variant bypasses email filters entirely — Check Point reported a 587% surge in quishing incidents — making visual inspection of every scanned code a critical security habit.
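Why a filter that only reads text and links sees nothing in a quishing message, shown as an added example that is not from the original article or any vendor's product. The sample message, the `triage` function and its flagging heuristic are constructed assumptions for illustration.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(scan|qr)\b", re.I)

# Constructed sample: no link anywhere in the text, one inline PNG.
# The base64 body is placeholder bytes, not a real QR image.
SAMPLE = """\
From: it-support@corp.example
To: user@corp.example
Subject: Account notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Scan the QR code below with your phone to keep your mailbox access.
--b1
Content-Type: image/png; name="enroll.png"
Content-Disposition: inline; filename="enroll.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

def triage(raw):
    """Split a message into what a text/URL scanner sees and what it skips."""
    msg = message_from_string(raw)
    text, carriers = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/") or ctype == "application/pdf":
            # Possible QR carrier: invisible to link extraction.
            carriers.append(part.get_filename() or ctype)
        elif ctype.startswith("text/"):
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            text.append(data.decode(charset, "replace"))
    body = "\n".join(text)
    urls = URL_RE.findall(body)
    # Heuristic (assumption): carrier + scan lure + no text link
    # means the images must be decoded before the mail is judged.
    needs_decode = bool(carriers) and not urls and bool(LURE_RE.search(body))
    return {"text_urls": urls, "carriers": carriers,
            "needs_image_decode": needs_decode}
```

A message flagged with `needs_image_decode` would then go to a QR decoder, and any URL recovered from the image gets the same reputation checks as an ordinary link.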
Where Do Criminals Deploy Fake QR Codes?
Fake QR codes appear in both physical and digital environments, often targeting high-traffic, low-scrutiny situations where users scan quickly without thinking. The FBI has issued specific warnings about several recurring placement vectors.
Common physical locations include parking meters, restaurant table tents, public transit fare machines, retail point-of-sale terminals, and event check-in booths. In each case, the attacker either replaces the legitimate code with a sticker or tampers with printed signage. The FBI’s Internet Crime Complaint Center (IC3) advisory on QR code tampering specifically warns about parking payment stations as a primary target.
Digital Delivery Channels
Online, criminals distribute fake QR code scams through phishing emails, SMS messages (a tactic that overlaps with smishing attacks), social media posts, and fake package delivery notifications. Fraudulent codes also appear in PDF invoices sent to businesses, targeting accounts payable staff who scan codes to confirm payment portals.
| Attack Surface | Delivery Method | Primary Target |
|---|---|---|
| Parking Meters | Physical sticker overlay | Payment card data |
| Restaurant Menus | Replaced printed code | Login credentials |
| Corporate Email (Quishing) | Embedded image in PDF | Microsoft 365 / Google credentials |
| SMS / Text Message | Fake delivery notification | Personal and financial data |
| Social Media | Sponsored post or DM | Account takeover |
| Cryptocurrency ATMs | Overlay on machine display | Crypto wallet theft |
Key Takeaway: Fake QR code scams target both physical spaces and digital inboxes. The FBI’s IC3 advisory specifically flagged parking meters and cryptocurrency ATMs as high-risk surfaces — 6 distinct attack surfaces are now actively exploited by threat actors.
What Information Can Criminals Steal Through a Fake QR Code?
A single scan of a malicious QR code can expose login credentials, payment card numbers, device identifiers, and geographic location data — all within seconds of the redirect occurring. The scope of data theft depends on what the victim does after landing on the spoofed page, but some attacks harvest data passively without any user interaction.
Credential harvesting is the most common outcome. Victims land on convincing replicas of bank portals, Microsoft 365 login screens, or government service pages and enter usernames and passwords. Once captured, these credentials are sold on dark-web marketplaces or used immediately for account takeovers. This connects directly to broader mobile security risks — understanding how spyware operates on phones helps explain why some QR code redirects silently install tracking software alongside credential theft.
Silent Drive-By Downloads
More sophisticated attacks use the redirect to trigger a drive-by download: malicious code that installs automatically when a vulnerable mobile browser loads the page. This requires no user input beyond the initial scan. The installed payload can function as stalkerware, a keylogger, or a banking trojan.
“QR codes are the perfect social engineering tool because they completely obscure the destination URL. Users have been trained to distrust suspicious links, but they have no equivalent instinct for QR codes — they just scan and trust.”
Key Takeaway: Beyond passwords, a single malicious scan can trigger silent malware installation targeting banking apps. Rachel Tobac of SocialProof Security notes that users lack trained skepticism toward QR codes — a gap criminals exploit. The FTC documented over $1 billion in annual losses tied to QR-linked fraud schemes.
How Can You Spot and Avoid Fake QR Code Scams?
You can avoid fake QR code scams by previewing the destination URL before tapping, checking for physical tampering, and using a QR scanner app that displays the full URL before redirecting. Most modern iOS and Android cameras show a URL preview — reading it carefully before proceeding is the single most effective defense.
Physical inspection matters. Look for sticker overlays that sit slightly above the surface, misaligned edges, or codes that appear freshly printed on otherwise worn signage. If a QR code at a public location prompts you to enter payment information, independently navigate to the organization’s official website instead of following the redirect.
Technical Protections to Enable Now
Enable Safe Browsing on your mobile browser. Both Google Chrome and Apple Safari include real-time phishing detection that can intercept known malicious domains after a QR redirect. Keep your phone’s operating system fully updated, since drive-by download attacks frequently exploit vulnerabilities that have already been patched in current releases. For a broader understanding of how your messaging and browsing data can be intercepted, reviewing how end-to-end encryption protects your messages provides useful context on where data exposure begins.
- Always preview the full URL before tapping a QR-generated link.
- Inspect physical QR codes for sticker overlays or surface tampering.
- Never enter payment or login data on a page reached via an unexpected QR scan.
- Use a dedicated QR scanner app with built-in URL safety ratings.
- Report suspected fake QR codes to the FTC at ReportFraud.ftc.gov or the FBI’s IC3.
Key Takeaway: The most effective defense against fake QR code scams is previewing the destination URL before loading it. Enabling Safe Browsing and keeping iOS or Android updated closes the drive-by download vector — the FBI’s IC3 recommends reporting suspicious codes immediately alongside these 5 protective steps.
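One way to automate the URL-preview check described above, as an added example that is not from the original article or from any scanner app. `assess_qr_url`, the `SHORTENERS` list and the `.example` domains are hypothetical, and the checks go slightly beyond the article's advice by also covering userinfo tricks, IP-literal hosts and punycode labels.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list of link shorteners; extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def assess_qr_url(payload, official_domains):
    """Return warning tags for a decoded QR payload (empty list = no warning)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        username = parts.username
    except ValueError:
        return ["unparseable"]
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if not host:
        return findings + ["no-host"]
    if username is not None:
        # https://brand.example@other.example/ loads other.example
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    if host in SHORTENERS:
        findings.append("shortened-url")
    # Compare from the right: the host must be an official domain or a
    # subdomain of one. A brand name on the left of the host proves nothing.
    allowed = [d.lower() for d in official_domains]
    if not any(host == d or host.endswith("." + d) for d in allowed):
        findings.append("unexpected-domain")
    return findings

if __name__ == "__main__":
    official = ["cityparking.example"]  # constructed operator domain
    for url in ["https://pay.cityparking.example/meter/42",
                "https://cityparking.example.pay-secure.example.net/login",
                "http://192.0.2.10/pay",
                "https://bit.ly/abc123"]:
        print(url, "->", assess_qr_url(url, official) or "ok")
```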
What Should You Do If You Scanned a Fake QR Code?
If you suspect you scanned a malicious QR code, act within the first 30 minutes — change exposed passwords immediately, contact your bank to freeze affected cards, and run a mobile security scan. Speed is critical because stolen credentials are often tested against other accounts within minutes of capture.
Disconnect from Wi-Fi and mobile data briefly if you believe a drive-by download occurred — this can interrupt malware calling home to a command-and-control server. Then run a reputable mobile antivirus application. Understanding how malicious software gets installed on phones without your knowledge helps you recognize behavioral signs of compromise, such as unexpected battery drain or unfamiliar background processes.
File a report with the FTC at ReportFraud.ftc.gov and with the FBI’s Internet Crime Complaint Center. If financial data was entered, place a fraud alert with Equifax, Experian, or TransUnion immediately to flag unauthorized credit applications.
Key Takeaway: Victims of fake QR code scams should change passwords, freeze cards, and file reports within 30 minutes of a suspected compromise. The FTC’s ReportFraud portal and the FBI’s IC3 are the two primary reporting bodies — early reporting helps investigators dismantle active phishing infrastructure faster.
Frequently Asked Questions
Can my phone get hacked just from scanning a QR code?
Yes, scanning a malicious QR code can result in a drive-by download if your mobile browser contains an unpatched vulnerability. You do not need to enter any information — simply loading the redirected page can trigger code execution on some devices. Keeping your operating system and browser fully updated significantly reduces this risk.
How do I tell if a QR code is fake before scanning it?
Physically inspect the code for sticker overlays, misaligned printing, or surface damage that looks inconsistent with surrounding materials. Once scanned, read the full URL preview before tapping — legitimate businesses use their own branded domains, not shortened URLs or random strings. If anything looks unfamiliar, do not proceed.
Are fake QR code scams common in email?
Yes — the quishing variant specifically embeds fraudulent QR codes in corporate emails and PDF attachments to bypass text-based spam filters. Check Point Research documented a 587% increase in quishing incidents in one measured period, with Microsoft 365 and Google Workspace credentials as the primary targets.
What is the difference between quishing and regular phishing?
Quishing is phishing that uses a QR code image as the attack vector instead of a clickable hyperlink. Because email security tools typically scan text and URLs rather than decode embedded images, quishing emails reach inboxes that would block traditional phishing links. The outcome — credential theft or malware delivery — is identical.
Is it safe to scan QR codes at restaurants and parking meters?
It can be, but you should always verify the destination URL matches the business’s official domain before entering any data. High-traffic public locations such as parking meters are specifically called out in FBI warnings as frequent targets for physical QR code tampering. When in doubt, type the business’s web address directly into your browser.
Should I use a third-party QR scanner app instead of my phone’s built-in camera?
A dedicated QR scanner app that displays a safety rating for the destination URL adds a useful layer of protection beyond the built-in camera preview. However, no tool eliminates risk entirely — the built-in camera preview plus your own URL inspection is effective for most users. Avoid obscure scanner apps that request excessive device permissions.
Sources
- Federal Trade Commission — Scammers Hide Harmful Links in QR Codes to Steal Your Information
- FBI Internet Crime Complaint Center (IC3) — Criminals Tampering with QR Codes to Steal Victim Funds
- Check Point Research — QR Code Phishing (Quishing): What It Is and How It Works
- Federal Trade Commission — ReportFraud.ftc.gov Consumer Reporting Portal
- CISA — Protecting Yourself from QR Code Fraud
- Federal Trade Commission — What to Know About Credit Freezes and Fraud Alerts
- Wired — The Rise of QR Code Phishing Scams






