QR code scams (quishing): how to stay safe

May 30, 2026 · 2 min read

A QR code is just a link you cannot read with your eyes. Scammers exploit that gap. Here is how "quishing" works and how to scan safely.

What is "quishing"?

Quishing is phishing that uses a QR code instead of a clickable link. Because a QR code is just a pattern of squares, you cannot tell where it leads until you scan it - and by then your phone may already be opening a fake website. Scammers love this: it slips past the "hover to check the link" habit that protects you in email.

Where QR scams show up

  • Stickers placed over real codes - on parking meters, EV chargers, restaurant menus, and posters. The scammer's code sits on top of the legitimate one.
  • Fake invoices and letters - a "missed delivery" or "unpaid toll" notice with a QR code to "resolve" it.
  • Emails - a QR code in an attachment or image, used to dodge the link scanners that protect your inbox.
  • Too-good deals - a flyer promising a prize or discount if you "scan to claim."

How to scan safely

  1. Preview the link before opening it. Most phone cameras show the URL first - read it. Does the domain match the company you expect?
  2. Watch for look-alike domains. Addresses such as paypa1.com or canadapost-delivery.info are not the real thing.
  3. Be suspicious of physical codes in public. Check for a sticker placed over another code. When in doubt, type the address yourself instead.
  4. Never enter passwords or payment details on a page you reached by scanning a code you did not expect.
  5. Check the link first. If you are unsure where a code leads, decode it and run the address through our QR Code Checker before you trust it.
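
Steps 1 and 2 can be automated once the code has been decoded to text. The sketch below is an added example, not part of the original guide and not the QR Code Checker's own code; the allowlist, function name and sample payloads are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> the domain you expect for it.
# Replace with the organisations you actually deal with.
EXPECTED = {
    "paypal": "paypal.com",
    "canadapost": "canadapost-postescanada.ca",
}

# Digits commonly swapped in for letters in look-alike names (1 for l, 0 for o, ...).
DIGIT_SWAPS = str.maketrans("01345", "oleas")


def check_qr_link(payload, expected=EXPECTED):
    """Classify text decoded from a QR code.

    Returns "expected", "look-alike", "unknown" or "not-a-web-link".
    Only "expected" means the domain matched the allowlist.
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL
        return "not-a-web-link"
    if parts.scheme not in ("http", "https") or not host:
        return "not-a-web-link"

    # Exact domain, or a subdomain of it (www.paypal.com).
    for domain in expected.values():
        if host == domain or host.endswith("." + domain):
            return "expected"

    # Brand name inside a host that is not the brand's domain, either directly
    # (canadapost-delivery.info) or after undoing digit swaps (paypa1.com).
    unswapped = host.translate(DIGIT_SWAPS)
    if any(brand in host or brand in unswapped for brand in expected):
        return "look-alike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample payloads; the look-alikes are the ones named in step 2.
    for text in ("https://www.paypal.com/signin", "http://paypa1.com/login",
                 "https://canadapost-delivery.info/track", "Table 12"):
        print(f"{check_qr_link(text):15} {text}")
```

A result of "unknown" is not a pass: it only means the host matched nothing on the list, so the advice in steps 3 and 4 still applies.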

If you already scanned and entered details

Treat it like any phishing: change the password you entered (and anywhere you reused it), turn on two-factor authentication, and if you shared card details, call your bank. A QR code is just a link - the same caution applies.
