QR code security: phishing patterns and safer defaults

By Elysiate · Updated Apr 9, 2026

Tags: qr-code, qr-security, phishing, quishing, cybersecurity, mobile-security

Level: intermediate · ~15 min read · Intent: informational

Audience: developers, security teams, IT admins, business operators, general users

Prerequisites

  • basic familiarity with QR codes
  • basic familiarity with phishing and web links

Key takeaways

  • QR code attacks work because the destination is hidden until scan time, which makes them effective in phishing emails, public signage scams, payment scams, and mobile-first credential theft flows.
  • The safest scanning defaults are simple: avoid unexpected QR codes in email and text, inspect the destination before opening it, verify the domain independently, and avoid entering credentials after a surprise scan.
  • Businesses that publish QR codes can reduce user risk by using clear branded destinations, human-readable fallback URLs, tamper-aware physical placement, and operational ownership over every live QR destination.
  • For enterprise environments, quishing is not just a consumer scam problem: mobile-device scans can bypass normal email-link scrutiny and can lead to credential theft, session theft, and MFA-resistant account compromise.

FAQ

Are QR codes themselves dangerous?
The code format itself is not the danger. The risk is the destination or action hidden behind the code, such as a spoofed login page, malicious payment page, or app download prompt.
What is quishing?
Quishing is QR code phishing: attackers use a QR code instead of a visible clickable link so the victim scans first and inspects later, often on a personal phone outside normal workplace protections.
Should businesses put QR codes in emails?
Only carefully. Email QR codes now carry phishing associations, so businesses should prefer normal links where possible, add a visible plain-text destination, and avoid asking users to authenticate after scanning.
What is the safest way to publish a QR code?
Use a clear HTTPS destination on a domain users already trust, print the fallback URL in readable text, avoid unnecessary redirects and shorteners, and protect physical signage against sticker replacement or tampering.
What should I do if I scanned a suspicious QR code?
Do not enter credentials, payment details, or install anything. Close the page, verify the real destination independently, change affected passwords if you submitted them, and report the incident through the relevant fraud or security channel.

QR codes are convenient.

They are also one of the easiest ways to hide a destination from a human until the last possible moment.

That is why QR code security is no longer just a niche topic for payment terminals or restaurant menus. It now touches:

  • email phishing
  • public signage scams
  • parking and payment fraud
  • package scams
  • mobile-device risk
  • account takeover flows
  • branded login spoofing
  • business signage and print safety

This is also why searches around this topic have split into many different intents:

  • are QR codes safe
  • QR code phishing
  • quishing meaning
  • QR code scam in email
  • parking meter QR code scam
  • fake QR code sticker scam
  • can QR codes install malware
  • safe QR code practices for business
  • should I trust QR codes in restaurants or public spaces
  • secure QR code generator best practices

A high-quality page on this topic needs to answer all of them.

So this guide does two things:

  1. It explains how malicious QR code campaigns actually work.
  2. It gives safer defaults for both scanners and publishers.

That split matters. Most content only tells users to “be careful.” That is too vague to be useful.

The better question is:

what defaults reduce risk before a user is under pressure to make a fast decision?

Why QR code scams work so well

QR codes remove the part of web security where people visually inspect a link before clicking.

With a normal link, a cautious user may notice:

  • a suspicious domain
  • a misspelling
  • a URL shortener
  • a strange subdomain
  • an odd top-level domain

With a QR code, that judgment often happens later, on a phone, after the scan has already happened.

The UK NCSC notes that QR phishing is increasing in email and highlights three reasons attackers like it:

  • the code disguises the link
  • not all security tools inspect images the same way they inspect visible links
  • users often scan with a personal phone that may not have the same protections as a work device

That is the core threat model.

A QR code is not magic. It is just a delivery mechanism that:

  • hides the destination until scan time
  • shifts trust decisions to mobile
  • compresses user attention into a smaller screen and faster action flow

That combination is ideal for phishing.

Are QR codes themselves dangerous?

Not inherently.

The format itself is just an encoding method. A QR code can point to:

  • a normal website
  • a payment page
  • a Wi-Fi join string
  • contact information
  • an app store page
  • a login page
  • a deep link
  • a file download

The danger comes from what happens after the scan.

That distinction matters because it changes how businesses should think about QR code safety.

The right question is not:

  • “are QR codes safe?”

It is:

  • “how trustworthy is the destination, the context, and the action being requested?”

What is quishing?

Quishing means QR code phishing.

Instead of sending a clickable link, an attacker sends a QR code that leads to:

  • a spoofed login page
  • a fake payment page
  • a credential reset trap
  • a malware or app-install flow
  • a fake document or file-sharing page

Microsoft describes QR code phishing as one of the fastest-growing email-based attack types and notes that these emails often use realistic prompts such as password resets or two-factor authentication requests.

That pattern is especially effective because the QR code can look less suspicious than a raw URL. To a rushed user, it can even feel more official.

The biggest QR code phishing patterns

To be genuinely useful, this page needs to go beyond one scam story. The major patterns are different enough that people search for them separately.

1. QR codes in phishing emails

This is now one of the most important search surfaces around QR security.

Common bait includes:

  • password expiration warnings
  • MFA reset prompts
  • secure document access
  • payroll or HR notices
  • invoice review requests
  • voicemail access
  • package-delivery issues
  • account verification prompts

Why it works:

  • the QR code hides the URL
  • users may trust the corporate-looking design
  • the scan happens on mobile, where users are often outside normal security workflows
  • the follow-up page can look like Microsoft, Google, Okta, Adobe, DocuSign, or another familiar service

The NCSC explicitly warns that users should be cautious about QR codes in emails, and the FTC advises people not to scan QR codes in unexpected email or text messages, especially when there is pressure to act quickly.

Best defensive default

Treat a QR code in an unexpected email the same way you would treat a suspicious login link.

Better yet, treat it as more suspicious than a normal link, because it is asking you to switch devices and lower your guard.

2. Public signage and parking meter QR scams

This is one of the most visible consumer scam patterns.

It often works like this:

  • a criminal places a sticker over a legitimate QR code
  • the fake code points to a payment site the victim does not recognize
  • the victim assumes the code belongs to the meter, machine, menu, or sign
  • money or card details are captured through the fake site

The FTC specifically warns that scammers may cover legitimate QR codes on parking meters with their own codes. The NCSC also notes that QR-related fraud often shows up in open public spaces such as stations and car parks.

Why this pattern is effective

Physical context creates borrowed trust.

People assume:

  • “this code is attached to a real machine”
  • “this is in a regulated public place”
  • “someone would have removed it if it were fake”

That trust is often misplaced.

Best defensive default

If the action involves money, login details, or personal data:

  • inspect the sign physically for stickers or tampering
  • preview the destination if your phone supports it
  • verify the domain before paying
  • prefer official apps or manually typed official websites for repeat services like parking

3. Package, delivery, and brushing-style QR scams

The FBI warned in 2025 about unsolicited packages containing QR codes that prompt recipients to provide personal or financial information or to grant access that can expose the phone to compromise.

This pattern works because curiosity is strong. People want to know:

  • who sent the package
  • why it arrived
  • whether it is a prize, gift, or mistaken delivery
  • whether they need to confirm or reschedule something

In some variants, the package has no sender information, which nudges the recipient toward scanning.

Best defensive default

Do not scan QR codes from unknown packages or unexplained inserts. If the package is real, there should be another legitimate way to identify the sender without trusting a mystery code.

4. Fake payment and invoice QR flows

QR payments are normal in many markets. That is exactly why they are attractive to attackers.

Common patterns include:

  • fake invoice QR codes
  • altered bill or statement QR codes
  • replaced payment signage
  • checkout redirection to fake payment portals
  • charity or donation QR fraud

Why this pattern is dangerous:

  • victims are already expecting to pay
  • the code creates a fast path to a mobile payment page
  • the page can feel legitimate because mobile checkouts are already minimal by design

Best defensive default

Do not trust a QR code just because the surrounding invoice looks professional. Verify:

  • the business identity
  • the destination domain
  • the payee details
  • the official payment route already listed on the company’s known website

5. Branded login spoofs and enterprise credential theft

This is the pattern security teams should care about most.

QR phishing is no longer only a consumer nuisance. The January 2026 FBI/IC3 alert on Kimsuky described malicious QR codes used in targeted spearphishing campaigns that led victims to credential-harvesting and fake Google login pages. The advisory also notes that quishing can originate on unmanaged mobile devices outside normal EDR and network inspection boundaries and can support MFA-resilient identity intrusion paths.

That is a serious shift.

The issue is no longer just “someone scanned a bad code.” It is:

  • mobile-first credential theft
  • session theft risk
  • account persistence
  • lateral phishing from compromised mailboxes
  • business-email compromise pathways

Best defensive default

For enterprise users, the safest assumption is simple:

never enter work credentials after scanning an unexpected QR code.

If a message claims you must scan to sign in, reset MFA, or access a secure document, verify the task through a known internal route first.

Why mobile makes QR attacks worse

Many phishing defenses were built around desktop workflows:

  • hover the link
  • inspect the URL
  • rely on browser protections on a managed device
  • let the email gateway rewrite or scan the link

QR flows break that pattern.

Users often move from:

  • a managed inbox
  • to an unmanaged or less-protected phone
  • to a small-screen browser
  • to a branded phishing page
  • to an input field for credentials or payment details

That handoff reduces both visibility and control.

It also makes follow-up deception easier. A user may think:

  • “I am on my phone, so this login flow is supposed to look different.”

That assumption helps attackers.

Safer defaults for people who scan QR codes

The point of a “safer default” is not perfect security. It is lowering the chance of a bad decision under time pressure.

Use these defaults.

1. Be more suspicious of QR codes in email and text than in normal web pages

This sounds backwards at first, but it is the right rule.

An email QR code is often trying to bypass your normal habit of looking at the destination first. If the sender wants you to visit a website, they can usually give you the website in plain text too.

2. Preview the destination before opening it

Many phones show the destination URL before you proceed. Use that pause.

Check for:

  • misspellings
  • swapped letters
  • extra subdomains
  • unfamiliar domains
  • shortened URLs you cannot easily validate

If the domain matters, verify it independently.
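The destination checks listed above (misspellings, swapped letters, extra subdomains, unfamiliar domains, shorteners) can be expressed as a small inspection routine run over the decoded QR payload before anything is opened. The following is an added example written for this article, not code from Elysiate or from the article itself. The trusted-domain list, the shortener list and the two-label public suffixes are constructed samples; a real tool would use the organization's own allowlist and the Public Suffix List. It also goes slightly beyond the text by classifying non-URL payloads (Wi-Fi join strings, contact cards) rather than treating every scan as a web link.

```python
"""Inspect a decoded QR payload before opening it (scanner side).

Added example, not part of the original article. All lists below are
constructed samples, not an authoritative feed.
"""
import difflib
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: domains this user or organization already trusts.
TRUSTED_DOMAINS = {"example.com", "microsoft.com", "google.com", "okta.com"}

# Well-known public shortener hosts (illustrative subset).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Two-label public suffixes handled by this toy example (real tools use the PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


@dataclass
class Assessment:
    kind: str                      # "url", "wifi", "vcard" or "other"
    registrable: str = ""          # e.g. "example.com"
    trusted: bool = False
    warnings: list = field(default_factory=list)

    @property
    def needs_verification(self) -> bool:
        """True when a URL is either unfamiliar or carries a trust warning."""
        return self.kind == "url" and (not self.trusted or bool(self.warnings))


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (naive public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_payload(payload: str) -> Assessment:
    """Classify a decoded QR payload and list trust warnings for URL payloads."""
    text = payload.strip()
    upper = text.upper()
    if upper.startswith("WIFI:"):
        return Assessment(kind="wifi",
                          warnings=["joins a Wi-Fi network; confirm the SSID is one you expect"])
    if upper.startswith("BEGIN:VCARD") or upper.startswith("MECARD:"):
        return Assessment(kind="vcard")

    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return Assessment(kind="other", warnings=[f"unrecognised payload type: {text[:20]!r}"])

    host = parts.hostname  # urlsplit lowercases the hostname for us
    a = Assessment(kind="url", registrable=registrable_domain(host))
    a.trusted = a.registrable in TRUSTED_DOMAINS

    if parts.scheme != "https":
        a.warnings.append("not HTTPS")
    if parts.username or parts.password:
        a.warnings.append("URL carries user:password@ before the host")
    if _is_ip(host):
        a.warnings.append("host is a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        a.warnings.append("punycode hostname; look-alike characters possible")
    if a.registrable in SHORTENER_HOSTS:
        a.warnings.append("URL shortener hides the real destination")
    if not a.trusted:
        a.warnings.append(f"unfamiliar domain {a.registrable}")
        # A trusted name used as a subdomain of some other domain ("extra subdomains").
        for t in TRUSTED_DOMAINS:
            if host != t and t in host and not host.endswith("." + t):
                a.warnings.append(f"contains trusted name {t!r} but is not under it")
        # Near-miss spellings of a trusted domain (swapped or substituted letters).
        close = difflib.get_close_matches(a.registrable, list(TRUSTED_DOMAINS), n=1, cutoff=0.8)
        if close:
            a.warnings.append(f"looks like {close[0]!r} (possible typosquat)")
    return a


if __name__ == "__main__":
    for sample in ("https://login.microsoft.com/", "http://bit.ly/abc",
                   "https://micros0ft.com/verify", "WIFI:T:WPA;S:Cafe;P:secret;;"):
        r = assess_payload(sample)
        print(sample, "->", r.kind, r.needs_verification, r.warnings)
```

The point of the structure is that `needs_verification` is the decision the user actually needs ("stop and check another way"), while `warnings` explains why; a trusted HTTPS destination with no warnings is the only case that passes silently.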

3. Do not authenticate, pay, or install from a surprise scan

This one rule blocks a large portion of real damage.

Do not enter:

  • passwords
  • MFA codes
  • card details
  • bank information
  • corporate credentials

And do not install apps or profiles after a QR scan unless you already know exactly why you are doing it.

4. Prefer the built-in QR scanner on your phone

The NCSC recommends using the QR scanner that comes with your phone instead of a third-party scanner app downloaded from an app store.

That is a strong default because extra QR apps create another trust surface you often do not need.

5. If the request is urgent, slow down more

The FTC highlights urgency as a common manipulation tactic in QR scams.

Messages like these should raise suspicion:

  • act now
  • payment overdue
  • suspicious activity detected
  • package held
  • scan immediately to restore access
  • verify now to avoid account lock

Urgency is not proof of fraud. But it is a strong reason to verify through another channel.

Safer defaults for businesses that publish QR codes

This is where many articles are too thin. They focus only on the person scanning. But businesses and developers also control risk through how they publish QR codes.

If you generate QR codes for menus, posters, invoices, kiosks, packaging, onboarding, or support flows, these defaults matter.

1. Use HTTPS destinations on domains people already trust

Do not send users to:

  • obscure subdomains
  • unrelated domains
  • aggressive shortener links
  • chains of redirects you do not govern

The safer the destination looks, the easier it is for users to verify it.

2. Print the fallback URL in human-readable text

This is one of the best defaults and one of the most underused.

Put the plain destination near the code. For example:

  • example.com/pay
  • example.com/menu
  • example.com/activate

That does three things:

  • gives users a non-scan fallback
  • makes domain verification easier
  • makes sticker replacement or tampering more obvious

3. Avoid asking users to log in immediately after scanning unless absolutely necessary

This is a trust problem.

If users are trained to expect login screens after scanning codes, attackers benefit. Where possible:

  • use QR codes for navigation, not authentication
  • add a visible explanation of what the code does
  • keep sensitive actions behind known destinations the user can also reach manually

4. Avoid URL shorteners unless you truly need them

Shorteners reduce user trust because they hide destination identity. That is the exact problem QR codes already create. Combining both is usually unnecessary.

5. Protect physical signs against tampering

If you operate public QR signage:

  • inspect signs regularly
  • watch for stickers placed over codes
  • use tamper-evident materials when practical
  • place codes where unauthorized replacement is more noticeable
  • rotate field inspections into normal operations, especially for payment flows

This matters most for:

  • parking
  • vending
  • kiosks
  • check-in desks
  • public posters
  • self-service payments

6. Own the destination operationally

A QR code is not “done” once printed. Someone should own:

  • the destination URL
  • redirects
  • TLS status
  • landing-page content
  • expiration behavior
  • analytics governance
  • abuse monitoring

This is especially important when agencies, vendors, or marketing teams create QR campaigns that outlive the original project owner.
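The ownership list above (destination, redirects, TLS, expiry) is easiest to enforce as a periodic audit over an inventory of every live code. The following is an added example written for this article, not Elysiate's own tooling. The inventory records, the governed-domain list and the redirect table are constructed samples; the redirect table stands in for a real resolver that would follow HTTP redirects, so the audit runs offline and can be pointed at a live resolver later. It also produces the human-readable fallback text that the publisher defaults above say should be printed beside the code.

```python
"""Audit an inventory of published QR destinations (publisher side).

Added example, not from the article. Records, domains and the redirect
table are constructed samples so the audit runs offline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed sample: domains this organization controls and governs.
GOVERNED_DOMAINS = {"example.com"}
# Illustrative subset of public shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed redirect table standing in for a real HEAD-request resolver:
# source URL -> next hop. A URL absent from the table is a final page.
REDIRECTS = {
    "https://go.example.com/menu": "https://example.com/menu",
    "https://go.example.com/pay": "https://bit.ly/abc",
    "https://bit.ly/abc": "https://pay.example.com/checkout",
    "https://go.example.com/vendor": "https://agency-campaign.example.net/landing",
}


@dataclass
class QrAsset:
    asset_id: str
    destination: str
    owner: Optional[str]
    expires: Optional[date]
    placement: str  # e.g. "parking sign", "invoice", "email"


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def governed(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in GOVERNED_DOMAINS)


def follow_chain(url: str, resolver: Callable[[str], Optional[str]] = REDIRECTS.get,
                 max_hops: int = 10) -> list:
    """Return the list of URLs visited from `url` to the final page (loop-safe)."""
    chain, seen = [url], {url}
    while len(chain) < max_hops:
        nxt = resolver(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def audit_asset(asset: QrAsset, today: date,
                resolver: Callable[[str], Optional[str]] = REDIRECTS.get) -> list:
    """List operational findings for one live code; an empty list means it passes."""
    findings = []
    if not asset.owner:
        findings.append("no owner")
    if asset.expires is None:
        findings.append("no expiry set")
    elif asset.expires < today:
        findings.append("expired but still live")
    if urlsplit(asset.destination).scheme != "https":
        findings.append("destination not HTTPS")
    chain = follow_chain(asset.destination, resolver)
    for hop in chain:
        h = host_of(hop)
        if h in SHORTENER_HOSTS:
            findings.append(f"shortener in chain: {h}")
        elif not governed(h):
            findings.append(f"ungoverned hop: {h}")
    if len(chain) > 2:
        findings.append(f"redirect chain has {len(chain) - 1} hops")
    return findings


def audit_inventory(assets: list, today: date) -> dict:
    """Map asset_id -> findings, only for assets that have at least one."""
    report = {}
    for a in assets:
        f = audit_asset(a, today)
        if f:
            report[a.asset_id] = f
    return report


def fallback_text(url: str) -> str:
    """Human-readable URL to print beside the code: scheme dropped, trailing slash trimmed."""
    p = urlsplit(url)
    return (p.hostname or "") + p.path.rstrip("/")


if __name__ == "__main__":
    inventory = [  # constructed sample records
        QrAsset("menu-1", "https://go.example.com/menu", "ops@example.com", date(2027, 1, 1), "menu"),
        QrAsset("pay-1", "https://go.example.com/pay", None, date(2025, 12, 31), "parking sign"),
        QrAsset("vendor-1", "https://go.example.com/vendor", "agency", None, "poster"),
    ]
    for asset_id, findings in audit_inventory(inventory, date(2026, 4, 9)).items():
        print(asset_id, findings)
```

Running the audit on a schedule, and failing it when any asset has findings, is what turns "someone should own the destination" into something that is actually checked after the original campaign owner has moved on.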

Should businesses send QR codes in emails?

Sometimes. But they should do it reluctantly and carefully.

Because quishing is now a well-known attack pattern, email QR codes carry more suspicion than they used to. That means businesses should assume users are right to distrust them.

Safer email pattern

If you must include a QR code in email:

  • also include the plain destination URL
  • explain why the QR code is needed at all
  • avoid credential collection immediately after scan
  • avoid pressure language
  • use domains recipients already know
  • give a manual fallback path through the official website or app

For many cases, a normal link is better than a QR code.

QR codes combined with URL shorteners

This is an underrated risk pattern.

A QR code already obscures the destination from the human eye. A shortener obscures it again. That means the user gets almost no meaningful trust signal until they are already in motion.

To be explicit:

QR code + shortener is usually a bad trust combination.

There are exceptions, such as controlled internal campaigns with clear branding. But as a public default, branded readable destinations are better.

Can a QR code install malware?

A QR code itself is just encoded data. But the destination can lead to:

  • a malicious site
  • an app download
  • a configuration prompt
  • a spoofed page that tricks the user into installing something
  • permission requests that expose device data or accounts

The FTC warns that a malicious QR destination could lead to malware exposure, and the FBI warns users to take precautions before authorizing phone permissions or access to sites and applications after scanning.

So the practical answer is:

  • the square image is not the malware
  • the scan can still lead you into a malware or compromise path

Are restaurant and menu QR codes safe?

Usually, but not automatically.

The NCSC notes that QR codes in places like pubs and restaurants are probably safe in most cases, while open public spaces such as stations and car parks are higher-risk environments.

That distinction is useful.

A restaurant menu QR code is lower risk when:

  • it points to the restaurant’s known domain
  • the signage looks consistent
  • there is no payment or login pressure
  • there is a printed fallback URL

It becomes riskier when:

  • it asks for payment immediately
  • it prompts for credentials
  • the code appears to be a sticker placed over something else
  • the destination domain does not match the venue

A practical decision framework

Use this when deciding whether to trust or publish a QR code.

If you are the person scanning

Ask these questions:

  1. Was I expecting this QR code?
  2. What action is it asking me to take after scanning?
  3. Can I verify the destination independently?
  4. Does it involve credentials, money, or app installation?
  5. Would the company have another official route for this action?

If the stakes are high and the answer is unclear, stop and verify another way.

If you are the business publishing the code

Ask these questions:

  1. Will users recognize the destination domain immediately?
  2. Is there a readable fallback URL next to the code?
  3. Could a user complete this action without scanning?
  4. Have we made physical tampering obvious or harder?
  5. Who owns the destination after the code is printed?

These questions prevent a lot of avoidable trust problems.

Common anti-patterns

Using QR codes to force mobile login for routine account actions

This trains users to accept a phishing pattern.

Printing codes without a visible domain

Users need a trust cue they can inspect without scanning.

Using aggressive redirect chains and shorteners

This makes verification harder and incident response messier.

Treating public QR signage as static forever

Physical QR deployments need inspection and ownership.

Asking users to act urgently after scanning

Urgency is exactly what scammers use. Legitimate flows should reduce pressure, not imitate it.

What to do if you scanned a suspicious QR code

If you scanned but did not submit anything:

  • close the page
  • do not download anything
  • do not grant permissions
  • verify the official site independently
  • consider reporting the code if it was in a public or workplace context

If you entered credentials or payment details:

  • change the password immediately on the real site
  • revoke or review active sessions if available
  • enable or re-check MFA on the legitimate account
  • monitor payment activity
  • contact the affected organization through a known real support path
  • report the scam through the relevant security or fraud channel

If it involved a work account, escalate it to security quickly. Fast reporting matters more than embarrassment.


Final takeaway

QR code security is not about panicking over every black-and-white square.

It is about recognizing that QR codes hide intent until scan time. That makes them useful for convenience and useful for deception.

The safest defaults are not complicated:

  • distrust unexpected QR codes in email and text
  • preview the destination before opening it
  • verify domains independently for money or login actions
  • avoid credential entry after surprise scans
  • use built-in phone scanners
  • publish QR codes with readable fallback URLs and trusted destinations
  • inspect physical signs where tampering is possible

For consumers, that is usually enough to avoid the most common scams. For businesses, it is enough to design QR experiences that do not accidentally train users into phishing behavior.

FAQ

Are QR codes themselves dangerous?

No. A QR code is just encoded data. The real risk is the destination or action behind it, such as a spoofed website, malicious payment flow, or app-install prompt.

What is quishing?

Quishing is QR code phishing. Attackers replace visible links with QR codes so victims scan first, inspect less, and often continue the flow on mobile.

Are QR codes in public places always unsafe?

No. Many are legitimate. But open public spaces such as stations, car parks, and unattended payment points deserve more caution because they are easier places for criminals to tamper with signage or overlay stickers.

Should I trust QR codes in emails?

Only with caution. Unexpected email QR codes are a known phishing pattern. When in doubt, use the company’s official website or app directly instead of scanning.

How can businesses make QR codes safer?

Use HTTPS destinations on recognizable domains, print the fallback URL in readable text, avoid unnecessary shorteners, minimize login prompts after scanning, and protect physical signage against tampering.

What should I do after scanning a suspicious QR code?

If you did not submit anything, close the page and verify independently. If you entered credentials or payment details, change passwords on the real site, review sessions and payments, and report the incident quickly.

About the author

Elysiate publishes practical guides and privacy-first tools for data workflows, developer tooling, SEO, and product engineering.
