Quishing, defined

Quishing (a blend of QR and phishing) is a scam where attackers hide a malicious link inside a QR code. When you scan the code, your phone opens a fake website built to steal your passwords, payment details, or personal information. It's the same goal as email phishing — trick you into handing over data — but the link is disguised as a harmless square of pixels.

The reason it works is simple: you can't read a QR code with your eyes. A bad link in an email is something you can hover over and inspect. A bad link inside a QR code is invisible until you've already scanned it, and by then the page may already be loading.

Why quishing is exploding

QR code phishing has gone from a niche trick to one of the fastest-growing scam categories. Reports of quishing have climbed roughly 587% since 2023, and the trend keeps accelerating:

Two things drive the surge. First, QR codes slip past the email security filters that are built to catch malicious URLs — a code is just an image. Second, people scan first and think later, so the usual "don't click that link" instinct never gets a chance to fire.

What quishing scams look like

Almost every quishing message uses urgency to make you act before you think. The most common ones right now:

  • Failed delivery notices. A text or email saying a package couldn't be delivered. Scan to reschedule — and land on a fake UPS, FedEx, or USPS page asking for a small fee and your card number.
  • Toll and parking violations. A message claiming you owe an unpaid toll or have a citation, with fees growing by the day. BleepingComputer documented confirmed parking-ticket cases.
  • Bank and account alerts. "Suspicious activity detected — scan to verify." The code goes to a near-perfect clone of your bank's login page.
  • Government and IRS impersonation. Messages claiming you owe taxes or must verify your identity with a government agency.
  • Sticker overlays. A physical QR code printed over a real one on a parking meter, restaurant table, or poster, quietly redirecting payments to the scammer.

How to spot a quishing attempt

You don't need to be a security expert. Watch for these signals:

  • A QR code arrives unexpectedly by text, email, or DM.
  • The message pushes urgency — a fine growing, an account locked, a package held.
  • Scanning it asks you to log in or enter payment details.
  • The destination is a look-alike domain (misspellings, extra words, or odd subdomains like irs-gov-payment.com).
  • A printed QR code looks like a sticker placed over another code.
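
The look-alike-domain signal above can be checked mechanically once a QR code has been decoded to a URL. The Python below is an added example, not ScanLikely's code or anything from the original page; the brand allowlist, the function names, and every sample URL except irs-gov-payment.com are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed allowlist for this example: brand keyword -> official registrable domain.
OFFICIAL = {"irs": "irs.gov", "usps": "usps.com", "ups": "ups.com", "fedex": "fedex.com"}


def registrable(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def lookalike_findings(url):
    """Return reasons a URL decoded from a QR code looks like brand impersonation."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if "@" in parts.netloc:  # text before '@' is userinfo, not the real host
        findings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    reg = registrable(host)
    if reg in OFFICIAL.values():
        return findings  # host really is on an official domain
    tokens = set(host.replace("-", ".").split("."))  # words in every label
    sld = reg.split(".")[0]
    for brand, official in OFFICIAL.items():
        if brand in tokens:  # extra words or odd subdomains around a brand name
            findings.append(f"brand-keyword:{brand} outside {official}")
        elif sld != brand and SequenceMatcher(None, sld, brand).ratio() >= 0.8:
            findings.append(f"misspelling-of:{brand}")
    return findings


# Constructed sample URLs (irs-gov-payment.com is the page's own example).
SAMPLES = [
    "https://www.irs.gov/payments",
    "https://irs-gov-payment.com/pay",
    "http://usps.com.track-parcel.example/redeliver",
    "https://fedexx.example/track",
    "https://irs.gov@pay.example/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", lookalike_findings(u) or "no look-alike signal")
```

This check looks only at the URL encoded in the QR code, so a clean first hop that later redirects to a phishing page will pass it.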

How to protect yourself from quishing

  1. Treat unexpected QR codes like unexpected links. If you didn't ask for it, don't scan it on reflex.
  2. Check the destination before it opens. Use a scanner like ScanLikely that reveals and analyzes the real URL before the page loads, instead of scanning and hoping.
  3. Go direct. If a message claims to be from your bank, a delivery service, or a government agency, open their official site or app yourself rather than using the code.
  4. Verify tickets and tolls independently. Look up the citation number on your city or state's official site. Real ones are in the system; fakes come up empty.
  5. Turn on multi-factor authentication so a stolen password alone isn't enough to get into your accounts.

What to do if you've already scanned one

If you only opened the page, close it and don't enter anything. If you typed a password, change it right away and enable multi-factor authentication. If you entered card or bank details, contact your bank immediately and report it as fraud. Then report the scam to the FBI at ic3.gov and the FTC at ReportFraud.ftc.gov.

How ScanLikely stops quishing

ScanLikely is built for exactly this. When you scan a QR code, it analyzes the destination URL before the site ever opens — flagging spoofed domains, freshly registered phishing sites, and suspicious redirect chains. Instead of a generic "this might be unsafe" warning, you see where the code actually leads and whether it's safe to continue. The few seconds it takes is the whole defense against quishing.

Frequently asked questions about quishing

Is quishing illegal? Yes. Quishing is a form of fraud and identity theft, which is illegal in the U.S. and most countries. Victims should report it to the FBI (ic3.gov) and the FTC.

Can an iPhone or Android get hacked just by scanning a QR code? Scanning alone usually just opens a link — the danger is what you do next. The harm comes from entering credentials or payment info on the fake page it loads, or from downloading something it prompts you to install.

Is quishing the same as phishing? It's a subtype. Phishing is the broad category of tricking people into revealing data; quishing is phishing delivered through a QR code instead of a clickable link.

For real-world cases and ongoing scam alerts, see the ScanLikely blog, and learn how hidden links work in our guide to safely expanding shortened URLs.
