QR code scams: what to check before scanning
QR codes bypass the most basic phishing defense you have — looking before you click. Attackers know this. Here is what they are doing with it.
Your eyes are no longer protecting you
You have spent years training yourself not to click suspicious links. You hover. You check domains. You look for the subtle misspelling. That habit has protected you — until now.
QR codes eliminate the visual inspection step entirely. When you point your camera at a QR code, the destination URL is invisible until after the code has been processed. By the time your camera shows you where it leads, your phone is already loading it. And that half-second of preview most people don't read — that's exactly where attackers hide.
Security researchers have dubbed QR-based phishing "quishing." It has exploded in prevalence since 2022 because it bypasses email link-scanning tools, anti-phishing filters, and human habit. Corporate security teams are struggling to respond to it. For individuals, the risk is even higher.
Where QR scams appear — and why you won't expect them
- Parking meters and public kiosks — a criminal places a printed QR sticker precisely over the legitimate one. You pay your parking fee to their account. This has been documented in cities across the US, UK, and Europe.
- Restaurant and café menus — table QR codes replaced with fraudulent ones, redirecting to fake Wi-Fi login pages that harvest credentials.
- Email and SMS — images of QR codes sent as phishing messages. Image-based delivery bypasses text-based link scanners completely.
- Delivery failure notices — physical mail with "collect your parcel" QR codes sent to homes. The letters look genuine. The QR leads to a credential harvesting page.
- Tax authority fraud — physical letters impersonating the IRS, HMRC, or national revenue authorities. Detailed, official-looking, with a QR code to "verify your details."
- Charity collection fraud — fake donation QR codes at events or on social media.
What to do before you scan anything
- Check physical integrity — is the QR code a sticker placed over something else? Look for lifted edges, misalignment, or a slightly different texture.
- Evaluate the context — a parking meter QR that opens a webpage asking for your credit card details is suspicious. A parking meter QR should only request payment through the city's official system.
- Read the preview URL before tapping — most cameras show a URL before opening. Stop. Read it. Does the domain match the organization it claims to represent? Is there a suspicious subdomain? Does it include random characters?
- HTTPS is not safety — a padlock means the connection is encrypted. It does not mean the site is legitimate. Attackers routinely use HTTPS.
- Don't scan QR codes in unsolicited emails or texts — a QR code in an unexpected message is almost always an attempt to bypass link-scanning tools. Use the organization's app or official website directly instead.
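The preview-URL checks above, written out as an added example (not MountainShield's code): it takes a decoded QR payload plus the organization's real domain, which you look up from an official source rather than from the code itself, and flags the brand-as-subdomain trick, near-miss misspellings, random-looking labels and non-web payloads. All sample payloads are constructed and use reserved .example/.test names.

```python
from urllib.parse import urlparse

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url: str, expected_domain: str) -> list[str]:
    """Apply the pre-tap checks to a decoded QR payload.
    expected_domain comes from an official source, never from the code itself.
    Returns warnings; an empty list means the host belongs to expected_domain.
    HTTPS is deliberately not treated as a sign of safety."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return [f"not a web link (scheme '{parsed.scheme or 'none'}')"]
    host = (parsed.hostname or "").lower()
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return []  # genuine host or a subdomain of it
    warnings = [f"host '{host}' does not belong to '{expected}'"]
    if "@" in parsed.netloc:  # hostname above already excludes userinfo
        warnings.append("'@' in the link: the text before it is not the host")
    # Brand name present only as a subdomain label or in the path.
    if expected in host or expected in (parsed.path + parsed.query).lower():
        warnings.append(f"'{expected}' is used as decoration, not as the host")
    # Near-miss misspelling of the registrable domain (e.g. a digit 1 for i).
    registrable = ".".join(host.split(".")[-2:])
    if 0 < _edit_distance(registrable, expected) <= 2:
        warnings.append(f"'{registrable}' looks like a misspelling of '{expected}'")
    # Long, digit-heavy labels are typical of throwaway phishing hosts.
    for label in host.split(".")[:-2]:
        if len(label) >= 8 and sum(ch.isdigit() for ch in label) >= 3:
            warnings.append(f"subdomain '{label}' looks like random characters")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads (reserved .example/.test names, not real sites).
    for sample in ("https://pay.cityparking.example/meter/412",
                   "https://cityparking.example.pay-meter.test/login",
                   "https://citypark1ng.example/pay",
                   "http://a7f3k9q2.pay-meter.test/", "WIFI:S:Free;T:nopass;;"):
        print(sample, "->", check_qr_url(sample, "cityparking.example") or ["ok"])
```

The registrable domain is approximated as the last two labels, which is enough for these samples but not for multi-part public suffixes.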
If you already scanned it
Do not enter any information on the page that opened. Take a screenshot and note the URL. If the page asked for login credentials or payment details — and you entered them — treat this as a compromise immediately: change the relevant password, contact your bank if financial data was entered, and check your account activity.
Submit the URL to MountainShield for advisory review. We can assess the domain age, hosting patterns, and known threat indicators before you take any further action.
The uncomfortable reality
QR codes were designed for convenience. Attackers redesigned them for deception. In a world where your phone camera is a doorway, you need something standing on the other side that you trust. That is what we are here for.
Not sure?
Submit it for advisory review
If you have something suspicious you want assessed, submit it and we'll provide a recommendation based on available indicators within your plan's SLA.