QR Code Scams: How to Verify Any Code Before You Scan


Table of Contents
A sticker on a parking meter. A "missed delivery" flyer taped to a door. A calendar invite from IT asking you to rescan your MFA. All three can carry the exact same payload: a QR code that leads somewhere you never agreed to go.
That's quishing — QR code phishing — and it's had a breakout year. Microsoft's own telemetry showed a triple-digit jump in QR-code phishing attempts in the first quarter of 2026 alone, and Google's June 2026 fraud advisory flagged a new twist: QR codes now getting paired with adversary-in-the-middle (AITM) attacks that clone a real login flow, MFA prompt included, and walk off with your session cookie while you think you just re-authenticated.
Most guides on this topic stop at "don't scan random codes." That's not useful advice — you can't tell a code is random just by looking at it. What you can do is treat every QR code the way you'd treat an unfamiliar phone number or a suspicious domain in any other OSINT case: verify before you trust. This guide walks through exactly how.
Why QR Code Scams Work So Well
A regular phishing link gives something away before you click it. Hover over it in an email and the real domain shows in the status bar. Even on mobile, a long-pressed link reveals its destination. Years of security awareness training have conditioned people to check that.
A QR code erases that entire habit. The destination is encoded as a pattern of black and white squares — completely unreadable until a camera decodes it, and by then most phones have already offered to open it. There's no hover state. No preview text. No moment of friction. You point, it resolves, and you're on a page before you've had time to think about whether you should be.
That's the entire mechanism behind the QR code scam boom. It isn't a new attack — it's the same credential-harvesting and payment-fraud playbook that's existed for years, just moved to a delivery method that skips the one defense most people actually use.
Where Quishing Is Showing Up in 2026
The image-based delivery also does something clever from the attacker's side: it slips past filters built to scan text. Most corporate email security tools parse the words and links inside a message body. A QR code embedded as an image, or buried inside a PDF attachment, often sails through untouched — which is exactly why researchers have tracked a steady shift toward QR codes hidden in "invoice," "e-signature," and "security update" PDF attachments rather than in the email text itself.
In practice, the campaigns I see cluster into a handful of repeat patterns:
- Parking meters and pay stations — a professionally printed sticker goes over the real code, redirecting to a cloned payment page that captures the card number
- Restaurant and retail QR menus — an overlay sticker swaps the ordering link for a phishing page or a fake "loyalty survey" that harvests personal data
- Package delivery flyers — a door tag claims a missed delivery and asks you to scan to "reschedule," landing you on a page asking for a small redelivery fee and your card
- Corporate email lures — a fake MFA reset, benefits enrollment form, or e-signature request with the QR code standing in for the usual link
- Event badges and giveaways — a booth or conference table QR that promises a prize but actually harvests contact details or app permissions
The common thread isn't the channel. It's urgency plus a plausible reason to scan right now, without thinking.
The OSINT Method: How to Investigate a QR Code Before You Scan
Here's the part most consumer advice skips. You don't need to avoid QR codes entirely — you need a five-minute verification habit, the same instinct an investigator applies to any unverified identifier. Treat the code like a phone number or an email address showing up in a case: it's a lead, not a destination.
Step 1: Let Your Phone Preview It — Don't Let It Open
Both iOS and Android decode a QR code and show you the resolved URL in a preview banner before anything opens. That banner is your first checkpoint, and it's the one step most people scroll past out of habit. Read the full domain, not just the first few characters. A banner reading "parking-city-pay.com" instead of your city's actual parking authority domain is the scam ending before it starts.
Pro Tip: If the preview shows a shortened link (bit.ly, tinyurl, or a similar redirector), stop there. A shortener hides the real destination on purpose, and legitimate parking authorities, restaurants, and delivery services almost never need one.
Step 2: Decode It Without Your Camera App
For anything you're even slightly unsure about — an emailed PDF, a mailer, a sticker that looks slightly off — don't use your phone's camera at all. Screenshot the code and run it through a browser-based decoder that only extracts the encoded text, without navigating anywhere. This is the same principle as inspecting a suspicious file in a sandbox rather than double-clicking it on your own machine: you want the data, not the execution.
Step 3: Expand Any Shortened URL
If the decoded link is shortened, unshorten it before doing anything else with a free expander tool. This shows you the true destination domain without ever loading the page. If the expanded link still looks unfamiliar or mismatched — a payment processor domain when you expected a government or company site — that's the investigation ending in your favor.
Step 4: Run the Domain Through a Reputation and WHOIS Check
This is where quishing analysis overlaps directly with standard OSINT background work. Paste the full URL into a free scanner like urlscan.io or VirusTotal — both will show you the site's technology stack, a live screenshot, and any existing malware or phishing flags, without your device ever touching the actual page.
Then check domain age. A quick WHOIS lookup tells you when the domain was registered. I've said this in nearly every fraud investigation I've run: a domain registered days or weeks before it showed up in front of you is one of the strongest single red flags in any OSINT case, QR-based or not. Legitimate parking authorities and restaurant chains aren't standing up new domains the week before you scan their code.
Step 5: Sandbox It Before You Trust It
A live-scan tool like urlscan.io doesn't just check reputation — it actually renders the page in an isolated environment and gives you a screenshot of what loads, including any login form, payment field, or redirect chain. That lets you see exactly what a victim would see, without entering a single character yourself. If the "rendered" page asks for a password, card number, or MFA code before you've done anything, you have your answer.
Step 6: Check for Physical Tampering
For codes in the physical world — parking meters, menus, posters — the verification starts before you even pull out your phone. Look for a sticker sitting slightly askew, a different print texture or gloss than the surrounding signage, or adhesive residue peeking out from an edge. A code that's been printed directly onto the original signage is far less likely to be a swap than one that's clearly been stuck on afterward.
Watch Out: A padlock icon and "https://" in the address bar do not mean a site is safe. Free SSL certificates are trivial to obtain, and most quishing pages carry valid encryption. Encryption protects the connection, not the intent behind the page.
Red Flags That Should Stop You Before You Scan
A handful of signals show up across nearly every campaign I've reviewed:
- The code appeared somewhere it wouldn't normally be needed (an emailed PDF for a routine notice, a sticker layered over an existing code)
- Scanning triggers urgency language — "act now," "confirm within 24 hours," "avoid a fine"
- The resolved link is shortened or the domain doesn't match the organization it claims to represent
- The page asks for a password, MFA code, or full card details immediately, with no account context
- The request arrived through a channel that organization doesn't normally use for that purpose
Any single flag deserves a second look. Two or more together is enough reason to close the page and verify through the organization's official app or site directly.
What to Do If You Already Scanned and Entered Information
If you've already entered payment details or credentials on a page you now suspect was fraudulent, speed matters more than anything else.
Contact your bank or card issuer immediately to flag the transaction and, if needed, freeze or reissue the card — this is far easier to reverse within the first hours than after a statement closes. If you entered a password anywhere on the page, change it immediately on the real account and turn on multi-factor authentication if it isn't already active, since the whole point of the AITM-style quishing variant is stealing a live session even through MFA. File a report at the FTC's ReportFraud.ftc.gov and, for anything involving financial loss, at the FBI's IC3.gov. Keep a screenshot of the original code and the page it led to — timestamps and visual evidence make any dispute or report far more actionable.
Key Takeaways
Quishing succeeds because it removes the one habit most people actually rely on: previewing a link before opening it. The fix isn't avoiding QR codes — it's rebuilding that same preview habit around them. Read the resolved URL before opening. Expand any shortened link. Run anything uncertain through a reputation scanner and a quick WHOIS check. Sandbox it if you're still unsure. And for physical codes, give the sticker a second look before you give it your camera.
Ten seconds of verification is the entire defense. Most people just haven't been shown where to point that ten seconds yet.
Frequently Asked Questions
What is quishing?
Quishing is QR code phishing — a scam where a malicious link is hidden inside a QR code instead of a normal text link. Because the destination is encoded as an image, it bypasses the usual habit of previewing a link and often slips past email security tools built to scan text rather than images.
How can I check if a QR code is safe without scanning it?
Screenshot the code and run it through a browser-based QR decoder that only extracts the text. Expand any shortened link, then paste the full URL into a free scanner like urlscan.io or VirusTotal to check its reputation and see a live screenshot before you ever visit the page yourself.
Can scanning a QR code actually install malware?
Yes, in some cases. If the resolved link prompts a file download or app install rather than a webpage, scanning can lead to malware installation. Most quishing campaigns aim for credential or payment theft on a fake page, but malicious downloads do appear, particularly in campaigns targeting corporate devices.
Are QR codes on parking meters and restaurant tables safe to use?
Not automatically. Fraudulent sticker overlays on parking meters and restaurant QR codes have been reported across the US, UK, and Australia, redirecting victims to fake payment pages. Check for a sticker sitting slightly askew or a different print texture before scanning, and preview the resolved link either way.
What should I do if I already scanned a malicious QR code and entered my card details?
Contact your bank or card issuer immediately to flag or freeze the card, change any password you entered on the real account, and enable multi-factor authentication if it wasn't already active. File a report at ReportFraud.ftc.gov and, for financial losses, at IC3.gov, and keep a screenshot of the code and page as evidence.

Passionate OSINT investigator and cybersecurity professional with over 3 years of experience. Expertise in web penetration testing, background checks, fraud detection, and uncovering digital fingerprints. Providing verified truth in the digital shadows.
Need a
ProfessionalInvestigation?
If this case sounds familiar, I can help. Get a confidential consultation today.
