
Urgent warning over QR code scam draining Americans’ bank accounts… here’s how to spot a fake

A dangerous new scam is quietly sweeping across the United States, and all it takes is a quick scan of a QR code to potentially empty your bank account.

Cybersecurity experts are warning of a sharp rise in ‘quishing,’ a form of phishing that uses malicious QR codes to trick users into handing over personal information, credit card details, and banking credentials. 

According to a recent report, more than 26 million Americans have already been duped by the scam, and the number is rising rapidly.

QR codes, or ‘quick response’ codes, are commonly used by businesses to allow customers to access websites, menus, or payment portals simply by scanning the code with a smartphone. 

But criminals are now exploiting this convenience by placing counterfeit QR codes over real ones in high-traffic areas, such as parking meters, public transportation signs, restaurant tables, and even on delivery packages.

Dustin Brewer, senior director of proactive cybersecurity at BlueVoyant, said: ‘The most dangerous part is they are hiding in plain sight. Attackers can just print their own QR code and paste it over a real one, and you’ll never know the difference.’

Once scanned, the fraudulent QR codes often lead to lookalike websites designed to steal login credentials or financial data. Others may install malicious software onto the user’s phone without them realizing it.

Experts said many fake codes are printed on low-quality stickers or appear slightly misaligned when pasted over legitimate ones. If the design seems inconsistent with a brand’s usual look or appears to be hastily added, it could be a red flag.

A QR code is a type of barcode that, when scanned with a smartphone, can open a website, display a message, or make a payment


‘These scams are low-effort but have a very high return,’ Brewer said. ‘Because QR codes are now everywhere, from gas pumps to flyers, people do not question them. That’s exactly what scammers are counting on,’ he warned.

In Miami, city officials uncovered fake QR codes at seven different locations and removed more than 7,000 fraudulent stickers earlier this year. 

The city’s Parking Authority reported that scammers had been placing counterfeit QR codes on parking meters, tricking drivers into entering their credit card information on fake payment websites that closely mimicked official portals.

The scam extends beyond public infrastructure. In one case reported by the Federal Trade Commission (FTC), victims received mysterious packages containing fake ‘gifts’ and a QR code labeled with a message prompting them to scan to find out who sent it. 

Instead, the code redirected users to phishing websites disguised as delivery return forms, which then requested login credentials or credit card information.

Experts have also raised concerns that some of these fake QR codes can install malware onto users’ phones, granting attackers full remote access without the victim’s knowledge. 

These malicious programs can silently collect sensitive data, track activity, or even hijack device functions.

A recent report from cybersecurity firm Malwarebytes found that 70 percent of iPhone users have scanned QR codes to make or complete a purchase, compared to 63 percent of Android users. 

Quishing (QR code phishing) is a scam where criminals exploit these harmless-looking symbols to trick people into visiting fake websites


Cybersecurity specialists also warn that attackers are embedding malicious QR codes into PDF attachments in phishing emails. 

Some of these emails impersonate trusted companies such as Microsoft or Adobe, further increasing the likelihood that unsuspecting recipients will scan the code and fall victim to the scam.

In one ongoing scam reported by Cisco, fraudsters are emailing QR codes disguised as two-factor authentication reset requests to thousands of employees, tricking them into handing over internal access.

To protect yourself, experts suggest never scanning QR codes from unknown sources, especially in emails, texts, or physical mail.

Since most smartphones now display a preview of the website before opening it, cybersecurity experts recommend always checking that the link begins with ‘https://’ and appears to be a legitimate web address. 

If the URL is misspelled, unfamiliar, or suspicious, officials warn: do not click.

Users should also be wary of QR codes found on public surfaces or signage, especially if they appear tampered with, are printed on stickers, or do not match the branding around them. 

According to cybersecurity officials, a genuine QR code from a business will often include the company’s logo, colors, or a short description of what to expect when scanning. 

For example, museums and educational institutions increasingly label QR codes with preview information to help guide visitors.

If scanning a QR code prompts a login reset, a request for two-factor authentication details, or an offer that seems unusually generous, experts say it’s likely a scam. 

One rising tactic involves phishing pages disguised as Microsoft login portals or fake multifactor authentication resets, which can trick users into handing over sensitive credentials.

With global QR code payments expected to surpass $3 trillion in 2025, cybersecurity analysts warn that these scams will only continue to rise unless public awareness catches up. 

Officials are urging Americans to stay vigilant and double-check any QR code, even those that appear official, before scanning.

‘QR codes weren’t built with security in mind,’ said Rob Lee, chief researcher at the SANS Institute. ‘They were built to make life easier, which also makes them perfect for scammers.’
