The New QR Code Scam Powered by AI — and How to Avoid It

Safety & scams Guide7 min read·Updated July 11, 2026
The short answer

Quishing is QR code phishing — scanning a fake code takes you to a site that steals your login or payment details. AI has made these scams easier to create and much harder to detect. The safest habits are previewing the URL before tapping, never entering payment or login information after scanning a QR code in a public place, and typing addresses manually when you're unsure.

You've probably scanned dozens of QR codes in the past year — to look at a restaurant menu, pay for parking, or check in somewhere. That little square is now one of scammers' favorite tools, and AI has made it dramatically easier for them to create convincing fake ones. The trick is called quishing, and it's spreading fast enough that the FBI and FTC have both issued warnings about it.

What Is Quishing?

The word combines "QR" and "phishing" — the broader category of scams that impersonate a trusted organization to steal your login or payment details.

Here's how it works: a scammer creates a QR code that, when scanned, takes you to a fake website that looks exactly like your bank, your city's parking payment portal, or a shipping company's tracking page. The page asks you to log in, confirm a payment, or verify your identity. If you do, your credentials or card number go straight to the scammer.

The reason QR codes are particularly effective for scammers is that email and text security filters are built to scan for suspicious text links — they're not built to read images. A fake QR code embedded in a PDF or an image attachment passes right through most filters undetected.

Where Fake QR Codes Show Up

Fake codes are turning up in some very ordinary places:

Parking meters. A sticker with a fake QR code gets placed over the legitimate payment code. You scan it, enter your credit card on a convincing fake "parking payment" page, and the meter never registers your payment.

Restaurant menus. Most QR menus are safe, but scammers have been caught placing stickers over the original codes. The fake version redirects to a page that might ask for your credit card "to reserve your spot" or offer a discount sign-up.

Package delivery texts. You get a text saying your delivery is delayed and asking you to scan a code or follow a link to reschedule. The URL leads to a fake page asking for your address and payment details.

Flyers and posters. Fake codes have appeared on community flyers — a "free gift card" or "exclusive offer" — placed in laundromats, libraries, and apartment building lobbies.

Emails and PDF attachments. A message from a supposed bank, utility, or delivery company contains a QR code asking you to "verify your account." This is the most common digital version, and the one most likely to slip past email security software.

Why AI Made This Much Worse

Before AI writing tools became widely available, a scam email was often easy to spot: clunky writing, grammatical errors, an odd request that didn't quite sound like how a real bank would communicate. That's no longer a reliable tell.

According to a July 2026 report, AI-powered phishing attacks jumped 14 times in a single month, and AI-generated phishing now makes up roughly 40% of all phishing attacks. Scammers are using AI to write perfectly professional emails, generate realistic-looking fake login pages, and create QR codes at scale — hundreds of slightly different versions targeting different people or regions.

The combination is especially effective: the email reads like it came from a real company, the QR code bypasses text-based filters, and the fake website looks identical to the real one. The only moment you have to catch it is when you check the URL the code actually points to.

How to Check a QR Code Before You Tap

You don't have to give up using QR codes entirely. You just need one quick habit: read the URL preview before you tap.

On iPhone: When you point your camera at a QR code, a small notification appears at the top of the screen showing the destination URL. Don't tap that notification immediately — read the address first.

On Android: Most Android camera apps show a small URL bar below the QR code frame. Read it before tapping.

What to look for in the URL:

  • Does the domain match the organization you'd expect? A city parking app might be "cityname.gov" or "parkXYZ.com" — it shouldn't be "parking-secure-pay.net" with a random domain you don't recognize.
  • Is there a long string of random characters in the URL? Legitimate QR codes for a menu or payment page usually have clean, short addresses.
  • Does the domain use subtle misspellings — "rnybank.com" instead of "mybank.com"? That extra letter is easy to miss at a glance.

Safe Habits Going Forward

Type addresses manually when you're uncertain. If a QR code in an email asks you to "verify your account" with your bank, don't scan it — open your bank's app or type the address you know into your browser. The FTC specifically recommends this as its primary guidance for QR code safety.

Never enter payment or login details after scanning a public code. If a parking meter, poster, or any public QR code asks for your credit card or password, stop. Legitimate parking apps and public payment systems let you pay through an established app you already have, or accept your card directly at the meter. They don't need you to enter your full card number on a website you reached via a QR sticker.

Check for stickers. Before scanning a QR code on a physical surface — a meter, a table card, a poster — look at whether the code is printed directly or has a sticker edge on top. A sticker placed over a legitimate code is the most common physical form of this scam.

Be extra skeptical of QR codes in emails. Real banks, utilities, and delivery companies rarely need you to scan a QR code. They have apps and websites you can reach directly. An unexpected email containing a QR code is a red flag even if the branding looks right.

What to Watch Out For

These habits will catch most quishing attempts, but no single check is foolproof. Scammers keep refining their technique, and the fake pages they build are sometimes visually indistinguishable from the real ones. If you've entered information after scanning a code and then felt uncertain, act quickly: change your password, call your bank, and report the incident at reportfraud.ftc.gov. The sooner you act, the better your chances of limiting any damage.

One thing this guide doesn't cover: AI-powered follow-up phone calls that sometimes accompany QR scams. A scammer may call shortly after you've scanned a code, claiming to "verify your payment" and asking for card details you didn't enter on the fake site. If you get an unexpected call right after scanning a QR code, hang up and call the organization directly using a number you look up yourself.

What to Try Next

Quishing is part of a broader wave of AI-powered scams hitting inboxes right now — How to Spot AI Phishing Emails covers the signs that a message wasn't written by a human. And if you're getting suspicious calls alongside suspicious messages, The Best AI Scam Call Blockers walks through the tools that can help filter them out.

Published July 11, 2026 · Updated July 11, 2026How we test →

Frequently asked questions

What is quishing?
Quishing is short for QR code phishing. Scammers place a fake QR code — on a sticker, in an email, or in a text message — that redirects you to a convincing fake website designed to steal your password, credit card number, or other personal information. The name combines 'QR' and 'phishing,' which is the broader category of tricks that impersonate trusted organizations to steal credentials.
Why do scammers use QR codes instead of regular links?
A regular phishing link shows the actual URL as text, which email security filters and cautious readers can often spot. A QR code is an image — your email security software scans text, not pictures, so a fake QR code embedded in a PDF or image attachment sails straight through most filters undetected. You also can't glance at a QR code and tell where it leads the way you can hover over a hyperlink on a desktop computer.
How do I preview where a QR code goes before I tap it?
On most smartphones, pointing your camera at a QR code shows a small URL preview banner before you tap anything — look for that preview and read it carefully. On iPhone, this appears as a notification at the top of the screen; on Android it shows just below the QR code frame. If the domain in the preview doesn't match the organization you expect (for example, 'parking-pay.net' when you expected your city's official parking app), don't tap.
Are QR codes on restaurant menus safe?
Most restaurant QR menus are completely legitimate — they lead to a PDF or a simple website the restaurant set up. The risk is a sticker placed over the original code, which is easy to spot: look for a sticker edge or slightly different paper layered on top of the printed code. If something looks like it's been added on, tell the staff and don't scan it.
What should I do if I already scanned a suspicious QR code?
If you tapped the link but did not enter any information, close the browser and you are almost certainly fine. If you entered a username and password, change that password immediately on every account where you use the same one, and enable two-factor authentication if you haven't already. If you entered a credit card number, call your bank right away to report it as potentially compromised. Report the suspicious code to the FTC at reportfraud.ftc.gov.
Can I trust QR codes in emails from companies I know?
Be cautious. Scammers specifically copy the branding of well-known companies — banks, delivery services, utilities — because a familiar logo lowers your guard. The FTC advises against scanning QR codes from unexpected emails, even if they look official. Instead, go directly to the company's website by typing the address yourself, or call the number on the back of your card.
Radim S.
Founder & editor

Radim is a software developer who spends his days building with AI and his evenings explaining it to family members who don’t care how it works — only what it can do for them. Every guide is tested by hand before it’s published.