QR code scams rise as 73% of Americans scan without checking

With QR code phishing attacks (quishing) on the rise and 73% of Americans scanning codes without checking the source, learning how to protect yourself has become essential.

By now, many of us have used QR codes as a way to quickly access menus, check into places, and make payments. But now, these convenient and contactless methods have become an easy target for cybercriminals. There has been a recent surge in “quishing” attacks, which are a form of phishing that uses QR codes instead of traditional methods like emails, text messages, and phone calls.

Quishing is proving effective, too, with millions of people unknowingly opening malicious websites. In fact, 73% of Americans admit to scanning QR codes without checking if the source is legitimate. As experts warn, this growing trend could put people’s personal information and money at risk.

 

 

 

Making a payment by scanning a QR code with a phone

 

The rise of quishing is concerning

NordVPN’s security researchers report that fake QR codes have tricked over 26 million people into visiting malicious websites. These codes hide in plain sight, too. In one case, they were stuck on top of payment portals, sending unsuspecting individuals to sites meant to steal their personal and financial data (e.g., passwords and credit card information). Some even installed malware on people’s phones.

Even government agencies have taken notice. The FTC warned the public earlier this year that cybercriminals are now attaching harmful QR codes to packages and sending them to people. The New York City Department of Transportation issued warnings about fake QR codes appearing on parking meters, of all places. Even Hawaiian Electric chimed in after noticing that scammers are using QR codes to steal payments.

These tactics mirror the ATM skimmer scam, where criminals place keypads designed to log keystrokes over an ATM to steal card information. But with QR codes, this tampering is harder to spot and easier to implement.

Scanning a QR code on a package with a phone

 

QR codes are quickly becoming the biggest security risk

The original purpose of QR codes was to track auto parts, so making them secure wasn’t part of the plan. Their widespread use today has made them irresistible to scammers. Unlike traditional phishing methods, they make it easy for cybercriminals to hide their destination until scanned, removing an important layer of user scrutiny.

Hackers are leveraging this ambiguity to deploy Remote Access Trojans (RATs) and infiltrate personal devices and even military networks. More than 26% of malicious links now come via QR codes, according to KeepNet Labs, a cybersecurity company specializing in AI-driven phishing simulation and human risk management. Soon, quishing will outpace conventional phishing.

Woman using her phone to scan a QR code on a package while sitting in a car

 

How to protect yourself from quishing

If you scan QR codes regularly, you might be panicking. But don’t be, since the same tricks for avoiding phishing scams can also work here.

 

1) Verify the source before scanning

Pause and consider the origin of every QR code before you pull out your phone. Quishing thrives on people scanning codes found on public signage, restaurant tables, packages, or payment terminals without questioning their authenticity. Cybercriminals often cover genuine QR codes with malicious ones that redirect users to fake websites meant to steal personal and financial information. Always ask yourself: Do I trust this location or the person who provided this QR code? If in doubt, don’t scan.

 

2) Use strong antivirus software

Install strong antivirus software across all your devices. Look for a solution that offers real-time protection, regularly updated threat databases, and built-in web protection. These tools can help detect malicious content hidden in QR codes and block dangerous websites that might automatically open after scanning. Since QR codes are increasingly used by cybercriminals to spread malware like Remote Access Trojans (RATs), having strong antivirus software in place is essential. To stay fully protected, make sure the software is set to update automatically and scan regularly.

 

3) Assess the physical QR code

Inspect the QR code’s placement. Sophisticated scammers physically overlay fake QR codes on legitimate signs, especially on payment kiosks, parking meters, and package labels. If the QR code looks tampered with or is a sticker poorly placed over another code, avoid scanning it, as this is a common quishing tactic to redirect you to a malicious site.

 

4) Scrutinize the web link before proceeding

After scanning any QR code, double-check the URL before clicking through. One of quishing’s dangers is that QR codes obscure their destination until scanned. If the web address looks suspicious, misspelled, unusually long, or filled with random characters, close the browser immediately. Never enter sensitive details like passwords or credit card information on a site you weren’t expecting to visit.

 

5) Reduce the personal data scammers can exploit

Quishing attacks are far more convincing when scammers already know something about you. Details like your name, phone number, address, or even where you shop are often pulled from data broker sites and public databases. That information lets criminals create QR code scams that feel legitimate and personalized.

Using a reputable personal data removal service helps shrink that digital footprint. These services work to find and remove your personal information from hundreds of data broker websites where scammers gather intel to craft targeted attacks. While no service can erase everything from the internet, ongoing monitoring and repeated removals make it much harder for criminals to build believable QR code lures around your identity.

The less information about you floating around online, the fewer tools scammers have to make a fake QR code feel real.


6) Enable two-factor authentication (2FA)

Even if attackers capture your credentials via a fake QR code, two-factor authentication creates an extra barrier. Always activate 2FA on your accounts, especially for email, banking, and other sensitive services. It thwarts many of the most damaging results of phishing, including those initiated by QR code scans.

 

7) Access websites directly instead of scanning QR codes

Whenever possible, manually navigate to websites instead of using a QR code, especially for payments, reservations, or account access. Searching for an event, restaurant, or service online reduces the chance of being tricked by a malicious redirect or fraudulent site.

 

8) Update device operating systems and apps

Frequently update your phone’s operating system and apps. Criminals often exploit software vulnerabilities, and manufacturers regularly issue security patches. Up-to-date devices are less susceptible to malware installed via malicious QR codes.

 

9) Report suspicious activity

If you encounter what you believe to be a fraudulent QR code or fall victim to a quishing attempt, report it immediately to the organization involved and your local authorities or consumer protection agency. Your report helps others avoid similar attacks and keeps organizations alert to evolving scam tactics.
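The link checks from step 4 (suspicious, misspelled, unusually long, or random-looking addresses) can be automated for anyone who reviews decoded QR payloads before opening them. This is an added example, not code from the original article; the expected domains, thresholds and warning names are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: domains the user expects to reach (constructed placeholders).
EXPECTED_DOMAINS = {"paybyphone.example", "cityparking.example"}

def _edit_distance(a, b):
    # Levenshtein distance with a rolling row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _entropy(s):
    # Shannon entropy in bits per character; high values suggest random strings.
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def review_qr_payload(payload, expected=EXPECTED_DOMAINS, max_len=100):
    """Return warning strings for a decoded QR payload; empty list means no flags."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["unparseable"]
    warnings = [] if parts.scheme == "https" else ["not-https"]
    if not host:
        return warnings + ["no-host"]
    if "@" in parts.netloc:
        warnings.append("userinfo-in-url")  # text before '@' is not the site
    if len(payload) > max_len:
        warnings.append("unusually-long")
    if re.fullmatch(r"[0-9.]+", host) or ":" in host:
        return warnings + ["ip-literal-host"]
    labels = host.split(".")
    if any(l.startswith("xn--") for l in labels):
        warnings.append("punycode-host")
    if any(len(l) >= 12 and _entropy(l) > 3.5 for l in labels):
        warnings.append("random-looking-host")
    site = ".".join(labels[-2:])  # simplification: no public-suffix list
    if site not in expected:
        near = [d for d in sorted(expected) if _edit_distance(site, d) <= 2]
        warnings.append(f"lookalike-of:{near[0]}" if near else "unexpected-domain")
    return warnings
```

A clean result only means none of these heuristics fired; it does not prove the destination is safe, so the other steps still apply.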

 

By applying these steps, you make it significantly harder for cybercriminals to use QR codes as a gateway to your personal or financial information. In a world where 73% of Americans scan QR codes without checking the source, increased caution is your first and best line of defense against the quishing surge.

 


Kurt’s key takeaways

QR codes are super convenient, but the risks they bring are becoming impossible to ignore. And you can count on scammers getting more creative as time goes on. That doesn’t mean you have to stop using QR codes altogether. It just means staying informed and cautious is a must, because QR codes aren’t going anywhere anytime soon.

Will you avoid QR codes from now on, or will you be extra cautious moving forward? Let us know in the comments.


Copyright 2025 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
