Skip to content

QR code scams (quishing)

Written & reviewed by Reuben Schultz, FounderLast updated 2 July 2026

QR code scams — also called 'quishing' — use a QR code instead of a visible link to send you to a fake login or payment page, or to download malware. Because people trust QR codes and can't read where they lead, a scam sticker, email or text can be hard to spot until it's too late.

This guide explains how the scam works, the warning signs to watch for, and what to do if you've been caught out. Got a specific message in front of you? Check it now and get an instant verdict.

How this scam works

Instead of a link you can read, the scammer gives you a QR code — on a sticker placed over a real one (on a parking meter, table or poster), in an email or text, or on a flyer. Scanning it opens a web address you can't see in advance, usually a fake page that mimics a real login or payment screen to capture your card details, banking logins or passwords — or it prompts you to download a malicious app or to 'link a device' so the scammer can get into your accounts. The QR code hides the destination, which is exactly why it works. Example — a scam might be a sticker reading "Scan to pay for parking" placed over the genuine code, sending you to a lookalike payment site.

What the scam looks like

These composed examples show how the scam typically reads, with the tells that give each one away. Compare them against anything you've received.

Example scam QR code lureExample only. Not a real message.

A sticker on a parking meter reads 'Meter card reader out of order. Scan to pay for parking and avoid a fine.' The code opens a payment page at parking-pay-au[.]example styled like the council's, asking for your card number, expiry and security code.

What gives it away:

  • A sticker stuck over or beside the official signage is the classic move; check whether the code is printed on the meter or pasted on
  • The address after scanning is a lookalike, not the council's or operator's official site
  • Pay through the operator's official parking app or a web address you type yourself; a broken meter never requires a scanned code
Example scam QR code lureExample only. Not a real message.

Subject: Your statement is ready. As part of our security upgrade, links are no longer included in emails. Scan the QR code below to view your statement and confirm your account details within 48 hours.

What gives it away:

  • The QR code exists to hide a link that would look wrong if you could read it; filters and eyes both miss what's inside an image
  • 'Confirm your account details' plus a deadline is credential-harvest language
  • Open the account by typing the organisation's official address yourself; a real statement will be there
Example scam QR code lureExample only. Not a real message.

A flyer on a venue table says 'Order and pay at your table: scan here.' The code prompts you to install an ordering app from outside the official app store, then asks you to link your card to activate it.

What gives it away:

  • Apps should only ever come from the official app store, never via a QR code
  • Genuine table ordering opens a normal web page or an official store listing, not a sideloaded install
  • A card-linking request from an app you've never heard of is the harvest itself

Who gets targeted, and when

Anyone who scans QR codes in daily life, which now covers paying for parking, opening menus, joining Wi-Fi and viewing bills. Drivers at pay-by-app parking are a favourite physical target, while office workers are reached through QR codes embedded in phishing emails, placed there because many security filters read links but not images. Once card details go in, the losses land the same on everyone.

QR scams run year-round because the hooks are everyday ones: parking, menus, bills and account alerts. Physical sticker campaigns cluster wherever crowds do, around events, tourist precincts and busy car parks, and email-based QR phishing rises whenever a big brand's billing cycle gives the fake message a believable pretext.

How to spot it

  • A QR code on a sticker that looks stuck over the original, or on an unexpected email, text or flyer
  • Scanning the code opens a login or payment page — check the web address before entering anything; it should be the official site, not a lookalike
  • A prompt to download an app or 'link a device' after scanning, rather than going to a normal web page
  • Pressure to scan and pay quickly, or a QR code where you'd expect to type a known web address yourself
  • A shortened or unfamiliar URL after scanning that doesn't match the organisation it claims to be from

What to do if you have been targeted

  1. Don't scan QR codes from unexpected emails, texts or stickers — and check a physical code hasn't been pasted over the real one
  2. Reach payment and login pages by typing the official web address yourself or using the official app, rather than through a scanned code
  3. Download apps only from the official app store, never via a QR code
  4. If you entered details on a page reached by a QR code, change those passwords, contact your bank if you shared card or banking details, and turn on multi-factor authentication
  5. Report it to Scamwatch or the Australian Cyber Security Hotline

Where to report it

  • ScamwatchReport the scam to the ACCC's national scam service.
  • ReportCyberReport cybercrime and financial loss to the police.
  • ACMAComplain about scam texts and spam SMS, email or calls.
  • Forward to 7226 (SCAM)Forward the scam SMS to short code 7226 so carriers can block the source.
  • IDCAREFree identity and cyber support if your details were taken.

How to protect yourself

  • Check physical QR codes before scanning; a sticker pasted over the original is the biggest giveaway
  • Read the web address after scanning and before typing anything; a lookalike domain means stop
  • Prefer the official app or a typed web address for parking, bills and payments; treat a scanned code as a convenience, not a credential
  • Never install an app via a QR code; go to the official app store yourself
  • Treat QR codes in unexpected emails and texts as suspect; they exist to hide the link

QR code scams (quishing) in 2026

QR code scams have grown steadily as Australians get comfortable scanning first and thinking later. Current activity splits in two: physical stickers on parking meters, posters and letterbox flyers that route small payments to lookalike sites, and emails that embed a QR code where a link would normally sit, precisely because many security filters inspect links but not images. The destinations rotate through fake payment pages, fake sign-ins and prompts to install apps from outside official stores. The constant is that the code hides the address, so the reliable defence is to read the URL after scanning and to reach any payment or login page by a route you chose yourself.

Related brands targeted by this scam

Scammers often impersonate these names in qr code scams (quishing). Here's how to tell a genuine message from a fake:

Check a suspicious message now

Paste the text or email you're unsure about and get an instant verdict — qr code scams (quishing) included, free.

See all free scam checker tools →

Frequently asked questions

What is 'quishing'?

Quishing is phishing that uses a QR code instead of a written link. The code hides the destination, so scanning it can take you to a fake login or payment page, or trigger a malicious download, without you seeing the web address first.

Are QR codes on parking meters or tables safe to scan?

Be careful — scammers stick fake QR codes over genuine ones in public places like car parks. If you can, pay through the official app or by typing the known web address yourself rather than scanning a code, and check that a sticker hasn't been placed over the original.

I scanned a QR code and entered my details — what now?

Change the password for any account you logged into, and contact your bank straight away if you entered card or banking details. Turn on multi-factor authentication, watch for unauthorised activity, and report the scam to Scamwatch.

Can scanning a QR code by itself hack my phone?

Scanning normally just reveals a link or prompt; the damage comes from what happens next, such as entering details on a fake page, installing an app from outside the official store, or approving a 'link a device' request. That means you usually get a moment to check. Use it: read the address the code opened, and back out if it isn't the official site.

How do I report a QR code scam in Australia?

Report it to Scamwatch at scamwatch.gov.au, and to ReportCyber at cyber.gov.au if you lost money or an account was accessed. If the code was a sticker in a public place, tell the venue, council or parking operator so it can be removed before it catches the next person. If it arrived by text, forward the message to 7226 (spells SCAM).

Related scam types

Other scams hitting Australians right now — know the warning signs:

Sources

This guide is general information, not legal or financial advice — if you've lost money, contact your bank and the reporting channels above straight away.