SCAM LIBRARY · PHISHING & LINKS
The malicious QR code ('quishing')
A scammer sends you a QR code (often by text, email, or posted somewhere public) that looks legitimate but secretly directs you to a fake website designed to steal your login details or payment information.
Documented by the FTC & FBI IC3 · reviewed 2026-07-06
How it works
You receive a message or notice with a QR code that claims to be from a trusted source—like your bank, a utility company, or a delivery service. The message creates a sense of urgency ('Verify your account now' or 'Confirm your package'). When you scan the code with your phone camera, you're taken to a professional-looking fake website that asks for your username, password, credit card, or other sensitive details.
Red flags
- A QR code arrives unexpectedly in a text, email, or flyer, especially with urgent language.
- The website that opens after scanning looks official but the web address (URL) in your browser looks odd or slightly misspelled.
- You're asked to log in or enter financial information right after scanning—legitimate companies rarely do this via QR codes.
- The message pressure feels unusual ('Act now or your account will be closed').
What to do
- Do not scan QR codes from unexpected messages. Instead, go directly to the official website by typing the company's address into your browser yourself.
- If you do scan a suspicious QR code and see a login page, close it immediately and do not enter any information.
- Report the scam attempt to the Federal Trade Commission at reportfraud.ftc.gov.