SCAM LIBRARY · PHISHING & LINKS

The malicious QR code ('quishing')

A scammer sends you a QR code (often by text, email, or posted somewhere public) that looks legitimate but secretly directs you to a fake website designed to steal your login details or payment information.

Documented by the FTC & FBI IC3 · reviewed 2026-07-06

How it works

You receive a message or notice with a QR code that claims to be from a trusted source—like your bank, a utility company, or a delivery service. The message creates a sense of urgency ('Verify your account now' or 'Confirm your package'). When you scan the code with your phone camera, you're taken to a professional-looking fake website that asks for your username, password, credit card, or other sensitive details.

Red flags

  • A QR code arrives unexpectedly in a text, email, or flyer, especially with urgent language.
  • The website that opens after scanning looks official but the web address (URL) in your browser looks odd or slightly misspelled.
  • You're asked to log in or enter financial information right after scanning—legitimate companies rarely do this via QR codes.
  • The message pressure feels unusual ('Act now or your account will be closed').

What to do

  • Do not scan QR codes from unexpected messages. Instead, go directly to the official website by typing the company's address into your browser yourself.
  • If you do scan a suspicious QR code and see a login page, close it immediately and do not enter any information.
  • Report the scam attempt to the Federal Trade Commission at reportfraud.ftc.gov.
Spotted this or lost money? Report it at reportfraud.ftc.gov. This is general educational information, not legal or financial advice — and ScamVet never asks for your identity or account details.