Last updated: March 2026 · By the susQR security team · Sources cited below
Quishing (QR code phishing) is no longer theoretical — it's happening daily across the United States and worldwide. Below are real documented attack patterns, each showing how attackers exploit the trust people place in QR codes.
1. Parking meter QR code scam
How it works: Attackers place fake QR code stickers on parking meters and pay stations. Drivers scan the code expecting to pay for parking, but are redirected to a phishing site that mimics the city's payment portal. The site collects credit card numbers and personal information.
Where it's happened: Austin TX, San Antonio TX, Houston TX, Chicago IL, and multiple cities across the UK. In Austin alone, over 100 modified parking meters were reported in a single incident.
Source: FBI Internet Crime Complaint Center (IC3) warning, January 2022; ongoing reports through 2025–2026.
2. Email QR code phishing (corporate targeting)
How it works: Attackers send emails containing QR codes instead of traditional phishing links. The email claims the recipient needs to "verify their identity," "update multi-factor authentication," or "review a document." The QR code bypasses email link scanners because the malicious URL is embedded in an image, not in the email body.
Why it's effective: Corporate email security systems scan text-based URLs but often can't analyze URLs embedded in QR code images. This technique saw a 587% increase between 2023 and 2024 (source: Check Point Research).
3. Restaurant table tent scam
How it works: Post-pandemic, many restaurants adopted QR code menus. Attackers place fake QR code stickers on restaurant table tents or printed menus, redirecting diners to phishing sites or fake "loyalty signup" pages that harvest personal data and payment information.
Variation: Some attacks redirect to fake Wi-Fi login portals that capture credentials for email and social media accounts.
4. Package delivery QR scam
How it works: A card is left at the victim's door or in their mailbox claiming a package couldn't be delivered. A QR code directs to a fake courier tracking page that asks for personal information and a small "redelivery fee" — stealing the payment details.
Where: Widely reported across the US, UK, and Australia. Often impersonates USPS, FedEx, Royal Mail, or Australia Post.
5. Crypto wallet phishing via QR
How it works: QR codes in social media posts, forums, or printed flyers promise airdrops, free tokens, or wallet recovery tools. Scanning leads to a fake wallet interface that asks users to enter their seed phrase or private key.
Impact: Cryptocurrency theft is irreversible. Once the seed phrase is captured, the entireattacker drains the wallet immediately.
6. EV charging station scam
How it works: Fake QR codes are placed on electric vehicle charging stations, replacing the genuine payment QR code. Drivers scan to pay for charging and are redirected to a fraudulent payment portal. This is a growing variant as EV adoption increases.
Where: Reported in the UK, France, Germany, and emerging in the US at public charging networks.
7. Wi-Fi network hijacking
How it works: QR codes in hotels, airports, or coffee shops claim to offer free Wi-Fi. Scanning the QR code automatically connects the device to an attacker-controlled network, enabling man-in-the-middle attacks that intercept unencrypted traffic including login credentials.
8. Government document / tax scams
How it works: Fake letters that appear to be from the IRS, state tax authorities, or other government agencies include QR codes directing victims to phishing sites that mimic official government portals. These sites request Social Security numbers, tax filing details, or bank account information.
Note: The IRS has specifically warned that it does not send QR codes in correspondence. Any tax-related letter with a QR code should be verified through official IRS channels (irs.gov).
How to protect yourself
- Always scan QR codes through a security checker like susQR before visiting the link
- Check for physical tampering — use the 7-step safety checklist
- Never enter sensitive information (passwords, payment details, SSN) on a page reached via QR code
- Learn the fundamentals — read the full quishing guide
References
- FBI IC3 Public Service Announcement: "Cybercriminals Tampering with QR Codes to Steal Victim Funds" (January 2022)
- Check Point Research: "The Rise of QR Code Phishing" — 587% increase in quishing attacks (2024)
- FTC Consumer Alert: "Scammers hide harmful links in QR codes" (December 2023)
- UK National Cyber Security Centre: QR code fraud advisories (2024–2025)