Field guide

QR code scams to watch for in 2026

A QR code is just an encoded string. The danger isn't the format, it's what the string tells your phone to do, and that you usually scan without reading. Here are the ten attacks happening right now, what each one looks like in the wild, and how to spot it before you tap.


1. Sticker swap on parking meters, menus, and EV chargers

What it looks like: A small adhesive sticker placed neatly over the legitimate QR on a parking meter, restaurant menu, EV charging station, or self-checkout terminal. The sticker QR looks identical to the genuine one. Scan it and you land on a payment page that looks like the city's or the restaurant's. Pay, and the money goes to the attacker. Several large US cities (San Antonio, Austin, Houston) were hit by this in 2023-2024; EV-charger stickers exploded in 2024-2025.

How to spot it: Look at the QR. Is it printed directly on the surface (engraved, painted, embedded under laminate)? Or is it a sticker? Run a fingernail along an edge — if it lifts, it's a sticker. Genuine parking-meter and EV-charger QRs are almost always permanent. For menus, ask the server which payment page is real; legitimate operators are happy to confirm. And drop the QR into our scanner before you tap pay — the decoded destination is the giveaway.

Read more: EMVCo merchant payment QRs →

2. Evil-twin Wi-Fi at airports, hotels, and conference centres

What it looks like: A printed card or sticker advertising free Wi-Fi: "Airport_Free_WiFi", "Starbucks_Guest_2", "ConferenceGuest". Scan the QR, your phone joins the network, you have internet. But the network is an attacker's phone hotspot running in the same room. They proxy your traffic to the real internet so nothing feels broken, but they see DNS queries, SNI hostnames, any HTTP-fallback traffic, and they can serve fake captive portals asking for credentials.

How to spot it: Verify the SSID matches what the venue posts officially. Airports list their guest Wi-Fi name on the official airport website; hotels list it at the front desk. Lookalike names (extra characters, swapped letters, "Free" appended) are the attack signature. Our scanner flags lookalike SSIDs against a list of high-mimicry brand names. When in doubt, just use mobile data.

Read more: Wi-Fi credential QRs →
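The lookalike-SSID check described above, as an added example (not the scanner's own code): it parses the WIFI: payload format, normalises the SSID so confusable characters and appended words like "Free" or "Guest" do not hide the imitation, and returns the warnings a phone should show before joining. The brand list and the venue's official SSID set are constructed for the example.

```python
import re

# Constructed list of venue/brand names that scam Wi-Fi cards most often imitate
# (assumption: a real scanner keeps a far longer, maintained list).
HIGH_MIMICRY_BRANDS = ("starbucks", "airport", "conference", "hilton", "marriott")
# Words attackers append to make a lookalike feel legitimate ("Starbucks_Guest_2").
GENERIC_WORDS = ("free", "guest", "public", "wifi", "open")
# Digits and symbols commonly swapped for letters in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a"})

def parse_wifi_qr(payload: str) -> dict:
    """Parse the WIFI:T:<auth>;S:<ssid>;P:<password>;H:<hidden>;; payload format.
    Values may escape ; , : and backslash with a leading backslash."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    fields = {}
    for m in re.finditer(r"([A-Z]+):((?:\\.|[^;\\])*);", payload[5:]):
        fields[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))  # drop escape backslashes
    if "S" not in fields:
        raise ValueError("Wi-Fi QR has no SSID field")
    return fields

def normalize_ssid(ssid: str) -> str:
    """Collapse case, confusable characters, punctuation and filler words
    so that 'Starbucks_Guest_2' and 'Starbucks WiFi' compare equal."""
    letters = re.sub(r"[^a-z]", "", ssid.lower().translate(CONFUSABLES))
    for word in GENERIC_WORDS:
        letters = letters.replace(word, "")
    return letters

def triage_wifi_qr(payload: str, official_ssids: set) -> dict:
    """Return the parsed fields plus the warnings to show before joining."""
    fields = parse_wifi_qr(payload)
    ssid, auth = fields["S"], fields.get("T", "").upper()
    warnings = []
    if ssid not in official_ssids:  # exact match with the venue's posted name is fine
        core = normalize_ssid(ssid)
        if any(normalize_ssid(o) == core for o in official_ssids):
            warnings.append("lookalike of an official SSID: %r" % ssid)
        elif any(brand in core for brand in HIGH_MIMICRY_BRANDS):
            warnings.append("imitates a high-mimicry brand and is not on the venue's list")
    if auth in ("", "NOPASS"):
        warnings.append("open network: traffic is readable by anyone on it")
    if fields.get("H", "").lower() == "true":
        warnings.append("hidden SSID: your phone will probe for it wherever you go")
    return {"ssid": ssid, "auth": auth, "warnings": warnings}
```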

3. Passkey-QR phishing

What it looks like: You're signing into a site on a desktop. The site shows a QR to pair your phone's passkey. An attacker who tricked you into visiting the wrong site shows you their QR, pairing your passkey to THEIR active login on the real site. They're now signed into your account. The CTAP 2.2 hybrid transport (the standard behind passkey QRs) is cryptographically sound; the attack is purely on the human side, getting you to scan a QR from a screen that isn't really the site you think it is.

How to spot it: Before scanning a passkey QR, confirm the page's URL in your browser address bar. Phishing sites often use a typosquat (extra hyphen, swapped letters, .co instead of .com). The passkey QR itself is fine; the question is whether the page showing it is real. Also: passkey QRs are short-lived (under a minute typically) — a QR sitting on a static help-desk page for hours is suspicious.

Read more: FIDO2 passkey QRs →

4. Authenticator export theft

What it looks like: Someone borrows your unlocked phone for "a quick photo." They open Google Authenticator, tap Transfer Accounts → Export, generate a QR, and photograph it with their phone. Then they hand yours back. That QR contains every authenticator seed (Google, AWS, GitHub, your bank, your crypto exchange) base64-encoded in a protobuf. They can now generate your 6-digit codes for every account, forever, until you reset each one.

How to spot it: The defense isn't spotting the QR, it's never letting it be generated. Don't hand over an unlocked phone. If you need to share something, do it yourself. Also: most authenticator apps now require biometric unlock on the export flow, but Google's didn't until late 2023 and old phones may still skip it. If you suspect this happened, treat it as a full breach — reset 2FA on every account you have in the authenticator.

Read more: otpauth-migration QRs →

5. Boarding-pass photo posting

What it looks like: A traveller posts a photo of their boarding pass on Instagram or LinkedIn — "off to Tokyo!" The PDF417 barcode (or QR) on the pass encodes the airline booking reference (PNR) and ticket number in plaintext. An attacker who screenshots the photo decodes the barcode, looks up the booking on the airline's site (PNR + last name is usually enough), and can cancel the trip, change the seat, view the full itinerary, or trigger refund flows.

How to spot it: Don't post photos of boarding passes. If you must, blur or crop out the barcode AND the booking reference (usually printed somewhere as a 6-character alphanumeric code). The QR/barcode is a perfect attack target because it's machine-readable from any phone screenshot.

Read more: IATA BCBP boarding pass QRs →

6. Driver-license barcode harvesting

What it looks like: A bar, club, vape shop, dispensary, or age-restricted retailer scans the PDF417 barcode on the back of your driver's license to "check your age." That barcode encodes EVERY attribute on the license in plaintext — name, address, DOB, license number, height, weight, eye colour. Some operators retain that data, sell it to marketing aggregators, or have it stolen in breaches. A real bouncer needs to know one thing: whether you are of legal age. They don't need your address.

How to spot it: Ask what's being scanned and why. Some venues only need to confirm age; others (large clubs in some jurisdictions) are legally required to retain data. Push back if the venue is small and informal. If you have a mobile driver license, use it — mDLs support selective disclosure (the bar can ask just "over 21? yes/no" without seeing your DOB).

Read more: AAMVA driver license PDF417 →

7. Crypto drainer QRs at NFT events and physical art

What it looks like: A QR at an NFT meetup, gallery opening, conference booth, or printed inside physical art purports to mint you a free NFT or claim an airdrop. Scan it, the QR opens a WalletConnect session or a deep-link to your wallet app, and you're asked to sign a transaction. The transaction approves a malicious contract to drain every token in your wallet. Drainer kits are commodity software; the QR is just the delivery mechanism.

How to spot it: Read the transaction prompt in your wallet before signing. If it asks for token approvals (especially setApprovalForAll or unlimited approve spend) for a contract you don't recognize, refuse. Free-NFT-claim QRs at random booths are not worth the risk. Use a separate "hot" wallet with minimal balance for any in-person interactions; keep your real assets in a wallet you never connect to QR sessions.

8. Sticker over a charity / donation QR

What it looks like: A flyer for a real charity is posted in a public space. An attacker covers the donation QR with their own sticker pointing to a wallet they control, or a fake donation page. Donations go to the attacker. This is most common around natural disasters and major news events — the legitimate charity is publicising hard, the attacker piggybacks.

How to spot it: Same as #1 — is the QR a sticker over the printed version, or part of the original print? Also, donate by typing the charity URL into your browser yourself, or use the charity's official app. QR codes are convenient but they aren't a chain of trust.

9. Counterfeit product-passport QR

What it looks like: A QR on a textile, battery, electronic device, or piece of furniture claims to be the product's EU Digital Product Passport (ESPR requirement, phasing in 2027-2030). Scan it and a slick web page shows you the product's provenance, recycled content, sustainability claims. None of it is real — the manufacturer of the counterfeit just paid for a generic DPP-styled landing page. As DPP rolls out, expect this to scale: regulators are still building the EU registry that anchors authenticity.

How to spot it: Check whether the issuer field in the DPP resolves to a registered EU economic operator. The EU Commission has not yet published the consolidated registry as of mid-2026; until then, treat DPP claims as advisory rather than verified. Our scanner extracts the issuer field and the DPP server URL so you can do that lookup.

Read more: EU Digital Product Passport →

10. Hostile mDL verifier asking for too much

What it looks like: You present your mobile driver license (mDL) at a bar or retail counter. Their verifier app asks for full name, full DOB, license number, address, AND photo when the transaction only needs age verification. You approve out of habit. Now a small business has your full identity on file, retained for who-knows-how-long, sold to who-knows-whom. The standard requires the wallet to show you the request list — but it doesn't stop you from approving blanket disclosures.

How to spot it: Read the request prompt. If the verifier wants more than the transaction needs (a bar asking for your address, a retail clerk asking for your license number), decline and ask for the minimal version (age_over_21 only). If they refuse, you have a policy decision: hand over more than necessary, or walk away. The standard is on your side; the verifier-side ecosystem isn't yet regulated.

Read more: Mobile driver license (ISO 18013-5) →

What to do if you already scanned something bad

Check before you scan

Drop any QR (image, paste, or camera) into our scanner. You'll see the decoded payload, the redirect chain if it's a URL, who can change the destination going forward, and reputation flags. The decision is yours; the information is on the screen before you act.

Open scanner →