Scanning that QR code can leave you vulnerable. Here’s how to protect yourself

Fast Company Tech
by Michael Grothaus
February 28, 2026
QR codes have become a convenience of modern life. Just scan the black and white mosaic with your phone’s camera and you can do everything from connect to your hotel room Wi-Fi to pay for that public parking space to pull up a restaurant menu.

But QR codes can also leave you vulnerable. That’s because scammers, organized criminal gangs, and shady nation-states are using the unassuming tech to get you to hand over your data unwittingly. Here’s how they’re doing it, and how you can protect yourself.

People love the convenience of QR codes—but so do scammers

It’s hard to believe that something nefarious can lie within a QR code, but it can. In order to understand why, it helps to know how a QR code works. Short for “quick response code,” a QR code is essentially a more advanced version of UPC “bar” codes that have been found on packaged products for decades.

An old-school UPC code (short for “universal product code”) is a one-dimensional image composed of vertical bars of different widths that represent different numbers. When the barcode is scanned, the numbers are read and compared with a database to identify the related product.

QR codes are two-dimensional images with glyphs of various sizes that store not just numbers, but text. When scanned, your phone extracts the encoded information and can act on it. For example, QR codes often embed URLs, allowing you to scan, say, a parking meter to launch a webpage where you can pay online.

For sure, this is a lot more convenient than manually typing a URL into your phone’s browser to load the payment page. But our desire for—and unquestioning acceptance of—this convenience is now being exploited by scammers through what has become known as “quishing.”

The growing threat of quishing

Increasingly, everyone from scammers to nation-states is trying to exploit our willingness to use QR codes.

They do this by embedding malicious links in them and sending them to a person via email, often purporting to be from their bank or an online service they use. Alternatively, individual malicious actors have been known to print QR codes with malicious links embedded and physically place them over authentic QR codes on parking meters, restaurant tables, and in hotel rooms.

Unsuspecting individuals then scan these QR codes, not realizing that the URL embedded in them leads to a scam site designed to mimic the real one. These look-alike sites are designed to steal the user’s login credentials, credit card details, or other sensitive data.

If this sounds a lot like the old-school phishing we’ve been dealing with since the dawn of the internet, that’s because it is—just updated for a QR-coded world, hence the term “quishing.”

How to protect yourself from fake QR codes

Quishing is becoming a growing problem, but there are ways you can protect yourself against it.

The first is by adopting healthy skepticism about QR codes. Just because a QR code is on the hotel room nightstand, below the parking meter dial, or in an email that looks to be from your bank doesn’t mean it’s benign. Understanding that is your first step toward protecting yourself.

The next step is to carefully examine QR codes before scanning them. Scammers often place fake QR codes over real ones in the physical world. So, before you scan a QR code on a restaurant table, take a moment to inspect it for signs that it might be a sticker covering the authentic code. Look for rough edges, tears, or black squares from a deeper QR code showing through the white space, as these can indicate that the QR code isn’t one you should be scanning.

Likewise, be extremely cautious of QR codes you receive in emails, especially from senders purporting to be your financial institution or online services you use—and particularly if these emails contain messages that use language like “scan the code now to secure your account.” Scammers rely on urgency to compel people to enter their login details hastily on fake websites—logins the scammers will then use to access your accounts on the real website.

Finally, never enter information on a web page that was loaded from a scanned QR code without first manually checking the URL in your web browser. The web page might look like your bank’s login screen, but a scam website will have a URL that doesn’t match the authentic website’s address. When in doubt as to whether a URL is authentic, it’s best to open up another browser window, do a Google search for the website in question, and click on the link Google gives you.
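The final check, comparing the address behind a scanned code with the site's real address, can be sketched in code. This is an added example, not part of the original article: `check_qr_url` is a hypothetical helper, the sample URLs are constructed using reserved `.example` and `.test` names, and it goes slightly beyond the article by also flagging non-HTTPS links, text placed before an `@`, and internationalized hostnames.

```python
from urllib.parse import urlsplit


def check_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return reasons not to trust a QR-decoded URL (empty list = host matches)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # https://bank.example@evil.test/ really loads evil.test, not bank.example
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return problems + ["no host in payload"]
    # Non-ASCII or punycode labels can render as look-alike letters
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("internationalized host, possible look-alike characters")
    expected = expected_domain.lower().rstrip(".")
    # Match on a label boundary: bank.example.evil.test must not pass
    if host != expected and not host.endswith("." + expected):
        problems.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return problems


if __name__ == "__main__":
    # Constructed sample payloads, as a QR reader might decode them
    samples = [
        "https://login.bank.example/pay",
        "https://bank.example@evil.test/login",
        "https://bank.example.evil.test/",
        "http://bank.example/",
        "https://b\u0430nk.example/",  # Cyrillic 'a' in place of Latin 'a'
    ]
    for url in samples:
        print(url, "->", check_qr_url(url, "bank.example") or "host matches")
```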
Originally published on Fast Company Tech on 2/28/2026