QR Code Security: How to Spot and Avoid Quishing Scams in 2026

In 2024, QR code phishing attacks — known as "quishing" — increased by over 500% according to cybersecurity firms tracking the trend. By late 2025, quishing had become one of the fastest-growing attack vectors in the phishing landscape. As QR codes become ubiquitous in restaurants, parking meters, business cards, and professional networking, understanding the risks is no longer optional — it is essential.

What Is Quishing?

Quishing is phishing via QR code. Instead of embedding a malicious link in an email or text message, attackers encode the link inside a QR code. When you scan the code with your phone, it opens the malicious URL in your browser — often a convincing fake login page designed to steal your credentials.

The reason quishing works so well is that QR codes are opaque. Unlike a hyperlink where you can hover to preview the URL, a QR code reveals nothing about its destination until after you scan it. This opacity is what makes QR codes both useful and dangerous.

How Quishing Attacks Work

  1. Physical overlay: Attackers place a sticker with a malicious QR code over a legitimate one — on a parking meter, restaurant table, or public poster.
  2. Email embedding: A QR code is included in a phishing email, bypassing text-based email security filters that scan URLs but cannot read QR codes.
  3. Fake business cards: A counterfeit business card with a QR code that leads to a credential-harvesting page instead of a LinkedIn profile.
  4. Event exploitation: At conferences and trade shows, attackers distribute flyers or badges with QR codes linking to malware downloads.

The Scale of the Problem

The numbers are sobering. According to a 2025 report by SlashNext, quishing attacks increased from 0.8% of all phishing attacks in 2023 to over 4.8% in 2025 — a 6× increase. Abnormal Security reported that 89% of quishing attacks target credential theft, with Microsoft 365 and Google Workspace login pages being the most commonly spoofed.

The FBI issued a public warning in 2024 about QR code fraud at parking meters and gas stations across the United States. In the UK, Action Fraud reported a 300% increase in QR code scam complaints between 2023 and 2025.

How to Spot a Fake QR Code

While QR codes cannot be visually "read," there are several red flags to watch for:

  • Sticker overlays: If a QR code appears to be a sticker placed on top of another surface — especially on a parking meter, ATM, or restaurant menu — do not scan it. Legitimate QR codes are typically printed directly on the surface.
  • Unexpected context: A QR code in an unsolicited email, text message, or flyer should be treated with suspicion. Legitimate companies rarely ask you to scan a QR code to "verify your account" or "claim a prize."
  • URL mismatch: After scanning, check the URL before tapping. If the QR code was on a LinkedIn business card but the domain in the URL is not linkedin.com, do not proceed.
  • Shortened URLs: Be cautious of QR codes that resolve to bit.ly, tinyurl, or other URL shorteners. These mask the true destination. Legitimate professional QR codes link directly to the target.
  • Poor print quality: Blurry, off-center, or oddly sized QR codes on otherwise professional materials may indicate tampering.

How to Protect Yourself

1. Preview Before You Click

Most modern smartphone cameras show a URL preview when you point at a QR code. Read the URL carefully before tapping. Look for misspellings (like linkedln.com instead of linkedin.com), unusual domains, or suspicious paths.

2. Use a QR Scanner with Security Features

Some QR scanner apps check URLs against known phishing databases before opening them. Apps like Kaspersky QR Scanner and Norton Snap (or the built-in camera apps on iOS 17+ and Android 14+) provide URL previews and basic safety checks.

3. Never Enter Credentials After Scanning

If a QR code takes you to a login page, stop. Open the service directly from your browser or app instead. Legitimate LinkedIn QR codes take you to a public profile page — they never ask you to log in.

4. Verify Physical QR Codes

If you are at a business or venue, ask staff whether the QR code is legitimate. At events, only scan QR codes from official materials — not from random flyers or handouts.

5. Keep Your Phone Updated

iOS and Android regularly patch security vulnerabilities that could be exploited through malicious websites. Keeping your phone's OS and browser updated is a basic but critical defense.

Why LinkedIn QR Codes Are Safer

Not all QR codes carry equal risk. LinkedIn QR codes generated by tools like our free generator have several built-in safety advantages:

  • Direct URL: The QR code points directly to linkedin.com/in/your-profile — no redirects, no URL shorteners, no tracking pixels.
  • Recognizable destination: Anyone scanning the code sees a linkedin.com URL in their preview, which is easy to verify.
  • No data collection: Static QR codes (like ours) do not pass through any third-party server. The URL is encoded directly in the QR pattern.
  • Client-side generation: Your LinkedIn URL never leaves your browser during generation — there is no server to compromise.
  • Visual trust signal: QR codes with the LinkedIn logo embedded (like ours) provide an immediate visual cue about the destination.

QR Code Security Checklist

Check              | Safe                  | Suspicious
-------------------|-----------------------|------------------------------
URL preview        | Shows expected domain | Unknown or misspelled domain
Physical placement | Printed on material   | Sticker over existing code
Destination        | Public page or info   | Login page or download
URL format         | Direct link           | URL shortener
Context            | Expected location     | Unsolicited email or flyer
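
The URL rows of the checklist can be automated once a QR code has been decoded to text. The following Python sketch is an added example, not code from this site or its generator. The shortener list, the path keywords, the flag names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Illustrative, non-exhaustive lists (assumptions for this example)
SHORTENERS = {"bit.ly", "tinyurl.com"}
RISKY_PATH_WORDS = ("login", "signin", "verify", "download")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalikes such as linkedln.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(url: str, expected_domain: str) -> list[str]:
    """Return the checklist flags raised by a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if host in SHORTENERS:
        flags.append("url-shortener")
    # Match on the parsed host, not on a substring of the whole URL:
    # "linkedin.com.example.net" contains the text but is a different site.
    on_expected = host == expected_domain or host.endswith("." + expected_domain)
    if not on_expected:
        flags.append("domain-mismatch")
        # Compare the last labels of the host with the expected domain
        tail = ".".join(host.split(".")[-expected_domain.count(".") - 1:])
        if 0 < edit_distance(tail, expected_domain) <= 2:
            flags.append("lookalike-domain")
    if any(word in parts.path.lower() for word in RISKY_PATH_WORDS):
        flags.append("login-or-download-path")
    return flags


# Constructed sample payloads, as if decoded from scanned QR codes
SAMPLES = [
    "https://www.linkedin.com/in/example-profile",
    "https://linkedln.com/login",
    "https://bit.ly/EXAMPLE",
    "https://linkedin.com.example.net/in/someone",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample, "linkedin.com") or "no flags")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.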

The Bottom Line

QR codes are not inherently dangerous — but they are inherently opaque. The same convenience that makes them useful for networking also makes them attractive to attackers. The defense is simple: preview before you click, verify the URL, and never enter credentials on a page reached via QR scan. When creating your own QR codes, use tools that generate direct, transparent URLs with no intermediary servers — like our LinkedIn QR code generator.
