QR codes are quick and convenient, which is exactly why scammers use them. A single scan can take you to a fake website designed to steal your money or personal information. Before you scan, it’s worth taking a second to check where that code is really taking you.
“QR” stands for "quick response," and QR codes do just that.
Once a smartphone camera reads a QR code, a URL appears. By clicking the URL, the user is transported to a website or app.
Many QR codes provide legitimate links to useful information; you've probably scanned one to get into an event, pay for a purchase, or read a restaurant menu.
But it’s important to know that QR codes can also be used in phishing attacks and other schemes devised to steal money and personal information from unsuspecting people.
So, before you scan any QR code, pause for a second. Ask yourself: Do I trust where this code came from?
How QR code scams work
Although QR codes have been around since the 1990s, their popularity exploded after 2020 as contactless interactions became the norm—powering everything from touch-free menus to quick payments and check-ins.
What started as a pandemic-driven shift quickly became a habit. Now, you're likely to see these square barcodes on billboards, product labels, or promotional emails.
Trouble is, anyone can create a QR code for free online—including bad actors.
Increasingly, scammers are creating QR codes that direct to phishing websites or bogus apps designed to capture money or personal information. Scammers often create malicious websites that only look legitimate on the surface, and QR codes are just one way for them to advertise and lure people to their scam sites.
In some cases, these scams (sometimes called “quishing,” or QR code phishing) may also prompt you to download malware, giving criminals access to your device, files, or sensitive data like your location—information they can use to commit identity theft.
Common QR code scams
QR codes can be fabricated physically, and digitally as well. Here are some ways criminals may circulate scam QR codes:
Phishing emails and texts: You might receive an email or text saying that suspicious activity has been detected on your account and you need to scan a QR code to verify your identity. Or, you might be hit with an imposter scam and get a message from someone claiming to be from a utility company or the IRS, requesting that you scan a QR code to pay off a debt you owe.
Social media ads: These digital ads might feature a special offer or promotion that you “won't want to miss”—and a QR code scan is all it takes to gain access. But really, you're taken to a fraudulent website instead of a legitimate one.
Stickers on parking meters and payment machines: Scammers have been found placing scam QR code stickers on parking meters or payment stations, leading drivers to think they can pay for their spot with a quick scan. In reality, you'll be sending your funds and/or credit card information to crooks. Criminals have also been found placing these “fake” QR code stickers over real ones on restaurant tables and flyers, so be vigilant in these public places as well.
Crypto payment scams: As cryptocurrency becomes more mainstream, scammers are taking advantage. Legitimate cryptocurrency traders often use QR codes to direct people to their digital wallets, and con artists are following suit. Victims often think they're investing in real cryptocurrency, but they're really depositing their money into criminals' wallets.
How to spot and avoid a “fake” QR code
Always check the legitimacy of a QR code before clicking the link it generates—especially if you’re using it to download an app, make any kind of payment, or share secure information like passwords and usernames.
If you need to scan a QR code, consider these safety tips:
Read the link. When you hover your camera over a QR code, a URL will likely appear. Make sure it looks like it’s for the business or organization you expected, and check for typos or misspellings. Be extra wary of shortened URLs, which cybercriminals tend to use.
Look for tampering. Before you scan a code posted in a public place, carefully examine it. Could it be a sticker covering a real code or other information? Legitimate businesses often laminate signage that contains QR codes or place them behind glass.
Check the source. If you receive an out-of-the-blue communication from a trusted company encouraging you to follow a QR code to make a payment or enter personal information, reach out to the company directly before taking action (be sure to check the company's official website for the correct contact information). The same goes if you get an unexpected QR code from a friend, as they could have been hacked.
Don't be swayed by panic-inducing messages, especially those that urge you to act immediately. This is a favorite trick of scammers, aimed at convincing victims to comply before they’ve had time to consider the situation or discuss it with others.
Here’s an extra tip: If you’re an Allstate Identity Protection member and want an added layer of defense, consider enabling device security features that can help block malicious links before you ever land on a harmful site. You can check if this feature is included in your plan by visiting your account dashboard.
With this in mind, you can still enjoy the convenience of QR codes; just maintain a healthy sense of skepticism.


