Health Money
BudgetingInvestingDebt FreedomReal Estate
Best Credit Cards
Calculators
About
Health Money

Helping you make smarter money decisions with clear, research-backed personal finance advice.

Categories

  • Budgeting
  • Investing
  • Credit Cards
  • Debt Freedom
  • Earning More

More Topics

  • Banking
  • Taxes
  • Insurance
  • Real Estate
  • Financial Planning

Company

  • About
  • Editorial Guidelines
  • Privacy Policy
  • Terms of Service

hello@thehealthmoney.com

Affiliate Disclosure: Some links on this site are affiliate links. We may earn a commission at no extra cost to you.

© 2026 The Health Money. All rights reserved.Our content is developed through a rigorous editorial process that combines deep data research with human oversight to ensure accuracy and relevance. For informational purposes only — not financial advice.Powered by Aptitude Media
HomeBankingQR Code Quishing Scams: How to Protect Your Money in 2026

QR Code Quishing Scams: How to Protect Your Money in 2026

QR code scams on parking meters and fake traffic-ticket texts exploded in 2026. Here's how quishing works and how to keep it from draining your accounts.

Written by The Health Money Editorial Team|Updated July 12, 2026
Close-up of a person holding a smartphone up to scan a black-and-white QR code

In the first week of January 2026, drivers in downtown Raleigh pulled up to metered parking, saw a QR code sticker on the meter, and did the obvious modern thing: they scanned it to pay. The page that loaded looked like a normal parking checkout. They typed in a card number, paid what they thought was a few dollars for an hour, and walked off to lunch. Some of them had just handed their card details to a scammer who'd slapped a fake sticker over the real one. On January 5, the city put out a warning telling people to stop scanning the codes on its meters.

Raleigh isn't a one-off. The same trick has shown up on meters from Southern California to Toronto, and in one Toronto case reported at the end of April, a driver who meant to pay about $7 for street parking got charged nearly $2,000 instead. The scam even has a name now. It's called quishing, and 2026 is the year it went mainstream.

What quishing actually is

Quishing is phishing with a QR code instead of a link. "Phishing" is when a scammer tricks you into typing your password or card number into a fake page that looks real. For years they did it with emails and text links. The problem, from the scammer's side, is that people got wise to sketchy links, and spam filters got good at catching them.

A QR code solves that problem for the crook. It's just a square of black-and-white dots that your phone reads as a web address. You can't eyeball a QR code and tell whether it points to your bank or to a lookalike page in someone's basement. Your phone reads it, opens the site, and you're already there before you've had a chance to be suspicious. That's the whole con: the code hides the destination until it's too late to think twice.

The mechanics are almost insultingly simple. A scammer prints a sticker with their own QR code and sticks it over a legitimate one somewhere public, or texts it to you dressed up as an official notice. You scan. Your phone opens a page built to look like the real parking service, the real toll site, the real court portal. You enter a card number or a login, and it flows straight to the scammer instead of the business you thought you were paying.

Why it blew up in 2026

Two things happened at once: the attacks multiplied, and the losses got counted.

Microsoft Threat Intelligence tracks phishing across billions of emails, and its Q1 2026 report, published April 30, found that QR code phishing was the single fastest-growing email attack of the quarter. The volume climbed from 7.6 million attacks in January to 18.7 million in March, a jump of about 146% in three months, reaching the highest monthly level in at least a year. Scammers like QR codes for the same reason you find them annoying: a code buried inside a PDF attachment or printed on a sticker sails past the filters that would flag a suspicious link.

The dollar side is uglier. The Federal Trade Commission's fraud data for 2025, released in June 2026, showed Americans reported losing about $16 billion to fraud, a record and up roughly 25% from the year before. Imposter scams, the bucket that includes fake-official QR schemes, led every category at $3.5 billion in reported losses, with a median individual loss of $700. Tellingly, the FTC added "QR Code & Mobile Payment Scams" as its own tracked category this year. Agencies don't create a new line item for a problem that's shrinking.

The three places it's draining wallets

Quishing isn't one scam. It's a technique showing up in several disguises, and the three below are the ones actually hitting people's bank accounts right now.

Parking meters and public payment codes

This is the Raleigh version, and it's spreading because it's so easy to pull off. A scammer needs a printer and thirty seconds of standing next to a meter looking bored.

Back in 2024, Redondo Beach, California found fake QR stickers on roughly 150 meters along its beachfront, glued right next to the legitimate ParkMobile and PayByPhone labels. The fake codes sent drivers to a site called "poybyphone.online," a near-copy of the real PayByPhone, close enough that a person glancing at their phone wouldn't notice the swapped letters. The city only ever works with two payment vendors. The scammers had simply invented a third that looked plausible.

The tell, once you know to look, is physical. A real payment sticker is printed and sealed by the city or the vendor. A fake one is often a fresh sticker slapped crookedly on top of or beside the official one. If a QR code peels at the corner, sits at an odd angle, or covers up printed text, treat it as suspect.

Fake traffic-ticket and toll texts

The version that reaches you at home comes by text. On April 14, 2026, the FTC put out a formal alert after a spike in reports of texts claiming you owe money for a traffic violation. The message looks official. It might show a state seal, a fake case number, and a hearing date, and it gives you two choices: show up in court or scan this QR code to pay the fine now. It leans hard on fear, warning of default judgments, extra fines, and enforcement if you don't act fast.

Scan it and you land on a page that harvests your Social Security number, your card details, or both, and sometimes tries to push malware onto your phone. The unpaid-toll version of the same text ("your E-ZPass balance is overdue") works identically.

Here's the thing courts and toll agencies actually do: they mail you paper, or they use the account and website you already set up. They don't text you a QR code out of the blue with a countdown attached. Urgency plus a QR code plus a payment demand is the signature of the scam, not the government.

Restaurant menus, hotel flyers, and email attachments

The travel-season version rides on how normal QR codes have become. You expect one on a restaurant table, a hotel welcome card, or a scooter dock, so a fake one blends right in. A tampered menu code can route you to a fake "pay your bill" page. A flyer under a hotel room door can advertise a "resort fee portal" that's pure theft.

The email flavor is what Microsoft flagged: a QR code embedded in a PDF invoice or a "your account needs verification" message, betting you'll scan it with your phone, which usually has weaker security than your work computer and no IT department watching.

What one scan can actually cost you

The danger scales with what you type after the scan, not the scan itself. Opening a malicious page is bad, but the real damage happens when you hand over information.

If you enter a card number, you can be hit two ways. The obvious one is a single fraudulent charge, like that $2,000 Toronto "parking" payment. The sneakier one is a recurring charge or a saved card the scammer reuses later. If you enter a bank login or a Social Security number, you've handed over the raw material for account takeover and identity theft, which is far harder to unwind than a single disputed charge.

There's a meaningful protection gap depending on which card you used. Under federal rules, credit card fraud liability is capped at $50, and most major issuers make it $0. Debit cards are riskier: if you report fraud within two business days your loss is capped at $50, but wait longer and it can climb to $500 or more, and in the meantime the money is actually gone from your checking account while the bank investigates. For a scan-and-pay situation you weren't expecting, a credit card is the safer instrument by a wide margin.

Related Reading

Payment App Safety: Protect Your Money on Zelle, Venmo & Cash App

How to scan without getting burned

You don't have to swear off QR codes. You just need a couple of habits that cost you three seconds and close off almost all of the risk.

First, preview the web address before you go to it. When you point your camera at a code, your phone shows the URL for a moment before opening it. Look at it. Is it the real domain (cityofraleigh.gov, not "raleigh-parking-pay.online")? Watch for misspellings, extra words, and odd endings like .online or .info where you'd expect a .gov or a known brand. If the preview doesn't match who you think you're paying, don't tap through.

Second, don't pay through a code you didn't seek out. For parking, type the vendor's real app or website yourself, or use the meter's card reader or coin slot. For a "ticket" or "toll" text, go to the agency's actual website on your own, or call a number you look up independently. Never use the contact info inside the suspicious message.

Third, inspect the physical sticker. Peeling corners, a code pasted over other text, or a sticker that looks newer than the machine it's on are all reasons to walk away and pay another way.

If you think you already scanned a bad one, move fast. Call the number on the back of your card, report the charge, and ask for a new card number. Change any password you entered. And report it, both to the FTC at ReportFraud.ftc.gov and, if real money was taken, to the FBI's Internet Crime Complaint Center at ic3.gov. Those reports feed the data that got QR scams their own tracking category in the first place.

Bottom Line

Quishing works because a QR code hides where it's sending you, and 2026 gave scammers a banner year. Here's what to do this week:

  1. Turn on URL preview and actually read it. Most phones show the web address before opening a scanned code. Make checking it a reflex, and bail if the domain looks off.
  2. Stop paying through codes you didn't go looking for. Pay parking through the vendor's own app or the meter's card reader, and handle any "ticket" or "toll" text by visiting the agency's real site directly.
  3. Use a credit card, not a debit card, for any scan-to-pay. Credit cards cap your fraud liability at $50 (usually $0), while debit card losses can hit $500 and drain your checking account while the bank sorts it out.
  4. If you got caught, call your card issuer today. Kill the card number, change any password you typed, and file reports at ReportFraud.ftc.gov and ic3.gov.

This article is for educational purposes and isn't personalized financial advice. If you've lost money or think your identity was exposed, contact your bank and the FTC directly for help specific to your situation.

bankingscamsfraud-protection

Get Smarter With Your Money

Join 10,000+ readers getting weekly tips on budgeting, investing, and building wealth — no spam, just actionable advice.

Trusted by readers in 50+ countries|4.9/5 reader satisfaction
Subscribe for Free

Free forever. Unsubscribe anytime.

Helpful Resources

  • Best Credit Cards of 2026
  • Compound Interest Calculator
  • Budgeting Guides
  • Investing Articles

Related Articles

  • A hand placing a coin into a piggy bank with dollar bills nearby, representing savings and locking in interest

    Brokered CDs vs. Bank CDs: Lock In Yield Without the Trap

    10 min read

  • Person using a smartphone banking app with financial charts on the screen

    Cash Management Accounts: The All-in-One Banking Alternative

    7 min read

  • Person holding a smartphone displaying a banking app interface

    Open Banking Is Here: How to Use It to Your Advantage

    8 min read

  • A person placing rolled dollar bills into a glass savings jar on a wooden table

    The Cash Sweep Trap: Why Your Brokerage Cash Earns Nothing

    9 min read