Why QR Code Scams Are Suddenly Everywhere (And How to Check Links First)

QR code scams are getting more attention because QR codes are now part of normal everyday life.

People scan them at parking meters.

They scan them on restaurant tables.

They scan them on event posters, donation signs, and delivery messages.

That convenience is exactly why scammers like them.

On 18 May 2026, RNZ reported that quishing scams are rising fast in New Zealand, with ESET saying they were almost unseen a year ago but now make up about one in 10 scams. RNZ also reported a jump from about 4 percent in March to more than 9 percent in April.

This matters because QR scams work very well on phones.

People scan first.

They think later.

This article explains why quishing is rising, how fake QR links work, and how to check where a QR code really goes before you open it.

If you want the broader safety foundation first, read QR Code Safety and Quishing: Complete Guide for Everyday Scans.

What is quishing?

Quishing is phishing that uses QR codes instead of normal text links. The Australian Cyber Security Centre says quishing uses QR codes in emails, digital platforms, or physical items to trick people into giving away sensitive information or downloading malware.

The scam feels simple:

• you scan a QR code
• it sends you to a fake page
• the page asks for payment, login details, or card details

Because the link is hidden inside the QR image, people often skip the normal "does this URL look right?" check.

Why QR code scams are suddenly everywhere

QR scams are rising because QR codes are now mainstream and people trust them too easily. The more normal QR codes become in daily life, the easier it is for scammers to hide fake destinations inside something people think is routine.

This is why mobile users are especially exposed:

• phones make scanning fast
• people often act in a hurry
• QR codes hide the link before the scan
• personal phones may bypass workplace security controls

RNZ highlighted this mobile angle in its 18 May 2026 coverage, including examples involving fake payment requests and fake login pages.

How fake QR links work

A scam QR code usually sends you to a fake website that looks urgent, familiar, or official. It may ask for card details, a Microsoft 365 login, a Google account login, or some other payment or account action.

Common scenarios include:

• fake parking meter payments
• fake package or customs payment messages
• fake donation pages
• fake event or ticket links
• fake business login pages

The big trick is that you do not see the real destination clearly until after the scan.

Why mobile users are vulnerable

QR scams work well on mobile because scanning feels like a shortcut. On a laptop, people may inspect a link more carefully. On a phone, they often scan, tap, and move on quickly.

That makes mobile a good environment for:

• rushed payments
• rushed logins
• rushed trust

This is also why QR scams can bypass normal habits people use for email and web safety.

The ACSC warns that quishing can be harder for some email-security tools to detect because the malicious link is embedded inside an image rather than shown as plain text.

Before you open that QR link, check this first

The safest habit is simple: check the link before opening it.

A practical review flow:

• scan the QR code
• inspect the original URL
• inspect the final destination after redirects
• stop if the domain looks unfamiliar
• stop if the page asks for urgent payment or login details

This is especially important when the QR code involves:

• money
• account logins
• work credentials
• package release fees
• business email accounts

Real-world examples people understand fast

Package and customs scam

You get a message that says your package is on hold.

It asks you to scan a QR code and pay quickly.

That urgency is the trap.

Parking meter or poster scam

You scan a public QR code in a hurry.

The page looks normal enough.

But the payment page is fake.

Business login scam

You scan a QR code from an email or flyer.

The page asks for Microsoft 365 or Google login details.

Now the scam is not just about money.

It may be about business access too.

How Safe QR Scanner helps

Safe QR Scanner is designed around a review-first flow, which is useful when you want to slow down and check a QR destination before opening it.

It can help you:

• inspect the original scanned URL
• inspect the final redirect destination
• review redirect behavior before opening the browser
• scan QR codes from the camera
• scan QR codes from screenshots and pictures

That is useful when the QR code appears in:

• emails
• social posts
• screenshots
• public posters
• printed menus

If the QR code is already on your phone, read How to Scan a QR Code From a Screenshot or Image on Android.

For a more detailed product-specific guide, read How Safe QR Scanner Helps Spot Risky QR Links Before You Open the Browser.

How to verify a QR code destination more safely

You do not need to become technical.

You just need a better habit.

Use this simple checklist:

• Does the first URL look like the brand you expected?
• Does the final destination still match that expectation?
• Is the page asking for payment or login details unusually fast?
• Is the message creating pressure to act now?
• Would you normally reach this action another way?

If anything feels off, stop and go to the official website yourself instead of using the QR code.

Can we help?

For everyday safer scanning

If you want a practical way to slow down and inspect QR links before opening them, Safe QR Scanner can help on Android. You can scan live QR codes, inspect destinations, and test QR codes from screenshots and saved images. You can also install the Android app.

For business QR infrastructure

If your business needs custom managed QR solutions with stronger redirect ownership, campaign flexibility, analytics infrastructure, and long-term reliability, Naonis can help.

If you want to discuss your QR setup, Contact us.

FAQ

Why are QR code scams suddenly everywhere?

Because QR codes are now common in everyday life, and people often trust them without checking the destination first.

What is quishing?

Quishing is phishing that uses QR codes to send people to fake websites, payment pages, or login pages.

Why are mobile users more vulnerable to QR scams?

Because phone scanning is fast, the link is hidden before the scan, and people often act quickly without reviewing the destination.

Can QR code scams steal more than payment details?

Yes. They can also steal login credentials, including Google or Microsoft 365 account details, and may expose business systems.

How can I check where a QR code really goes?

Scan it with a review-first tool, inspect the original URL, and inspect the final redirect destination before opening the browser.

Can I test a QR code from a screenshot?

Yes. A scanner with image support can read QR codes from screenshots, saved photos, and other pictures on your phone.