QR Code and Smishing Scams: How Quishing and Text Phishing Work
Key takeaways
- Quishing (malicious QR codes) and smishing (scam text messages) both have one goal: to get you onto a fake site or app where you hand over logins, card details, or a one-time passcode.
- A QR code hides its destination, and a text can spoof any sender name, so neither proves who is really contacting you; the only reliable defence is to pause and verify independently.
- Never log in, pay, or approve anything from a link or code that arrived unprompted; open the official app or type the real web address yourself instead.
- Treat any request for a one-time passcode, gift cards, crypto, or moving money to a 'safe account' as a scam, whatever the message claims.
Quishing and smishing are the same trick in two wrappers: a QR code or a text message lures you onto a fake website or app, where you hand over logins, card details, or a passcode. The code or the text is only the bait; the real theft happens on the page it opens. See it that way and both become far easier to refuse.
How quishing and smishing work
Both attacks borrow trust and hide their destination. A QR code is just a grid of squares; you cannot read where it leads until your phone has already opened it. A text can display any sender name it likes, so a message that reads “Bank” or “USPS” tells you nothing about who actually sent it. In both cases the goal is identical: move you to a convincing fake site and have you enter something valuable.
This is the same machinery behind every scam: urgency or fear, borrowed trust through impersonation, and a push to act before you think. For the full anatomy, see how to spot a scam.
Quishing: malicious QR codes
Quishing is phishing delivered through a QR code, and the most cunning version is physical. Scammers print fake codes on stickers and place them over genuine ones on parking meters, restaurant tables, electric-vehicle chargers, and public posters. You scan what looks like the official code, but it sends you to a lookalike payment page that captures your card. The US Federal Trade Commission has warned specifically about scammers hiding harmful links inside QR codes to steal information.
Digital quishing appears in emails too, often a fake “verify your account” or “review this document” code, because an image can slip past filters that would catch a suspicious text link. When you scan, your phone usually previews the web address first; read it. A real bank does not send you to a string of random characters or a misspelled domain.
Smishing: scam text messages
Smishing is phishing by SMS, and it leans on stories you are primed to believe. Common scripts include a delivery that needs a small redelivery fee, a bank flagging “suspicious activity”, an unpaid road toll or tax bill, or a one-time passcode you did not request. Each carries a link and a clock. The FBI Internet Crime Complaint Center (IC3) consistently ranks phishing, smishing, and vishing as the single most reported crime type by complaint volume, well ahead of other categories in its annual reports.
The detail that disarms people is the spoofed sender. A scam text can thread itself straight into the same conversation as your bank’s real messages, so it sits right under a genuine one. That placement is not proof of anything; the sender field is trivially faked. Smishing is the close cousin of email phishing, covered in phishing emails and texts.
The day I scanned the wrong code
I want to be honest about how ordinary this looks from the inside, because after losing most of my savings to a scam I had promised myself I was switched on. I pulled into a car park, scanned the code on the meter, and a clean payment page loaded asking for my card. Nothing felt wrong. It was only when it also asked me to “confirm” a one-time passcode that a small alarm went off, the same hard-to-reverse, act-now feeling I knew too well. I stopped, walked to the meter, and saw the sticker peeling at one corner with the council’s real code underneath. I had been seconds from typing my card into a stranger’s site, in daylight, fully warned. That is how good these are.
How to stay safe
Pause and verify independently. It is the one defence that works against every wrapper a scam can wear:
- Do not act on unsolicited links or codes. If a text or a code arrives unprompted, open the official app or type the real web address yourself; never use what the message gives you.
- Read the address after scanning. Your phone previews the destination; if it is misspelled, random, or not the organisation it claims, close it.
- Be wary of public QR codes. Check for stickers placed over the original, and be cautious of any code that then asks you to log in or pay.
- Guard your one-time passcode. No real organisation asks you to read out or enter a passcode to “confirm” your identity; that request is the scam.
- Refuse unusual payments. Gift cards, crypto, wire transfers, and “move your money to a safe account” are red flags whatever the message says.
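The "read the address after scanning" step above can be mechanised. The following is an added example (not code from the original article) that triages a decoded QR or SMS link the way the guide tells you to by eye: it flags plain http, raw IP addresses, punycode labels, brand names buried in someone else's domain, near-miss spellings of a trusted domain, and random-looking labels. The trusted domain list and all sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: in real use this would be the user's own bank, carrier, council.
TRUSTED_DOMAINS = ("bigbank.example", "parcelco.example", "citycouncil.example")


def _registrable(host):
    # Crude "registrable domain": last two labels. Production code should use the Public Suffix List.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _edit_distance(a, b):
    # Levenshtein distance, used to catch one- or two-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_url(url):
    """Return a list of warnings for a decoded link; an empty list means nothing was flagged."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if not host:
        warnings.append("no hostname")
        return warnings
    try:
        ipaddress.ip_address(host)          # a bare IP is never a bank or a council
        warnings.append("raw IP address instead of a domain")
        return warnings
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode/IDN label (possible homoglyph)")
    reg = _registrable(host)
    if reg in TRUSTED_DOMAINS:
        return warnings                      # genuine domain: only the scheme check above applies
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:                    # e.g. bigbank.example-secure.co: brand is only a subdomain
            warnings.append(f"contains '{brand}' but registrable domain is {reg}")
        elif _edit_distance(reg, trusted) <= 2:
            warnings.append(f"{reg} is a near-miss of trusted {trusted}")
    label = reg.split(".")[0]
    if len(label) >= 12 and not any(v in label for v in "aeiou"):
        warnings.append("random-looking domain label")
    return warnings
```

Any non-empty result is a reason to close the page and reach the organisation through its official app or a typed address instead.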
If something already went wrong, act fast and follow what to do if you have been scammed: contact your bank, secure your accounts, and report it.
This is general information, not individual legal, financial, or security advice. If you have been targeted, report it to the proper authorities, such as ReportFraud.ftc.gov or the FBI IC3.
References
- How To Recognize and Avoid Phishing Scams, US Federal Trade Commission.
- Internet Crime Complaint Center (IC3), Federal Bureau of Investigation.
- QR Codes: What's the Real Risk?, FTC Consumer Advice.
Frequently asked questions
What is a quishing scam?
Quishing is phishing using a QR code. Scammers print or send a QR code that looks legitimate, often by sticking a fake one over a real parking meter, restaurant menu, or charging point, or by pasting one into an email. When you scan it, it sends you to a fake website that harvests your card details or login. Because the code itself is just a pattern of squares, you cannot see where it leads until you have already opened it.
What is smishing?
Smishing is phishing by SMS or text message. You get a text claiming to be from your bank, a delivery firm, a tax office, or a toll road, usually with a link and a sense of urgency: a parcel needs a small fee, an account is locked, a fine is overdue. The link leads to a fake site built to capture your details. The sender name can be spoofed to read 'HMRC' or your bank, so the displayed sender proves nothing.
Are QR codes safe to scan?
A QR code is only as safe as wherever it sends you, and you cannot read that destination by eye. Be cautious with codes in public places (they can be stickers placed over the real one), codes sent in unexpected emails or texts, and any code that then asks you to log in or pay. When your phone previews the web address after scanning, check it carefully before opening, and never enter passwords or card details on a site you reached by scanning an unsolicited code.
What should I do if I clicked a smishing link or scanned a bad QR code?
If you only opened the page, close it and do not enter anything. If you entered card details, contact your bank or card provider straight away, as speed gives the best chance of stopping a payment. If you entered a password, change it everywhere you reused it and turn on two-factor authentication. If you approved a one-time passcode, call your bank now. Then report it, and watch for follow-up recovery scams.
How can I tell a scam text from a real one?
Real organisations do not pressure you to act in minutes, ask you to pay a fine or fee by clicking a text link, or request a one-time passcode. Warning signs include urgency, an unexpected link, a slightly odd web address, requests for payment in unusual ways, and demands for secrecy. When in doubt, do not use the link; contact the organisation through a number or app you found yourself.
Can scammers steal money just from me scanning a QR code?
Scanning alone usually just opens a web page; the harm comes from what you do next. The danger is that the page convincingly asks you to log in, pay, or approve a payment, and you do. Some codes also try to start a payment or add a payee directly, so always read what the screen is asking before you confirm anything, and never approve a payment you did not start yourself.
Written by David Mercer. Reviewed by Dana Whitaker, CFE.
Our guides are written from personal experience and reviewed by a qualified fraud and security professional for accuracy. Read our editorial policy.