Egidio
Report · 2026

Fake QR codes & quishing

A QR code has no visible address — that's exactly what makes it a convenient fraud tool. Here's what the FBI and FTC document about this growing vector.

An official warning, not a rumor

FBI — Internet Crime Complaint Center (IC3), alert PSA250731

Published on July 31, 2025, this alert describes a specific scheme: unsolicited packages delivered to individuals, containing a note with a QR code inviting them to scan it "for more information" — a way to kick off fraud schemes through an unexpected physical intermediary.

FTC (Federal Trade Commission) — consumer alerts

The FTC has published two separate alerts on this topic: in December 2023, on scammers hiding malicious links in QR codes; in January 2025, a specific alert about QR codes arriving with unexpected packages, redirecting to phishing sites designed to steal credentials or card numbers.

82.6%
Of analyzed phishing emails used generative AI, a 53.5% rise year over year — the broader context in which the rise of quishing sits.
KnowBe4, 2025 Phishing Threat Trends Report. Accessed 07/14/2026.

Why this vector works

A regular link in an email can be hovered over to check the address before clicking. A QR code can't — you have to scan it to find out where it leads, and the phone's camera hides the verification step that many people have learned to apply to text links. That's exactly why the FTC and FBI specifically target this vector in their recent alerts — packages, parking meters, posters in public spaces: the physical medium lends a legitimacy the link alone wouldn't have.

🔒 A link hidden behind a QR code almost always redirects to a follow-up "verification" text or call — that's exactly where Egidio steps in, connecting what happens after the scan to the other channels. See the global scam report.

Frequently asked questions

What is quishing?

A blend of "QR code" and "phishing": a scam where a fake QR code, often stuck onto a real object (a package, a parking meter, a poster), redirects the victim to a fraudulent site instead of the legitimate one.

Has the FBI really warned about this?

Yes. The FBI's complaint center (IC3) published a specific alert on July 31, 2025, about unsolicited packages containing QR codes used to launch fraud schemes.

How can you spot a fake QR code?

Be systematically wary of any QR code received by mail, stuck on an existing surface, or paired with a message creating urgency. The safest move: never scan an unexpected QR code, and check the displayed address before continuing if you scan it anyway.

Go further