For Parents of Teens

The QR Code Scam Coming for Your Teen: How “Quishing” Works

Published May 20, 2026 · 6 min read · By the ScamDrill Team
A teenager's phone scanning a QR code that splits into a fake login page, a payment screen, and a malware download, flagged as a scam

Here is the part that surprises most parents: when it comes to who actually reports losing money to scams, it is not grandparents at the top of the list. Year after year, the Federal Trade Commission finds that younger adults report losing money to fraud at a higher rate than older adults do. Older victims lose more per scam, but younger people get caught more often. And the generation right behind them, today’s teenagers, is being raised to do the one thing that makes the newest version of these scams work: scan first, think later.

The scam is called quishing — a mashup of “QR code” and “phishing” — and it had a breakout year. Security analysts who track email threats watched QR-code phishing climb roughly fivefold over the course of 2025, and by July the trend had spilled out of inboxes and into parking lots, restaurants, and concert venues. Both the FTC and the FBI have now put out public warnings. Your teen almost certainly hasn’t seen either of them.

~5× The rough increase in QR-code phishing detections that security researchers tracked across 2025 — one of the fastest-growing scam techniques of the year, now common at the exact places teens hang out.
Sources: industry threat reporting summarized by CNBC, July 2025; FTC and FBI public alerts, 2023–2025

What a QR code actually is (and why that’s the whole trick)

A QR code is not a magic shortcut. It is just a web address — a link — drawn as a grid of squares so a camera can read it instead of a human. That sounds harmless until you say the quiet part out loud: you cannot tell where a QR code goes by looking at it. A link in a text message at least shows you some letters you can squint at. A QR code shows you nothing. By the time you know the destination, your phone has already opened it.

Scammers love this for the same reason magicians love misdirection. The square looks official, it sits somewhere you already trust — a parking sign, a poster, the back of a rideshare seat — and the moment of decision happens after the curtain is already up. Here is the path a scan actually takes once it goes wrong.

FIG. 01 • ANATOMY OF A QUISHING SCAN • QR → THEFT ScamDrill scamdrill.com How one scan becomes stolen data A QR code is a link you can’t read — so the decision happens after the page is already open. 1 SCAN Phone reads the square 2 REDIRECT A hidden link opens itself 3 LANDING Fake login, payment or a silent download 4 HARVEST Password, card & 2FA codes taken The dangerous step is the one you can’t see: between the scan and the page, you never get to read where it goes.

How a single quishing scan turns into stolen credentials. The accent step — harvest — is invisible until it’s done.

Two outcomes do the real damage. The first is a spoofed page: a near-perfect copy of a login screen or a payment form. Your teen types in a password or a card number, the page thanks them, and the credentials are gone. The second is a silent download that drops malware capable of reading texts, including the two-factor codes that are supposed to protect everything else. In the FTC’s January 2025 alert, scanning a single code on a mystery package could do either one.

Where your teen actually meets these codes

This is not an inbox problem they can avoid by ignoring email. Quishing has moved into the physical and social places teens live. A few of the patterns showing up in 2025 and 2026:

FIG. 02 • WHERE TEENS MEET THEM • 2025–2026 ScamDrill scamdrill.com Six places the square shows up Quishing left the inbox. These are the real-world and social spots aimed at teens. 01 Rideshare line “Pay by QR code” shown in the back seat — skips the app entirely. 02 Parking stickers A fake QR sticker placed over the real meter or lot code. 03 ‘Free’ giveaways Merch, raffle entries and sneaker drops dangled as the bait. 04 Mystery package “Scan to see who sent it.” An FBI-flagged twist on the brushing scam. 05 Event tickets Fake resale and “entry” codes posted near the venue or in DMs. 06 Game currency “Free coins, skins or V-Bucks” — scan and log in to claim.

The same hidden-link trick, six different settings — each chosen because it catches teens mid-impulse.

The rideshare pickup line. Outside concerts and games in 2026, scammers have worked the chaos of the rideshare zone — a driver waves a teen over, then points to a QR code in the back seat and says “pay here.” The payment skips the app entirely, which means no receipt, no tracked route, and a charge that can be wildly inflated. Both Uber and Lyft have said plainly: you never pay by a QR code shown inside the car.

Tampered stickers in the real world. The cleanest version of this is a fake QR sticker slapped over a real one on a parking meter or lot. People scan, “pay for parking,” and hand a stranger their card — sometimes signing up for recurring charges. The scam spread far enough that the Miami Parking Authority pulled QR payment as an option entirely. Any teen who drives is now in scope.

Giveaways, “free merch,” and drops. A QR code promising free concert merch, a giveaway entry, a sneaker raffle, or free in-game currency is engineered for exactly the audience most likely to want it badly and check it least. The reward is the bait; the scan is the hook.

The package on the doorstep. An unexpected box arrives with a note: scan to see who sent the gift, or to return it. The FBI warned in July 2025 that these codes lead to data-harvesting sites or malware. It is a new wrapper on the old “brushing” scam, and a curious teenager is the perfect person to scan it.

Why teens fall for it when adults might not

It is not that teens are careless. It is that three things stack against them at once. They are the most QR-native group alive — menus, tickets, school sign-in sheets, lunch lines — so scanning is muscle memory, not a decision. They live on phones, where the browser hides almost the entire web address, so the giveaway tell that a parent might catch on a laptop (a weird domain) is mostly invisible. And the codes show up in moments built for impulse: a line that’s moving, a drop that’s “ending soon,” a friend’s repost of a giveaway. Urgency plus a trusted-looking square is the entire formula.

“A QR code is a link you’re not allowed to read before you click it. Treat every unexpected one exactly the way you’d treat a link texted by a stranger.”

The one habit that defuses almost all of it

You do not need your teen to memorize attack types. You need them to add a single half-second of friction between the scan and the action that follows it. Most phones show a preview of the web address at the top of the screen right after a scan, before the page loads. The whole game is teaching them to read that line.

The quishing rule for your teen

After you scan, read the web address before you tap, type, or pay. If it’s not the brand you expected — if it’s a random string of letters, a shortener, or a misspelled name — close it. And never pay or log in from a QR code you didn’t go looking for. Want the menu, the ticket, or the parking payment? Open the official app or type the address yourself. A real business will never lose your business because you typed its name.

If your teen already scanned and entered something

Move fast, but lead with reassurance

If they only scanned and backed out, the risk is low — watch for pop-ups or apps they don’t recognize. If they typed a password, change it now on every account that shared it and turn on two-factor authentication. If they entered card details, tell whoever owns the card so it can be frozen and watched, and report it at reportfraud.ftc.gov. If a download started, run a security scan and, if anything looks off, take the phone to your carrier. One thing first, though: don’t lead with anger. Teens who expect to get yelled at are the ones who hide the next scam until it’s much worse.

The conversation to have this week

You don’t need a lecture. You need ten seconds and a real example. Next time you’re out and you see a QR code on a sign or a table, point at it and ask your teen, “How would you know if that one was fake?” Let them answer. Then show them where the web address appears after a scan, and make the deal out loud: scan if you’re curious, but read the address before you ever type, tap, or pay. That single sentence travels with them into every parking lot and concert line you won’t be standing in.

If you want to go deeper on the broader picture, our guide on how to teach kids about online scams without scaring them covers what to say at each age, and the 2026 internet-safety guide for tweens and teens puts QR safety alongside DMs, AI companions, and privacy. Quishing is also a close cousin of the text-message scams in our USPS smishing guide and the fake-verification trick in the ClickFix CAPTCHA breakdown — same psychology, different delivery.

Turn “read the address first” into a reflex.

ScamDrill sends safe, realistic practice scams — including QR-code lures — to your family on a rotating schedule. When your teen taps where they shouldn’t, they get a friendly teachable moment instead of a drained account.

Start your family plan →

Frequently asked questions

What is quishing?

Quishing is QR-code phishing: a scam that hides a malicious link inside a QR code. Because you can’t read a QR code with your eyes, you only find out where it goes after your phone has already opened it. The code typically sends you to a fake login or payment page that harvests your username, password, or card details, or it prompts a download that installs malware. Security firms reported QR-code phishing climbing roughly fivefold in 2025, and both the FTC and FBI issued public warnings about it.

Why are teens especially exposed to QR code scams?

Teens grew up scanning QR codes for menus, tickets, and school handouts, so they scan on reflex without questioning it. They also live on phones, where the browser hides most of the web address, making a fake page harder to spot than on a laptop. Add the urgency of a concert line, a “free” giveaway, or a sneaker drop and the scan happens before anyone stops to think. The FTC has consistently found that younger adults report losing money to fraud at a higher rate than older adults.

Where do teens run into malicious QR codes?

The most common places in 2025 and 2026 are rideshare pickup zones outside concerts and games (a “pay by QR code” code shown in the back seat), tampered parking-meter and parking-lot stickers, social-media giveaways and “free merch” posts, fake event-ticket and resale codes, gaming offers promising free in-game currency, and QR codes printed on notes inside unexpected packages (a twist on the brushing scam the FTC flagged in January 2025).

What should my teen do if they already scanned a bad QR code and entered information?

If they only scanned and closed the page, the risk is low, but watch the phone for pop-ups or new apps. If they typed in a password, change it immediately on any account that used it and turn on two-factor authentication. If they entered card details, tell the parent who owns the card so it can be frozen and watched, and report at reportfraud.ftc.gov. If a download started, run a security scan and consider taking the phone to the carrier. Reassure your teen first — shame keeps kids from telling you next time.

Keep reading

How to Teach Kids About Online Scams Without Scaring Them

What to say, at what age, and what to avoid — without making them afraid of the internet.

Internet Safety for Tweens and Teens: A 2026 Parent’s Guide

Privacy, DMs, AI companions, and the household digital agreement that actually works.

The USPS Text Scam: Train Your Family to Delete Them

The same hidden-link trick as quishing — just delivered by text instead of a square.

Join our free newsletter to stay ahead of the scammers

Receive updates on monthly scam trends, along with best practices to protect yourself and those you care about.