QR codes have become part of everyday life in Australia. We use them to order at cafes and restaurants, track deliveries and check into events.
Many of us scan without thinking.
That convenience is exactly what scammers are now exploiting, according to finance and security experts.
QR code scams, sometimes called ‘quishing’ or ‘QR phishing’, are a growing tactic in Australia.
And while they can look harmless, “scanning the wrong code can expose your personal information, money and even your device”, according to XX from Bank Australia's Customer Safety Team.
Here’s what you need to know about QR code scams and how to avoid them.
What is a QR code scam?
A QR code scam happens when a criminal creates a fake code, or replaces a legitimate code, with one that directs you to a scam website.
Instead of taking you to the expected site, it sends you somewhere that can:
- Steal your personal information
- Capture your banking or credit card information
- Install malware or tracking software on your device
- Trigger follow-up scams later
Because QR codes don’t show you the full web address before you scan, it’s harder to spot when something doesn’t look right.
Why QR code scams are increasing
Over recent years, scanning QR codes to visit websites or open apps has become an everyday action for many Australians.
Scam activity is still extremely high: the National Anti Scam Awareness Centre reported around $2 billion lost to scams in 2024, and more than 52,000 phishing attempts reported in 2025.
Australians need to stay alert to the risks of sharing personal details online.
Consumer advocates, including CHOICE, and several cybersecurity experts have warned that scammers are now placing fake QR codes in public spaces because they are harder to verify at a glance.
“Instead of clicking a suspicious link, you’re scanning a physical code on a parking meter or café table,” Bank Australia security expert XX says.
“It feels more legitimate to many people.”
“And the destination is hidden until after you’ve already scanned”.
Where you’re most likely to see a fake QR code
QR scams tend to appear in places where speed and convenience matter.
Common examples include:
- Café tables and takeaway menus
- Posters or flyers offering ‘free’ deals
- Fake Australia Post or delivery notices
- Emails or text messages asking you to ‘scan to resolve the issue’
- Stickers placed over legitimate QR codes
What happens if you connect with a scammer’s QR code?
A malicious QR code can:
- Take you to a fake payment page that collects your personal details
- Mimic a trusted brand or government site
- Prompt you to log into banking or email providers
- Install malicious software on your device
- Lead to identity theft or account compromise
“Often the impact isn’t felt immediately,” explains Alex.
“Customers might not realise anything is wrong until days or weeks later.”
Red flags to watch out for
Scammers rely on urgency and convenience.
It’s worth pausing and double checking if you notice:
- Pressured language like ‘pay now’ or ‘account suspended’
- A request for sensitive information not normally provided
- A website address that appears odd or unusual
- A QR code sticker that appears tampered with or placed over another one
- Being asked to scan in an unexpected context.
How to be safer when scanning QR codes
You don’t need to stop using QR codes entirely, but it’s good to know how to reduce the potential risk before scanning.
Here’s a simple approach to QR code safety:
- Stop: Don’t scan automatically.
- Check: Look closely at the code. Is it a sticker stuck over another one? Does it look like it’s been tampered with? Don’t proceed to scan if so.
- Read: After scanning, read the website address before entering any personal details.
If anything about the website feels off, it takes you somewhere unexpected or the website address doesn’t use secure ‘https’ at the start.
- Protect: Avoid entering passwords or sensitive information through a new QR link unless you’re certain it’s genuine.
- Pivot: If you’re unsure, navigate to the organisation’s website yourself instead of using the code as a shortcut.
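The "Read" and "Pivot" steps can also be automated, for example in a scanner app or a mail filter that decodes QR images. The following is an added example, not Bank Australia's code: the function name, warning labels, expected domain and sample URLs are all constructed, and the userinfo, IP-address and punycode checks go beyond the red flags listed on this page.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_url(decoded: str, expected_domain: str) -> list[str]:
    """Return warnings for a URL decoded from a QR code.

    expected_domain is the organisation the code claims to belong to
    (an assumption supplied by the caller, e.g. taken from the signage).
    """
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return ["unparseable"]
    warnings = []
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")

    if parts.scheme != "https":          # page: address should start with https
        warnings.append("not-https")
    if not host:
        warnings.append("no-host")
        return warnings
    # Exact match or a true subdomain only. A lookalike such as
    # "council.example.pay-now.test" must not pass a naive substring check.
    if host != expected and not host.endswith("." + expected):
        warnings.append("unexpected-domain")
    # "https://trusted-name@other-host/" shows a trusted name before the real host.
    if parts.username is not None:
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)       # raw IP instead of a named site
        warnings.append("ip-address-host")
    except ValueError:
        pass
    # Punycode labels can render as lookalike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    return warnings

# Constructed sample payloads, as if decoded from stickers on a parking meter.
SAMPLES = [
    "https://pay.council.example/meter/17",
    "http://council.example/pay",
    "https://council.example.pay-now.test/meter",
    "https://council.example@203.0.113.9/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, "council.example") or "no warnings")
```

An empty result only means none of these checks fired; going to the organisation's site directly remains the safer path when in doubt.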
What to do if you’ve scanned a scam QR code
- Call your bank immediately if you’ve entered card or account details
- Change any passwords that might be at risk
- If available, run a security check on your device
- Report the incident to Scamwatch.
According to Kristy, QR codes aren’t inherently unsafe but, like any digital shortcut, they can create risk.
At Bank Australia we believe the more customers understand about how scams work the less likely it is they’ll fall victim.
Next time you see a QR code in the wild, pause before you scan. Those few seconds of consideration could save you thousands.
If you’re concerned about potential scam activity on your account, call us on 132 888.
Our contact centre is open Monday to Friday 8:00am-8:00pm and Saturday 9:00am-2:00pm AEST/AEDT.
Find out which scams are on the rise in our scam security series.



