QR Code Phishing Scams (Quishing): What Victims Need to Know About Their Legal Rights

By: The Schlanger Law Group Legal Team 

In January 2026, residents across the Kansas City area started receiving unexpected packages containing what appeared to be Travis Kelce trading cards. The packaging looked professional. The cards seemed legitimate. And each package included a QR code with instructions to “verify the autograph.”

It was a scam.

Local law enforcement reported they had never seen this particular method of fraud before. The victims were intrigued by what appeared to be authentic memorabilia and did what the scammers were counting on: they scanned the code to learn more.

According to NordVPN, 73 percent of Americans scan QR codes without verifying them first, and more than 26 million people have already been directed to malicious websites this way.

This type of attack is called quishing — a combination of “QR code” and “phishing.” Although the scam is a new one, law enforcement and data security experts are already posting online about how to recognize and avoid quishing scams. Online information regarding the legal rights of quishing victims is considerably more scarce.

This article fills that gap. If a quishing scam has led to unauthorized charges on your accounts, fraudulent accounts on your credit report, or a drained bank account, federal consumer protection laws may provide a path to recovery.

What Is Quishing and How Does It Work?

Quishing is a social engineering attack that uses QR codes to trick people into visiting malicious websites or downloading harmful software. The term combines “QR” (quick response) with “phishing,” the practice of impersonating trustworthy sources to steal personal information.

The mechanics are straightforward. A scammer creates a QR code that links to a spoofed login page, a fake payment portal, or a site that automatically downloads malware. The scammer then places that code somewhere victims are likely to scan it — in an email, on a flyer, stuck to a parking meter, or included in an unsolicited package.

When a victim scans the code, they’re redirected to what looks like a legitimate website. They might enter their bank login credentials, their credit card number, or other sensitive information. Or their phone might silently download software that captures their data in the background.

What makes quishing particularly dangerous is that QR codes bypass many of the defenses we’ve built against traditional phishing. Email security filters can detect suspicious links in text, but QR codes appear as meaningless images to these systems. Unlike a URL in an email, you can’t hover over a QR code to preview where it leads. And because most scans happen on personal mobile devices, victims are often outside the protection of corporate security systems.
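The missing "hover to preview" step can be performed on the decoded text before anything is opened. The following is an added example, not part of the original article: a Python check that takes the string a QR decoder returns and lists the reasons its destination deserves suspicion. The function name, the shortener list, the `cityparking.example` domain, and the sample payloads are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of link-shortener hosts (assumption, not from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def preview_qr_payload(payload, expected_domains):
    """Inspect a decoded QR payload without opening it.

    Returns (host, findings); an empty findings list means the link is HTTPS
    and its host belongs to one of the domains the scanner expected to reach.
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return None, ["payload is not a parseable URL"]
    if parts.scheme not in ("http", "https") or not host:
        return None, ["payload is not a web link"]

    findings = []
    if parts.scheme == "http":
        findings.append("unencrypted http")
    if has_userinfo:
        findings.append("text before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalized host, possible lookalike")
    if host in SHORTENERS:
        findings.append("link shortener hides the final destination")
    # Match on a label boundary so "bank.example.evil.test" does not pass.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        findings.append("host is not one of the expected domains")
    return host, findings


# Constructed payloads, as a QR decoder would return them.
SAMPLES = [
    "https://pay.cityparking.example/meter/1234",
    "http://cityparking.example.pay-meter.test/login",
    "https://cityparking.example@203.0.113.7/pay",
    "WIFI:S:Guest;T:WPA;P:x;;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", preview_qr_payload(s, {"cityparking.example"}))
```

A clean result only means the link points where the scanner expected; it says nothing about whether that site itself is trustworthy.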

The physical context also creates a false sense of trust. A QR code on a parking meter, a restaurant menu, or in a package that arrived at your door feels more legitimate than a random link in an email. Scammers exploit that trust.

The growth has been dramatic. According to cybersecurity firm KeepNet Labs, QR code phishing increased from less than one percent of all phishing attacks in 2021 to nearly 11 percent by 2024. More than a quarter of all malicious links are now delivered via QR code.

Common Quishing Scenarios

Quishing scams take many forms, but several patterns have emerged as particularly common.

Unsolicited packages with QR codes. The Travis Kelce trading card scheme is one example of a broader tactic that combines quishing with “brushing” scams — the practice of sending unsolicited packages to generate fake reviews or, increasingly, to deliver malicious QR codes. These packages often contain small gifts, free products, or items that appear valuable, along with a card instructing the recipient to scan a code to “register your product,” “verify authenticity,” or “claim your warranty.” The U.S. Postal Inspection Service has issued warnings specifically about this combination of quishing and brushing.

Fake parking meter and pay station stickers. Scammers place QR code stickers over legitimate payment codes on parking meters, EV charging stations, and other public payment terminals. Victims believe they’re paying for parking or charging their vehicle, but instead they’re entering payment information into a fraudulent site. Cases have been reported across the country, with Texas among the states issuing public warnings.

Tampered restaurant menus and public signage. The pandemic accelerated adoption of QR code menus, and scammers have taken notice. Codes can be swapped overnight, redirecting diners to credential-harvesting sites instead of the restaurant’s menu.

Emails and texts with embedded QR codes. Traditional phishing campaigns increasingly include QR codes rather than clickable links, precisely because many email filters cannot scan QR code destinations. These messages often impersonate banks, utility companies, or government agencies, urging recipients to scan immediately to avoid account suspension or late fees.

Cryptocurrency scams. In 2024, a hacker group known as CryptoCore combined QR codes with deepfake videos to steal more than one million dollars in cryptocurrency. Victims scanned codes believing they were participating in legitimate giveaways promoted by what appeared to be well-known figures.

What Scammers Are After

The QR code itself is just a delivery mechanism. What scammers actually want is your information — and access to your money.

Depending on the scheme, quishing attacks target account usernames and passwords, credit and debit card numbers, PINs, Social Security numbers, dates of birth, and other personally identifiable information. Some attacks aim to install malware that captures this information over time. Others direct victims to fake login pages that harvest credentials immediately.

Once scammers have this information, they can drain bank accounts through unauthorized transfers, make fraudulent purchases on existing credit cards, open new accounts in the victim’s name, file fraudulent tax returns, or sell the information to other criminals. A single successful quishing attack can lead to months or years of identity theft consequences.

How Victims Discover They’ve Been Targeted

Many quishing victims don’t realize anything is wrong until the damage is already done. Common warning signs include unauthorized charges appearing on bank or credit card statements, unfamiliar accounts showing up on credit reports, sudden denials for credit applications, housing, or employment, collection calls for debts the victim never incurred, identity verification failures when trying to access legitimate accounts, and bank accounts that have been partially or completely drained.

If you’ve experienced any of these problems and remember scanning an unfamiliar QR code in the days or weeks before, the two may be connected.

Quishing is an identity theft vector — a method criminals use to steal your information. Your legal rights as a victim depend on what happens after that information is stolen. Federal consumer protection laws provide remedies for victims, but the specific law that applies depends on the type of harm you’ve suffered.

If Fraudulent Accounts Appear on Your Credit Report: The Fair Credit Reporting Act

When criminals use stolen information to open accounts in your name, those accounts often end up on your credit report. The Fair Credit Reporting Act (FCRA) gives you the right to dispute this inaccurate information and requires credit bureaus and the companies that furnish information to them to investigate your disputes.

Under the FCRA, credit bureaus must conduct a reasonable investigation when you dispute inaccurate information. If they cannot verify the information or determine it is inaccurate, they must correct or delete it. The companies that reported the fraudulent accounts — known as “furnishers” — have similar obligations once they receive notice of your dispute from the credit reporting agency.

The FCRA also provides specific protections for identity theft victims, including the right to place extended fraud alerts on your credit file, the right to obtain free credit reports, and the right to block information resulting from identity theft from appearing on your report.

When credit bureaus or furnishers fail to conduct reasonable investigations or improperly verify inaccurate information, victims can recover damages. These damages may include compensation for actual harm suffered, such as denied credit, lost housing opportunities, emotional distress, and out-of-pocket expenses, as well as statutory damages and attorney’s fees. For a detailed explanation of recoverable damages in credit reporting cases, see our guide on FCRA damages.

If Your Bank Account Is Drained: The Electronic Fund Transfer Act

If a quishing scam results in unauthorized withdrawals from your bank account — whether through debit card fraud, unauthorized ACH transfers, or compromised online banking credentials — the Electronic Fund Transfer Act (EFTA) provides important protections.

The EFTA limits your liability for unauthorized electronic fund transfers, but those limits depend on how quickly you report the problem. If you report an unauthorized transfer within 60 days of your bank sending the statement showing the transfer, your liability is generally limited. Your bank must investigate your claim and, in most cases, must provisionally credit your account while the investigation is pending.

Banks sometimes deny EFTA claims by arguing that the consumer “authorized” the transaction by scanning a QR code or entering their credentials on a website. But authorization under the EFTA requires that the consumer initiate the transfer itself. Being tricked into providing access information is insufficient. The CFPB’s official interpretation of Regulation E specifically provides that if a thief obtains access credentials through fraud, the resulting transfers are unauthorized — even though the consumer technically “gave” the information to the thief. For a more detailed discussion of the fraud exception and related issues, see our FAQ on imposter scams.

When banks fail to follow EFTA procedures, deny valid claims, or refuse to provide required provisional credits, victims can pursue legal action to recover their losses plus statutory damages and attorney’s fees.

If Unauthorized Credit Card Charges Occur: TILA § 1643 and the Fair Credit Billing Act

Unauthorized credit card charges resulting from quishing are governed by two overlapping federal laws: Section 1643 of the Truth in Lending Act (TILA) and the Fair Credit Billing Act (FCBA).

TILA § 1643 limits cardholder liability for unauthorized use of a credit card to a maximum of $50 — and in practice, most major card issuers waive even that amount. The key question under this statute is whether the use was “authorized.” As with the EFTA, a cardholder who is tricked into providing their card information to a scammer has not authorized the resulting charges.

The FCBA provides a separate mechanism for disputing billing errors, including charges for goods or services the cardholder did not accept or that were not delivered as agreed. When you submit a billing error notice to your card issuer, the issuer must acknowledge your dispute, conduct an investigation, and cannot report the disputed amount as delinquent during the investigation.

Card issuers that fail to follow these requirements, that hold cardholders liable for clearly unauthorized charges, or that report disputed amounts as delinquent may face liability under these statutes.

For a detailed explanation of your rights under the Fair Credit Billing Act, see our FCBA FAQ. For more on your protections against unauthorized credit card charges under TILA § 1643, see our guide to unauthorized credit card charges.

Multiple Laws May Apply

A single quishing incident can trigger claims under multiple federal laws. For example, if a scammer uses your stolen credentials to make unauthorized charges on your existing credit card and to open new fraudulent accounts in your name, you may have claims under both TILA/FCBA (for the unauthorized charges) and the FCRA (for the fraudulent accounts on your credit report). If the scammer also drains your bank account, the EFTA applies to those transfers. State laws may provide additional remedies as well, including claims related to identity theft, unfair and deceptive practices, and other consumer protection violations.

Understanding which laws apply to your situation — and how to enforce your rights under each — is one reason why victims of sophisticated identity theft schemes often benefit from working with an attorney who concentrates in this area.

Steps to Take If You’ve Fallen Victim to Quishing

If you believe you’ve scanned a malicious QR code or are experiencing the consequences of a quishing attack, take these steps as quickly as possible.

Secure your device. Disconnect from the internet, run a security scan, and change passwords for any accounts that may have been compromised. If you entered credentials on a suspicious site, assume those credentials are compromised and change them immediately — not just for the targeted account, but for any other account where you use the same password.

Contact your bank and credit card issuers. Report unauthorized transactions immediately. Follow up any phone calls in writing so you have documentation of when you reported the problem. For bank accounts, the timing of your report affects your rights under the EFTA.

Place a fraud alert or credit freeze. Contact one of the three major credit bureaus — Equifax, Experian, or TransUnion — to place a fraud alert, which requires creditors to verify your identity before opening new accounts. A credit freeze goes further, blocking access to your credit report entirely until you lift it. For identity theft victims, an extended fraud alert lasting seven years is available.

File a police report. Report the fraud to your local police department. Even if they cannot investigate, a police report creates an official record of the crime and may be helpful when disputing fraudulent accounts or transactions.

File an identity theft report. Visit IdentityTheft.gov to create an official FTC identity theft report. This report can help you dispute fraudulent accounts and may be required by some creditors and credit bureaus.

Obtain and review your credit reports. You can access free credit reports from all three bureaus at AnnualCreditReport.com. Review each report carefully for accounts you don’t recognize, inquiries you didn’t initiate, and any other signs that your information has been misused.

Dispute inaccurate information. If you find fraudulent accounts or other errors on your credit reports, dispute them in writing with both the credit bureau and the company that reported the information. Send disputes by certified mail with return receipt requested, and keep copies of everything you send and receive.

Document everything. Keep copies of all correspondence, take screenshots of unauthorized transactions, save statements showing fraudulent activity, and note the dates of all phone calls and the names of representatives you speak with. This documentation is essential if you need to pursue legal action.

Report the scam. File a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. For quishing scams involving the mail — including unsolicited packages with malicious QR codes — report to the U.S. Postal Inspection Service at spam@uspis.gov. You can also report to the FTC at ReportFraud.ftc.gov.

Provide copies of all reports to the relevant institutions. Send copies of your police report, FTC identity theft report, and any regulator complaints (CFPB, state attorney general, etc.) to the financial institutions and credit reporting agencies involved in your dispute. These documents support your claims and demonstrate the seriousness of the fraud.

For additional guidance on disputing credit reporting errors, unauthorized bank transfers, and unauthorized credit card charges, see our Fighting Back guide.

Protecting Yourself from Quishing

While this article focuses on your rights after a quishing attack, prevention remains the best defense.

Be skeptical of unsolicited packages containing QR codes, especially if they ask you to scan to “verify,” “register,” or “claim” something. Legitimate companies rarely require you to scan an unknown code to activate a product or verify authenticity.

Before scanning any QR code in a public place, inspect it for signs of tampering. Stickers placed over existing codes are a red flag. If a code looks like it might have been added after the fact, don’t scan it.

Be wary of QR codes that create a sense of urgency — messages warning that you must scan immediately to avoid account suspension, late fees, or lost benefits are classic social engineering tactics.

When possible, type URLs directly into your browser rather than scanning. If you receive a message claiming to be from your bank, utility company, or a government agency, navigate to that organization’s website directly or call a known phone number rather than scanning an embedded code.

Your phone’s built-in camera app is all you need to scan QR codes. Third-party scanning apps are unnecessary and may pose their own privacy risks.

Finally, monitor your accounts and credit reports regularly. The sooner you catch unauthorized activity, the better your chances of limiting the damage and enforcing your legal rights.

When to Contact an Attorney

Schlanger Law Group has represented victims of identity theft and unauthorized charges since 2007. Representing identity theft and unauthorized charge victims is one of our core practice areas. We typically represent victims on a contingency fee basis — meaning you pay nothing unless we recover compensation for you — and we handle cases nationwide.

If you’ve fallen victim to a quishing scam and are facing unauthorized charges that your bank or credit card company won’t reverse, fraudulent accounts that credit bureaus won’t remove, a drained bank account with no resolution in sight, or credit damage that is affecting your credit (or your ability to obtain housing and/or employment), contact us today to discuss your options.
