QR codes went from a curiosity to a daily convenience in a span of two years — and attackers followed close behind. Understanding how large the problem has grown helps you calibrate how seriously to treat every scan.
Here's what the data actually shows.
QR code scam complaints have grown sharply since 2020
The FTC received more than 22,000 QR code fraud reports in 2023, up from near zero in 2020. Reported losses in those cases exceeded $10 million — but that figure almost certainly understates true losses because most victims don't file a federal complaint.
The FBI's Internet Crime Complaint Center (IC3) issued a formal public advisory on malicious QR codes in January 2022, noting that criminals were redirecting legitimate payment QR codes to phishing sites — a sign that the threat had grown large enough to warrant a national warning. The 2023 IC3 report recorded more than 880,000 cybercrime complaints totaling over $12.5 billion in losses, with QR-code-facilitated fraud appearing across several of the highest-loss categories: investment fraud, business email compromise, and personal data theft.
QR phishing in email has become a major attack vector
Security researchers began tracking "quishing" — QR code phishing — as a distinct category once it became widespread enough to stand on its own.
- Check Point Research reported a 587% spike in quishing attacks in a single quarter (Q3 2023) compared to Q2 2023.
- Proofpoint estimated that QR code phishing accounted for approximately 3% of all phishing attempts by late 2023 — a number that sounds small until you realize phishing runs in the hundreds of millions of messages per month.
- ReliaQuest found that in certain corporate email threat campaigns observed in 2023, more than 60% of email lures used QR codes rather than hyperlinks — specifically to bypass enterprise link-scanning tools.
- Hoxhunt measured a 51% growth in QR phishing attacks from July to November 2023 alone.
The mechanic is straightforward: most email security gateways scan URLs embedded in messages. A QR code is an image — there's no URL to scan until after a human points a camera at it. That gap is exactly what attackers exploit.
Physical QR code scams are climbing
The fake parking meter QR code scam became so widespread that the FBI included it in its January 2022 advisory. Cities including Austin, San Antonio, and Houston confirmed tampered meter stickers within weeks of each other in early 2022.
Since then, the scam has expanded to every surface with a QR code:
- Gas pump payment stickers replacing legitimate codes
- EV charging station QR codes leading to fake payment portals
- Restaurant table tents redirected to phishing menus
- Package insert QR codes from third-party sellers harvesting credentials
The FTC's 2023 consumer alerts identified parking meters, delivery notifications, and unsolicited mail as the top three physical QR code fraud vectors consumers reported.
Older adults face the highest losses per incident
The FBI IC3 2023 report found that consumers over 60 filed fewer complaints than younger age groups but suffered higher median losses per incident — in part because scammers target retirement savings and in part because older adults are less likely to recognize red flags in mobile browser URLs.
AARP's Fraud Watch Network reported that QR code scams appeared in the top five fraud types reported by members in 2023 for the first time, with the average reported loss exceeding $1,200 per incident when real money was transferred.
QR code fraud is underreported
Every major source acknowledges the same limitation: reported figures represent a fraction of actual incidents.
The FTC estimates that fewer than 5% of fraud victims report their experience to a government agency. Victims who dispute a charge with their bank, absorb a loss under $50, or simply don't know where to report go uncounted. Adjust the 22,000 FTC reports by that factor and the true scale of QR code fraud in the US likely ran into the hundreds of thousands of incidents in 2023 alone.
What these numbers mean for everyday scans
The data points to a consistent picture: QR code scams are no longer rare or exotic. They appear in email, on physical surfaces, in packages, and across every major social platform. The attack is effective because QR codes bypass the link-scanning protections most people and organizations rely on.
The defense is checking the destination URL before your browser opens it. That's not something humans are reliable at doing — attackers register domains that look right at a casual glance. Automated URL checking, done before the page loads, is the only consistent protection.
For a detailed look at what can happen when a malicious scan goes through, read what happens if you scan a fake QR code. If you're worried about a recent scan, see what to do immediately after scanning a suspicious QR code.
QRsafer checks every QR code destination against security databases before your browser opens the page — the step that stops the majority of these attacks cold. Download it for iOS or Android and scan with confidence.
Frequently asked questions
How many people fall for QR code scams each year?
The FTC received more than 22,000 QR code fraud reports in 2023, up from near zero in 2020. Actual losses are likely far higher because most victims don't report to a government agency — they dispute a charge with their bank or simply absorb the loss.
What percentage of phishing attacks now use QR codes?
Security firm Proofpoint estimated that QR code phishing represented roughly 3% of all phishing attempts in late 2023 and early 2024 — a small share but one that grew from near zero in 2021. In specific high-value attack campaigns targeting corporate email, the share is significantly higher.
Which industries are most targeted by QR code scams?
Financial services, technology, healthcare, and retail see the highest volume of QR phishing attacks. The FBI has specifically called out parking meters, restaurants, and unsolicited mail as common physical vectors targeting consumers.
Does QRsafer protect against the scams in these statistics?
Yes. QRsafer checks the destination URL of any QR code against security threat databases before your browser opens the page — catching the phishing pages, fake payment portals, and malicious redirects behind the attacks described in these reports. Download it for iOS or Android before you scan again.