QR codes are on restaurant menus, parking signs, and even in your mailbox. But scammers have turned them into a tool. Quishing (QR code phishing) occurs when criminals send official-looking mail pretending to be from a government agency, court, or law enforcement. The envelope or letter includes a QR code that claims you owe money for unpaid parking tickets, tolls, court fines, or other “overdue” payments. Scanning it takes you straight to a fake website designed to steal your money or personal information.

Government agencies DO NOT send QR codes in the mail (or via text) asking for immediate payment. This is a red flag every time. Scammers create these codes using free online tools and make the letters look real with state seals, case numbers, judge names, and urgent threats like “pay now or face arrest.” The goal? Get you to scan without thinking twice.

What Happens Next?

• Identity theft: Your personal or financial information can be used to open new accounts, file fake tax returns, or drain existing ones.
• Device compromise: Malware can track your keystrokes or lock your phone.
• Ongoing harassment: Scammers may follow up with more threats or sell your data to other criminals.

What to Look For in the Mail

Common signs of a government QR code scam:

• Unsolicited letters or small packages from “government” sources with no official postmark or return address from a known agency.
• QR codes paired with urgent threats (e.g., “warrant issued if unpaid today”).
• Fake official elements like state seals, court case numbers, or names of real judges/police officials.
• Demands for payment through unusual methods—never a government check, online portal you already use, or standard mail payment.
• References to “overdue” fines, tolls, loan forgiveness offers that seem too good to be true, or surprise discounts.
• Envelopes that feel generic or have poor printing quality despite looking “official.”

Handle QR Codes with Caution

Always approach QR codes with care, especially those that appear unexpectedly. Before scanning any code, take a moment to inspect the destination URL. Many smartphone QR scanner apps let you preview the link first—use that feature, or simply hover over the code if you’re on a computer. If the web address looks strange, unfamiliar, or doesn’t match the official website of the agency mentioned in the letter, stop right there and do not scan it.

It’s best to avoid scanning QR codes found in unsolicited mail, text messages, emails, or on unexpected packages. This is especially true if the message creates urgency or pressure to act immediately.

When it comes to physical mail or packages, treat any QR code as carefully as you would treat cash. If the item arrived without your request, resist the temptation to scan the code just to “find out more.” Legitimate government agencies will never ask you to scan a code in the mail to pay a fine or resolve an issue.

Extra Layers of Protection

Beyond handling QR codes carefully, there are several simple steps you can take to strengthen your defenses against these and other scams. First, keep the software on your phone and computer up to date. Regular updates help patch security holes and block new types of malware.

Use strong, unique passwords for all your important accounts and enable two-factor authentication whenever possible. App-based authentication is much safer than receiving codes via text message.

Get into the habit of monitoring your bank statements, credit reports, and financial accounts on a regular basis. You can check your credit report for free once a week at AnnualCreditReport.com.

Additionally, block spam texts and emails from unknown senders to reduce the number of scam attempts that reach you.

If you receive suspicious mail, report it to the U.S. Postal Inspection Service by emailing spam@uspis.gov or by contacting your local post office. Reporting helps authorities track these scams and protect others in your community.

What to do if you’ve already scanned or paid:

• Change passwords immediately and enable two-factor authentication everywhere.
• Contact your bank or credit card company to dispute charges.
• Report the incident to the FTC at ReportFraud.ftc.gov, the FBI’s Internet Crime Complaint Center (IC3.gov), and your state attorney general.
• Check for identity theft at IdentityTheft.gov and consider a credit freeze.