QR Code Scams Targeting Kids and Teens: What Parents Need to Teach Before the Next Scan

Quishing attacks — phishing delivered through QR codes — are surging among teens. Here's how fake codes work, where kids encounter them, and the scanning habits that keep accounts and data safe.

At a middle school science fair in Phoenix last spring, students were invited to scan a QR code on a poster to vote for their favorite project. Three students scanned a nearly identical code placed on a second poster beside it — a fake, placed by a high school student testing a social engineering concept for a cybersecurity class presentation. The fake code led to a blank page, but the point was made: nobody checked. QR codes have become the digital equivalent of an unlabeled door, and teens walk through them dozens of times a week without a second thought. The FBI’s Internet Crime Complaint Center (IC3) flagged QR-code-based phishing — commonly called “quishing” — as an emerging fraud vector in 2023, noting that the codes’ opacity makes them especially effective at bypassing the URL-inspection habits adults have built over years of internet use.

Key Takeaways

  • QR codes hide their destination URL until after scanning, making them a natural phishing tool that bypasses the visual inspection habits adults use with links.
  • “Quishing” attacks targeting teens appear in gaming contexts (fake tournament sign-ups, prize claim codes), school settings (fake Wi-Fi QR codes), and physical spaces (stickers placed over legitimate codes in restaurants and transit).
  • The FBI and FTC both issued consumer alerts on QR code fraud in 2023–2024, with losses from QR-linked fraud topping $22 million in reported cases.
  • Teens can protect themselves by previewing URLs before opening, using a QR scanner app that shows the destination link, and never scanning codes that arrive unsolicited via DM or email.
  • Parents should know that legitimate schools, restaurants, and businesses virtually never email unsolicited QR codes — that pattern is almost exclusively a scam indicator.

What Is Quishing and Why Does It Work on Teens

“Quishing” combines “QR code” with “phishing.” The attack works identically to a standard phishing link — it leads to a fake login page, malware download, or credential-harvesting form — but it uses a QR code as the delivery mechanism rather than a clickable hyperlink.

The reason this works so well against teenagers comes down to behavioral conditioning. Teens have grown up scanning QR codes to see restaurant menus, join Wi-Fi networks, enter school activities, and access game rewards. The act of scanning has become reflexive — low-friction and low-suspicion. A link in an email might trigger the “hover to preview” habit some adults have developed. A QR code provides no equivalent preview mechanism in the default smartphone camera app.

Research from Proofpoint’s 2023 State of the Phish report documented a 587% increase in QR-code-based phishing attacks between Q1 and Q4 of 2023, with mobile users — the primary demographic for QR scanning — being the primary targets. Security teams at organizations struggle to filter QR codes the way they can filter suspicious URLs, because the image containing the code passes through email filters as a harmless picture file.

Where Teens Encounter Fake QR Codes

Gaming and Discord Communities

This is the highest-density exposure zone for teenagers. Fake tournament sign-up pages, skin giveaway “verification” codes, and Nitro gift claim codes circulate constantly through Discord servers and gaming subreddits. The format looks like this: a server posts an image that says “Scan to claim your exclusive Season reward” with a QR code underneath. The code leads to a page mimicking Discord’s or Epic Games’ login portal.

The appeal of instant reward bypasses rational evaluation. A teen who has been trained to recognize suspicious email links may still scan a QR code in a trusted Discord server without hesitation, because the social context feels safe.

Physical Sticker Attacks

This attack requires physical access to a location but is well-documented by law enforcement. Criminals print sticker QR codes and place them over the legitimate codes on restaurant tables, parking meters, public transit fare displays, and event posters. The FBI field office in San Francisco documented parking meter QR code stickers in 2022 that redirected drivers to fraudulent payment portals.

Teens encounter this most commonly at retail stores, malls, sports venues, and school campuses — anywhere QR codes are posted in physical spaces.

Unsolicited Email and Text Messages

The FTC’s 2024 consumer alert on QR code scams specifically called out unsolicited messages claiming:

  • “Your package could not be delivered — scan to reschedule”
  • “Your account has been suspended — scan to verify your identity”
  • “You’ve won a prize — scan to claim”

These messages are designed to create urgency. Teens who receive them on a phone are often looking at a small screen with limited URL context, making the destination even harder to evaluate.

School and Educational Settings

A subtler vector: fake Wi-Fi network QR codes. A malicious actor can post a QR code in a school hallway or library that connects a device to a rogue access point rather than the school network. Once connected, traffic can be intercepted. This is a more sophisticated attack, but it exploits the same reflexive scanning behavior.

How a Quishing Attack Actually Works: Step by Step

Understanding the technical mechanism helps both parents and teens recognize what they’re defending against.

| Stage | What Happens | What the Teen Sees |
|---|---|---|
| 1. Code Creation | Attacker generates a QR code pointing to a phishing domain | A QR code image that looks identical to legitimate codes |
| 2. Distribution | Code shared in Discord, posted physically, or emailed | A seemingly relevant message with a “helpful” QR code |
| 3. Scan | Teen scans with phone camera | Phone shows a truncated URL or goes directly to the page |
| 4. Landing Page | Fake login page cloned from Discord, Epic, Google, etc. | A visually convincing login screen |
| 5. Credential Entry | Teen enters username and password | A success message or redirect to the real site |
| 6. Data Capture | Credentials logged on attacker’s server | Nothing visible — teen believes they just logged in |
| 7. Account Takeover | Attacker uses credentials, often adds their own 2FA | Teen discovers locked account hours or days later |

The most sophisticated attacks use real-time proxying, meaning the fake page actually forwards the session to the legitimate server, capturing 2FA codes as they’re used. This defeats standard SMS-based two-factor authentication.

The URL Preview Problem: Why Smartphones Are Part of the Risk

On a desktop browser, hovering over a hyperlink shows the destination in the status bar before clicking. No such native preview exists for QR codes in the iOS or Android default camera apps. When a teen scans a code, the phone typically shows a small notification banner with a truncated URL — often just the domain — and then proceeds to the page on tap.

Attackers exploit this in two ways. First, they register domains designed to look legitimate in a truncated preview: epicgames-support.com shows “epicgames” in the truncation. Second, they use URL shorteners that make the preview meaningless: a bit.ly or tinyurl.com link tells you nothing about the destination.

The practical fix: Dedicated QR scanner apps — rather than the built-in camera — can display the full decoded URL before any navigation occurs. Kaspersky QR Scanner, Trend Micro QR Scanner, and others pause on the URL screen and allow the user to inspect it before proceeding. This single behavioral change — using a preview-enabled scanner — restores the ability to check a destination before going there.
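
What a preview-enabled scanner can check before opening anything, shown as an added example (not from the original article or any scanner app named here): it takes the text decoded from a QR code, returns the full host, and flags the two tricks described above plus a few related signs. The shortener list, the brand-to-official-domain map, the "last two labels" domain heuristic and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative lists; the brand -> official-domain map is not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com"}
OFFICIAL = {"epicgames": "epicgames.com", "discord": "discord.com"}

def registrable_domain(host):
    # Naive "last two labels" heuristic (assumption); real tools use the
    # Public Suffix List so that names under e.g. co.uk are handled correctly.
    return ".".join(host.split(".")[-2:])

def inspect_qr_url(payload):
    """Return (full_host, findings) for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme not in ("http", "https"):
        return host, ["not-a-web-url"]      # e.g. Wi-Fi or contact payloads
    if parts.scheme == "http":
        findings.append("no-tls")
    if "@" in parts.netloc:                 # text before '@' is not the host
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append("shortener")        # real destination is hidden
    for brand, official in OFFICIAL.items():
        # Brand string appears in the host, but the domain is not the brand's.
        if brand in host and reg != official:
            findings.append("brand-lookalike:" + brand)
    return host, findings

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    for url in ("https://epicgames-support.com/login",
                "https://bit.ly/3xAbCd",
                "https://www.epicgames.com/id/login",
                "http://discord.com.claim-reward.example/nitro"):
        print(inspect_qr_url(url))
```

An empty findings list only means none of these specific signs were present; it is not proof that a destination is safe.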

What to Teach Your Teen: Five Specific Habits

Habit 1: Never scan codes that arrive unsolicited. If a QR code arrives via DM, email, or text from an unknown sender, treat it identically to a suspicious link. The delivery mechanism doesn’t change the risk.

Habit 2: Check whether the physical code has a sticker on top. At restaurants, parking meters, or event venues, look for stickers placed over an original printed code. A sticker that’s slightly misaligned or has different printing quality is a red flag.

Habit 3: Use a QR scanner that shows the URL before opening. Install a dedicated scanner app and make it the default tool for QR scanning. This adds two seconds of friction that can prevent an account takeover.

Habit 4: Never enter login credentials immediately after scanning. If scanning a code leads immediately to a login screen, pause. Legitimate reward claims and sign-up forms rarely require an account login as the first step. Open a browser manually and navigate to the service directly.

Habit 5: Verify through the official channel. If a Discord server is offering a QR code reward, check whether the offer is pinned in the official announcements channel. Scam codes are often posted in general chat by newly-joined accounts.

For more on building these verification habits in everyday tech use, see our guide on helping kids recognize phishing attempts across platforms.

What Parents Should Know About School QR Codes

Schools increasingly use QR codes for lunch payment, library check-out, attendance tracking, and classroom activities. This creates a normalized scanning environment for students — and a potential attack surface.

Questions worth asking your child’s school:

  • Are QR codes in physical school spaces (posters, hallways) from a managed, school-controlled source?
  • Do students scan QR codes that lead to external login pages using school credentials?
  • Has the school provided any digital literacy guidance specifically about QR code verification?

The answer to most of these will be “we haven’t thought about it.” That’s not negligence — it reflects how new this attack surface is. Sharing this article with a school tech coordinator or health teacher costs nothing and might matter.

What to Watch For Over 3 Months

Month 1: Install a URL-preview QR scanner on your teen’s phone and set it as the default. Walk through the difference between the built-in camera scan and the preview-enabled scanner together so they understand what they’re gaining.

Month 2: Do a family audit of recent QR scans. Ask your teen to recall the last five QR codes they scanned — where they were, what they led to. Most teens won’t remember, which illustrates the reflexive nature of the behavior. Use this as a teaching moment, not a criticism.

Month 3: Role-play one fake scenario: send your teen a text message with a made-up “prize” QR code (just a link to a blank page) and see how they respond. Debrief together. Track whether the new scanner habit stuck.

Frequently Asked Questions

Can a QR code install malware just by scanning it?

Simply scanning a code and previewing the URL cannot install malware. The risk occurs when you navigate to the destination and interact with it — downloading a file, entering credentials, or clicking through prompts. This is why previewing the URL before opening is the key protective step.

How do I know if a QR code I scanned was malicious?

Signs include being taken to an unfamiliar URL, seeing a login page for a service you didn’t expect, or receiving an email notification about a new sign-in shortly after scanning. If you entered credentials on an unfamiliar page, change that account’s password immediately and enable 2FA.

Are QR codes on school materials safe to scan?

Generally yes, but not unconditionally. Verify that physical QR code materials in school match what the school has officially communicated via email or portal. A code posted on a flyer in a hallway is lower confidence than one in an official school document.

What’s the safest QR scanner app for teens?

Any scanner that displays the full URL before navigating is appropriate. Kaspersky QR Scanner and Trend Micro QR Scanner both do this. The key feature to look for is a “preview” or “confirm before open” setting. Avoid scanners that navigate instantly without showing the URL.

Can attackers embed QR codes in legitimate-looking PDFs or documents?

Yes, and this is an increasing attack vector in workplace contexts. For teens, this most commonly appears in fake gaming guides, modding tutorials, or “exclusive content” PDFs shared in Discord. Any QR code embedded in a document from an unknown source should be treated with the same skepticism as a link from an unknown sender.


About the author

Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.

Sources

  1. Federal Bureau of Investigation, Internet Crime Complaint Center. (2023). Public Service Announcement: Cybercriminals Tampering with QR Codes to Steal Victim Funds. IC3. https://www.ic3.gov/Media/Y2023/PSA230117
  2. Federal Trade Commission. (2024). Scammers Hide Harmful Links in QR Codes to Steal Your Information. Consumer Advice. https://consumer.ftc.gov/consumer-alerts/2024/01/scammers-hide-harmful-links-qr-codes-steal-your-information
  3. Proofpoint. (2024). 2024 State of the Phish Report. Proofpoint Research. https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
  4. Cybersecurity and Infrastructure Security Agency. (2023). Phishing Guidance: Stopping the Attack Cycle at Phase One. CISA. https://www.cisa.gov/resources-tools/resources/phishing-guidance
  5. Vishwanath, A. (2015). Examining the distinct antecedents of e-mail habits and its influence on the outcomes of a phishing attack. Journal of Computer-Mediated Communication, 20(5), 570–584. https://doi.org/10.1111/jcc4.12126
  6. FBI San Francisco Field Office. (2022). QR Code Caution: Criminals Are Manipulating QR Codes. FBI.gov. https://www.fbi.gov/contact-us/field-offices/sanfrancisco/news/press-releases/qr-code-caution