QR Code Scams: How Fake QR Codes Steal Your Information
In Austin, Texas, someone stuck fraudulent QR code stickers on 29 public parking meters. Drivers scanned them expecting to pay for parking and instead entered their credit card information on a convincing fake payment site. The scam ran for weeks before the city caught on. Similar attacks have since hit parking meters in Houston, San Francisco, London, and Sydney.
QR codes exploded during COVID when restaurants replaced physical menus with scannable codes. That pandemic habit trained billions of people to scan without thinking. Scammers noticed.
What Is Quishing?
"Quishing" — QR code phishing — exploits the fact that humans can't read QR codes with their eyes. Unlike a suspicious URL where you might notice "paypa1.com" instead of "paypal.com," a QR code is a black-and-white square that reveals nothing about its destination until you've already scanned it.
This makes QR codes a perfect delivery mechanism for phishing. The scammer creates a QR code that points to a malicious URL, then places it somewhere people expect to scan: a restaurant table, a flyer, a parking meter, an email from "your bank."
Where Fake QR Codes Appear
Parking meters and public signage. Stickers placed over legitimate QR codes or added to meters that don't normally have them. The fake payment pages look professional and collect credit card details.
Restaurant menus. Scammers place stickers on tables in busy restaurants, redirecting diners to fake "menu" pages that request payment information or download malware.
Email and postal mail. Phishing emails increasingly include QR codes instead of clickable links because QR codes bypass many email security filters. Some scammers send physical letters — appearing to come from banks, utilities, or government agencies — with QR codes that lead to credential-harvesting sites.
"We noticed a package sent to you at our warehouse. Scan the QR code below to confirm your delivery address and payment details." — Physical mailer with a fraudulent QR code received by residents in multiple UK cities.
Fake business cards and flyers. At conferences, meetups, and job fairs, scammers distribute materials with QR codes that lead to malware downloads or phishing pages.
Think it might be a scam?
Paste it here for a free, instant verdict.
Free · No signup required · Cmd+Enter to scan
Crypto ATMs and payment terminals. Fake QR codes placed near or on legitimate machines redirect cryptocurrency payments to attacker wallets.
What Happens When You Scan a Malicious QR Code
Depending on the attack, scanning a malicious QR code can:
- Redirect to a phishing page that harvests login credentials, credit card numbers, or personal information
- Trigger a malware download — especially on Android devices where sideloading is possible
- Add a malicious Wi-Fi network to your device, enabling man-in-the-middle attacks
- Initiate a payment to the scammer via mobile payment apps
- Subscribe you to premium SMS services that charge recurring fees to your phone bill
- Open a pre-filled message in your email or SMS app to spread the scam to your contacts
Real-World QR Code Scam Examples
The parking meter scam. Multiple US and European cities have reported fraudulent QR code stickers on public parking infrastructure. Drivers enter payment details on fake sites, losing an average of $200-500 in fraudulent charges.
The fake delivery notice. A postcard arrives claiming a package is waiting. The QR code leads to a page requesting a $2.99 "redelivery fee" — which captures your full payment card details for future fraud.
The restaurant table tent. In 2025, a scam ring in Miami placed fake QR code table tents in over 40 restaurants, redirecting to a "digital menu" that prompted users to enter their phone number and credit card for "ordering." The real restaurant staff didn't notice the extra table tents for days.
The crypto scam. QR codes displayed at Bitcoin ATMs redirect payment to the scammer's wallet instead of the intended recipient. One operation stole over $400,000 before being detected.
How to Scan QR Codes Safely
Preview the URL before opening it. Most smartphone cameras show the URL a QR code points to before navigating. Read it carefully. Look for misspellings, unusual domains, or suspicious strings. If your camera doesn't show previews, use a QR scanner app that does.
Look for physical tampering. If a QR code appears to be a sticker placed over another code, don't scan it. Legitimate QR codes at businesses are typically printed directly on materials, not stuck on top.
Don't scan QR codes from unsolicited emails or mail. If your bank sends you a letter with a QR code, don't scan it. Instead, type your bank's URL directly into your browser or use their official app.
Verify with the business. If you're scanning a QR code at a restaurant or store, ask staff if it's legitimate. This takes five seconds and can prevent fraud.
Check the destination with a verification tool. If a QR code leads to a URL you're unsure about, paste it into IsThisAScam before entering any information. The tool checks domain reputation, page content, and known phishing patterns.
Keep your phone updated. Software updates patch vulnerabilities that malicious QR codes might exploit. Enable automatic updates on both iOS and Android.
Use a dedicated QR scanner with security features. Some scanner apps check URLs against phishing databases before opening them. These add a layer of protection that the default camera lacks.
What to Do If You Scanned a Malicious QR Code
If you entered payment information on a site reached via a suspicious QR code, contact your bank immediately to freeze the card and dispute charges. Change passwords for any accounts you logged into. Run a malware scan on your device. Monitor your credit report for unauthorized activity.
If you only scanned the code but didn't enter information or download anything, your risk is lower — but still scan your device for malware and monitor your accounts.
Received something suspicious? Check it now for free →