QR code scams (sometimes called "quishing") are growing as QR codes become more common. The scams aren't sophisticated — they exploit trust and convenience. Here are real examples and how to protect yourself.
Parking Meter Scams
One of the most reported scams. Attackers place fake QR stickers on parking meters or pay-and-display machines. The sticker covers the legitimate QR code. When drivers scan to pay, they're directed to a fake payment page that collects their card details.
This has been reported in major cities across the US, UK, and Europe. The FBI issued a specific warning about parking meter QR scams in 2022.
How to spot it: Look for sticker overlays — raised edges, different texture, or a sticker that doesn't match the machine's material. If in doubt, use the parking company's official app or pay at the machine directly.
Restaurant Table Overlays
A scammer places a fake QR sticker over the restaurant's real menu QR on the table. Customers scan and land on a page that looks like the restaurant's menu but also asks for credit card details ("Order and pay online"). The card details are stolen.
How to spot it: If scanning a "menu" QR asks for your credit card upfront, something is wrong. Legitimate restaurant QR menus show the menu — they don't require payment to view it. Alert the staff.
Fake Package QR Codes
You receive a package you didn't order with a QR code inside saying "Scan for delivery details" or "Scan to verify your address." The QR leads to a phishing page or a page that installs tracking cookies. This is often part of "brushing" scams where sellers send unsolicited packages to generate fake reviews.
How to spot it: If you didn't order something and it came with a QR code, don't scan it. Report the package.
Email QR Phishing
Phishing emails containing a QR code image instead of a traditional link. The email says "Your account requires verification — scan the QR code" or "Scan to view your invoice." The QR leads to a fake login page. This bypasses email link scanners because the URL is hidden inside an image.
How to spot it: Legitimate companies rarely use QR codes in emails. If an email asks you to scan a QR instead of clicking a link, be suspicious. Verify by going to the company's website directly.
Public WiFi QR Scams
A fake "Free WiFi" QR code in a cafe, airport, or hotel lobby. Scanning connects you to a rogue WiFi network that can monitor your internet traffic. Or the QR leads to a fake "WiFi portal" page that asks for personal details.
How to spot it: Verify with staff that the WiFi QR is legitimate. If the connection process asks for unusual personal information, disconnect.
How to Protect Yourself
Preview the URL. After scanning, most phones show the URL before opening it. Read it. Does the domain look right? Is it HTTPS? Is there a subtle misspelling?
Check for physical tampering. Before scanning any QR in a public place, look for sticker overlays. Feel the surface — is the QR printed on the original material or stuck on top?
Don't enter credentials from QR links. If a QR leads to a login page, don't log in. Instead, open the service's official app or website directly and log in there.
Don't download anything from QR links. If a QR code leads to a download prompt, decline. Legitimate QR codes for menus, payments, and information don't require downloads.
Use your phone's built-in scanner. Stick to the default camera app. Third-party QR scanner apps may themselves be malicious.
How Businesses Can Prevent QR Scams
Brand your QR codes. Custom colors and logos make fakes harder to replicate. Customers learn to recognize your branded codes.
Use your own domain. menu.yourrestaurant.com is instantly verifiable. A random short URL is not.
Inspect regularly. Check your physical QR codes daily for tampering. Make it part of your opening routine.
Use tamper-evident materials. Print QR codes on materials that show visible damage if someone tries to peel and replace them.
Educate customers. A small note near the QR: "Our official codes link to [yourdomain.com] only."
The Perspective
QR code scams are real but not common relative to the billions of legitimate QR scans happening daily. Basic awareness — preview URLs, check for tampering, don't enter credentials hastily — eliminates nearly all risk. The technology is safe; the awareness just needs to keep up.