QR Code Scams: The Hidden Danger You Scan Every Day
Picture this: you pull into a downtown parking spot, walk up to the meter, and see a QR code with a label that says “Scan to Pay.” You pull out your phone, scan it, and enter your credit card number on what looks like a perfectly normal payment page. You go about your day.
Except that QR code was a sticker — placed by a scammer directly over the real one. Your credit card number is now in someone else’s hands.
This isn’t a hypothetical. QR code phishing attacks have surged 587% since 2023, and the reason is simple: you can’t see where a QR code sends you before you scan it. Unlike a link in an email that you can hover over to check the URL, a QR code is a black box. It could send you anywhere.
The good news? Once you know what to look for, these scams are surprisingly easy to avoid. Let’s fix that.
What Is Quishing?
Quishing is a combination of “QR code” and “phishing” — and it’s exactly what it sounds like. A scammer uses a QR code to send you to a fraudulent website designed to steal your personal information, login credentials, or payment details.
At its core, a QR code is nothing more than a URL encoded as an image. When you scan one, your phone reads that image and opens the embedded link. The problem is twofold:
- You can’t inspect the link beforehand. With a regular hyperlink, you can hover over it to see the destination. QR codes don’t give you that option — at least not until after you’ve already scanned.
- QR codes bypass most security filters. Email security software scans for malicious links, but a QR code is just an image. Many corporate and consumer email filters don’t analyze the URLs hidden inside QR code images, making quishing a favorite technique for getting past defenses.
Where Scammers Are Placing Fake QR Codes
Quishing isn’t limited to your inbox. Scammers are getting creative with physical QR codes placed in everyday locations where you’d never think to question them.
Parking Meters and Payment Kiosks
This is one of the most common real-world quishing attacks. Scammers print fake QR code stickers and place them directly over the legitimate payment QR codes on parking meters. Cities like Austin, Texas discovered over 30 tampered meters in a single sweep. You think you’re paying for parking; you’re actually entering your credit card information on a scam website that looks nearly identical to the real payment portal.
Restaurants and Bars
The COVID-19 pandemic normalized QR code menus and ordering. Scammers exploit this by replacing the QR codes on table tents, menus, or window stickers with their own. Instead of pulling up the restaurant’s ordering page, you land on a cloned site that collects your payment information when you try to place an order or pay your bill.
EV Charging Stations
Electric vehicle charging stations from networks like ChargePoint and Blink often use QR codes for quick payment. Scammers apply fake QR code overlays on the machines, directing drivers to fraudulent payment pages. Since many EV drivers are accustomed to scanning to pay, the interaction feels completely normal.
Shipping Packages and Mail
Fake “track your package” or “schedule a redelivery” QR codes are showing up on packages left at doorsteps and in physical letters sent through the mail. Some scammers even send official-looking letters claiming you’re owed a utility refund, complete with a QR code that leads to a portal requesting your Social Security number and bank routing information.
Phishing Emails
QR codes embedded in emails are one of the fastest-growing attack methods. A message might say “Scan to verify your account,” “Scan to view your secure document,” or “Scan to update your payment method.” Because the malicious link is hidden inside an image, email security scanners often let these messages sail right through to your inbox.
“Your Microsoft 365 session has expired. Scan the QR code below to re-authenticate your account and avoid losing access to your files.”
Messages like this are designed to create urgency and get you to scan without thinking.
How QR Code Scams Work
The mechanics of a quishing attack are straightforward, which is part of what makes them so effective:
- The scammer creates a convincing fake website — a bank login page, a parking payment portal, a package tracking form — that closely mimics the real thing.
- They generate a QR code that points to their fake site instead of the legitimate one.
- They place the QR code where you’d expect a real one — over a parking meter, on a restaurant table, in an email, or on a piece of mail.
- You scan the code and see what looks like a normal page. The design, branding, and layout all look right.
- You enter your credentials, payment info, or personal data — and it goes straight to the scammer.
The entire process takes less than a minute, and most victims don’t realize anything happened until fraudulent charges appear on their statement or they get locked out of an account.
Real-World QR Scam Examples
These aren’t theoretical — they’ve already happened:
- The Austin Parking Scam: Over 30 parking meters in Austin, Texas were found with fraudulent QR code stickers directing drivers to a fake payment site that harvested credit card numbers. The Austin Police Department issued a public warning, but not before dozens of drivers had their information stolen.
- The Restaurant Table Tent: A scammer in the UK replaced QR codes on table ordering cards at a popular restaurant chain. Diners entered their card details on a cloned site and didn’t realize anything was wrong until unauthorized charges appeared on their statements days later.
- The Utility Refund Letter: Homeowners in multiple states received official-looking letters claiming they were owed a utility refund. The letters included QR codes that led to a fake portal collecting Social Security numbers, bank routing numbers, and home addresses — everything needed for identity theft.
How to Protect Yourself
You don’t need to stop scanning QR codes entirely. You just need to build a few quick habits.
Before You Scan
- Look for signs of tampering. Is there a sticker placed on top of another sticker? Are the edges misaligned? Does the material look different from the rest of the sign or meter?
- Consider whether the QR code makes sense in context. Is this a location where you’d normally expect a QR code, or does it seem out of place?
- Ask yourself if you were expecting this QR code. Did you seek it out, or was it unsolicited — taped to your door, included in unexpected mail, or sent in an email you weren’t expecting?
After You Scan, Before You Enter Anything
- Check the URL your phone shows you. Your camera app should preview the link before opening it. Read it carefully.
- Verify it’s the correct domain. The official site might be cityparking.com — a scam site might be city-parking-pay.net or cityparking-secure.info. Look for subtle differences.
- Look for HTTPS. The lock icon in your browser indicates an encrypted connection. Its absence is a red flag (though its presence alone doesn’t guarantee safety).
- If anything looks off, close the page immediately. Don’t enter any information. It’s always better to find another way to pay or log in.
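The URL checks in the list above can also be automated, for example by a help desk or mail-triage script that receives the link a QR code decoded to. This is an added example, not part of the original article; the function name, warning labels, and the `pay-portal.example` host are constructed for illustration, and `cityparking.com` is assumed to be the operator's real domain as in the article's illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domain the meter or kiosk operator really uses.
OFFICIAL_DOMAINS = {"cityparking.com"}

def check_qr_url(url, official=OFFICIAL_DOMAINS):
    """Return warnings for a URL decoded from a QR code; an empty list means it passed."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # "https://cityparking.com@other.example/" opens other.example:
        # everything before "@" is login info, not the destination.
        warnings.append("userinfo-in-url")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        # Internationalised names can imitate Latin letters.
        warnings.append("punycode-or-non-ascii-host")
    # Trusted only when the host IS the official domain or a subdomain of it.
    # A suffix match on ".cityparking.com" rejects cityparking.com.other.example.
    if not any(host == d or host.endswith("." + d) for d in official):
        warnings.append("unofficial-domain")
        # Lookalike: the official brand label shows up inside another domain,
        # with hyphens and dots ignored (city-parking-pay.net).
        squashed = host.replace("-", "").replace(".", "")
        if any(d.split(".")[0] in squashed for d in official):
            warnings.append("lookalike-of-official")
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs; the .net and .info hosts are the article's examples.
    for sample in [
        "https://cityparking.com/pay",
        "https://city-parking-pay.net/",
        "https://cityparking-secure.info/",
        "https://cityparking.com.pay-portal.example/",
        "https://cityparking.com@pay-portal.example/",
        "http://cityparking.com/pay",
    ]:
        print(sample, "->", check_qr_url(sample) or "ok")
```

An empty result only means the link points at the expected domain over HTTPS; it says nothing about a domain that was never on the official list to begin with.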
General Protection Tips
- Use your phone’s built-in camera app. It previews the URL before opening it, giving you a chance to inspect the link. Avoid third-party QR scanner apps that may open links automatically.
- Don’t scan QR codes in emails. If an email contains a QR code asking you to log in or verify something, type the website URL directly into your browser instead.
- Use official apps when available. If you’re paying for parking, use the city’s official parking app. If you’re charging your EV, use the charging network’s app. Skip the QR code entirely when you can.
- Keep your phone’s operating system updated. Updates include security patches that protect against the latest threats, including malicious websites.
For more on spotting phishing patterns, check out our guide on 5 Signs You’re About to Fall for a Phishing Scam.
What to Do If You’ve Been Scammed via a QR Code
If you suspect you’ve fallen for a quishing attack, act fast. The sooner you respond, the more damage you can prevent.
- Contact your bank or credit card company immediately if you entered any payment information. They can freeze your card and reverse unauthorized charges.
- Change your passwords for any accounts you logged into through the QR code link. Use a strong, unique password for each account.
- Enable two-factor authentication on any affected accounts to add an extra layer of security even if your password was compromised.
- Monitor your bank and credit card statements closely for 90 days. Look for any charges you don’t recognize, no matter how small — scammers often test with tiny transactions first.
- Report the scam to the FTC at ReportFraud.ftc.gov. Your report helps authorities track scam patterns and warn others.
- If it was a physical QR code, report it to the business or city where you found it. They may not know the fake code is there, and your report could protect the next person.
Teaching Your Family to Stay Safe
QR code scams are especially dangerous for teens and older adults — two groups that are frequent targets but may not be aware of the risk.
- Talk to your kids about not scanning random QR codes they see on flyers, stickers, or social media posts. Scammers target younger users with promises of free gift cards, game currency, or exclusive content.
- Help older family members understand that QR codes can be just as dangerous as suspicious links. If they receive a letter or package with a QR code they weren’t expecting, encourage them to call you or the company directly before scanning.
- Make it a family rule: if a QR code asks for a password, credit card number, or Social Security number, stop and verify through another channel first.
The Bottom Line
QR codes are convenient, but they hide where they’re sending you. Every QR code you scan is an unknown link — and you’d never click an unknown link in an email, so don’t treat a QR code any differently.
Before you scan, look for tampering. After you scan, check the URL. And if anything feels off, close the page and find another way. A few seconds of caution can save you from weeks of dealing with fraud, stolen accounts, and identity theft.
When in doubt, skip the scan and go directly to the official website or app.