QR Code Scams — How Fraudsters Hijack Quick Response Codes
QR codes are everywhere — and scammers have found ways to weaponise them. Learn how QR code fraud works, where fake QR codes appear, and how to scan safely.
QR codes have become ubiquitous — on restaurant menus, parking meters, product packaging, event tickets, and business cards. Their convenience has made them a new attack vector for scammers, who have found several effective ways to weaponise them.
"Quishing" — QR code phishing — is now one of the fastest-growing fraud methods. Security researchers report significant increases in QR code scam incidents year on year, and the technique is specifically designed to bypass email security filters that scan for malicious links.
How QR code scams work
A QR code is a machine-readable image that encodes a short piece of data, in most everyday uses a URL. When you scan it, your phone is directed to that URL. Scammers create QR codes that direct to malicious websites — phishing pages, malware installers, or fake login portals.
Because the destination isn't visible until you scan it, and because people have been conditioned to trust QR codes in legitimate contexts, they're an effective misdirection tool.
Where fake QR codes appear
Parking meters and parking apps — Scammers place stickers with their own QR codes over legitimate parking payment codes. You scan what looks like the official parking QR code but are taken to a fake payment page that harvests your card details. This is one of the most reported QR scam types in the US and UK.
Restaurant menus — Less common but reported: fake QR code stickers placed over legitimate restaurant menu codes, redirecting to phishing pages.
Phishing emails — QR codes embedded in emails directing to phishing sites. These bypass many corporate email security scanners that check text links but don't always analyse QR code images.
Fake parcel delivery notifications — "Scan here to track your package" — redirects to a phishing page asking for personal and payment information.
Event tickets — Fake event listings with QR codes for ticket purchase that collect payment when no event or ticket exists.
Cryptocurrency scams — QR codes that encode a cryptocurrency wallet address. You're told to send crypto to the address to "verify" a transaction or claim a prize.
Fake charity collections — A person with a QR code claiming to collect for charity. Scanning leads to a page that takes your donation with no charity ever receiving it.
How to scan QR codes safely
Preview the URL before tapping — When you scan a QR code, your phone shows a preview of the URL before opening it. Read this carefully. A parking payment QR code should go to the official city council or parking operator's domain — not parkpay-secure.info or any random domain.
Check for tampering — In parking lots and other fixed locations, look for signs that a sticker has been placed over the original code. Edges of stickers, slightly raised surfaces, or codes that don't align with the official signage are warning signs.
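The URL preview check above can also be automated in a scanner app or mail gateway that has already decoded the QR image. The following is an added example, not part of the original article; the function name, the expected-domain list and the sample payloads are constructed assumptions, with parking.example.gov standing in for the real operator's domain.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains this deployment expects to see; constructed placeholder.
EXPECTED_DOMAINS = {"parking.example.gov"}

def check_qr_payload(payload, expected=EXPECTED_DOMAINS):
    """Return (ok, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, ["malformed URL"]
    if parts.scheme not in ("http", "https"):
        # Covers wallet addresses and any other non-web payload.
        return False, [f"not a web link (scheme {parts.scheme or 'none'!r})"]
    if not host:
        return False, ["no host in URL"]
    reasons = []
    if parts.scheme == "http":
        reasons.append("unencrypted http")
    if "@" in parts.netloc:
        # Only the part after '@' is the destination host.
        reasons.append("text before '@' is not the destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible lookalike domain")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass
    # Match the whole host or a true subdomain, never a substring.
    if not any(host == d or host.endswith("." + d) for d in expected):
        reasons.append(f"host {host!r} is not an expected domain")
    return (not reasons), reasons

if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in (
        "https://parking.example.gov/pay?zone=12",
        "https://parkpay-secure.info/pay",
        "https://parking.example.gov.parkpay-secure.info/pay",
        "https://parking.example.gov@parkpay-secure.info/",
        "bitcoin:CONSTRUCTED-ADDRESS",
    ):
        print(sample, check_qr_payload(sample))
```

Only the first sample passes; the others are rejected with a reason that can be shown to the user in place of the raw URL.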
FAQ
Usually, but verify the QR code hasn't been tampered with. In parking lots and restaurants, check that a sticker hasn't been placed over the original code. Preview the URL before visiting it.
Quishing is QR code phishing — using a malicious QR code to direct victims to a phishing website that steals credentials or installs malware.
Most phone cameras show a preview URL when you scan a QR code. Read it carefully before tapping. You can also use a QR scanner app that previews the URL without automatically opening it.
A QR code itself cannot install malware, but it can direct you to a website that attempts to do so. Never scan QR codes from unknown sources, and don't open any prompted downloads.