
Imagine that you’re heading to the city with some friends to listen to live music. You pull into a parking spot and locate the parking meter. A sticker on the meter says, “Pay for parking—scan to pay now!” You don’t have any cash or coins on you, so this seems like the most convenient option. After all, you’re in a rush and want a quick payment option. Without hesitation, you scan the QR code on the sticker and enter your credit card details to pay for parking.
Could you have been scammed? According to an article from the Washington Post, fraud investigators revealed that at least 10% of QR codes attached to online orders, restaurant tabletops, and public posters are scams.
Fake QR codes have surged since 2022 and now contribute to an estimated $75 billion in annual losses from consumers, according to LexisNexis Risk Solutions’ government division, which partners with federal agencies to fight against these scams.
What is QR Code Fraud?
QR code phishing—or quishing for short—is a scam where attackers use malicious QR codes to deceive people into visiting fake websites, downloading malware, or handing over sensitive data such as login credentials or payment details. It’s essentially phishing, but through a QR code instead of a regular email link.
Here’s how it works:
- Malicious QR codes are planted.
  Scammers print and place fake QR codes in public spaces—on posters, menus, parking meters, flyers, or over legitimate QR codes.
- You scan it.
  The QR code might look harmless, but when scanned, it leads you to one of the following locations:
  - A phishing site that mimics a real service and asks for personal data.
  - A malicious app download that installs malware or spyware on your phone.
  - A payment page where you unknowingly send money to a scammer’s wallet.
- You are compromised!
  Your data or credit card details are stolen or your device is infected. Because QR codes themselves don’t show where they are taking you (unlike clickable links), they’re easy to abuse.
QR Code Scam Examples:
QR codes are found in numerous places. Here are some notable examples of ways QR codes can be used maliciously:
- A scammer places a fake QR code over a parking meter to steal payment information and personal data.
- A restaurant menu QR code leads to a phishing site that looks like a food ordering app, asking users to log in or make a payment. These sites can also install malware on mobile devices.
- A phishing email contains a QR code to bypass email filters and direct users to a fake login page to steal credentials and gain access to user accounts.
- A realistic-looking invoice is sent via email or postal mail with a QR code for “easy payment.” The QR code leads to a malicious website to either collect payment card details or install malware.
How to Spot a Fake QR Code Scam
Recognizing a fake QR code scam can be tricky, but there are some key signs and habits you can use to protect yourself. Here’s a quick guide of actionable steps to prevent QR code scams:
- Look for signs of tampering
  - Peeling stickers or QR codes pasted over another one (e.g., on parking meters or restaurant menus) are a red flag.
  - If the QR code looks out of place or slapped on crudely, don’t scan it.
- Check the surrounding context
  - Does it make sense for a QR code to be there?
  - Are you being asked to pay, sign in, or enter sensitive data unexpectedly?
  - Be extra cautious with public QR codes used in:
    - Flyers
    - Posters
    - Gas stations
    - Parking meters
    - Restaurants
- Preview the URL before opening
  - Most smartphones (like iPhones and Androids) show a preview of the URL before you tap it.
  - Watch for:
    - Misspelled domains (e.g., micros0ft-login.com)
    - Random or unfamiliar URLs
    - Suspicious short links (like bit.ly or tinyurl) unless you fully trust the source
- Beware of urgency or scare tactics
  - Messages like:
    - “Your account will be locked! Scan now!”
    - “Pay your fine immediately!”
    - “Get a free gift, just scan!”
  - Scammers use pressure tactics to manipulate you. Take your time and think before you scan.
- Don’t log in or enter data unless you’re sure
  - Legit QR codes rarely ask for passwords, banking info, or personal ID numbers right away.
  - If a QR code sends you to a login page, verify the website independently (e.g., go directly to the official site instead).
Ways to protect yourself:
- Verify the source before scanning a QR code in public or online.
- Preview the URL if your phone allows you to (some camera apps show the URL before opening).
- Use a QR code scanner with security features or built-in browser protection.
- Don’t enter personal data into any site you’re unsure about after scanning a QR code.
- Be cautious of QR codes sent via unsolicited emails, mailers, or messages.
If your organization uses QR codes to direct customers to services like ticketing or parking, it is important to protect publicly posted QR codes, much as you would payment card devices, and to inspect them regularly to confirm they have not been replaced. Verify that the QR codes are directing customers to the correct website or application. When possible, protect QR codes by placing them within sight of employees or behind glass.
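The URL red flags listed under "Preview the URL before opening" and the regular inspection of posted codes described above can both be scripted. The following is an added example, not part of the original article: it takes text already decoded from each posted QR code, and the host names, shortener list and sample inspection round are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed values for this example: replace with your organization's real hosts.
EXPECTED_HOSTS = {"pay.metroparking.example"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
DIGIT_SWAPS = str.maketrans("0135", "oles")  # undo swaps like micros0ft -> microsoft

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings of a real host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(decoded: str) -> list[str]:
    """Return red flags for the text decoded from one posted QR code."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    flags = [] if parts.scheme == "https" else ["not-https"]
    if not host:
        return flags + ["no-host"]
    if host in SHORTENERS:
        flags.append("short-link")  # the real destination is hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # may render as look-alike characters
    if host not in EXPECTED_HOSTS:
        flags.append("unexpected-host")
        plain = host.translate(DIGIT_SWAPS)
        if any(edit_distance(plain, good) <= 2 for good in EXPECTED_HOSTS):
            flags.append("lookalike-host")  # close to ours: likely impersonation
    return flags

def audit(scans: dict[str, str]) -> dict[str, list[str]]:
    """Map each inspected location to its flags, keeping only the failures."""
    return {place: f for place, url in scans.items() if (f := check_qr_url(url))}

# Constructed inspection round: location -> text decoded from the posted code.
SAMPLE_ROUND = {
    "meter-014": "https://pay.metroparking.example/zone/14",
    "meter-015": "https://pay.metr0parking.example/zone/15",
    "meter-016": "https://bit.ly/constructed",
    "lot-B-sign": "http://pay.metroparking.example/lot/b",
}
```

Calling `audit(SAMPLE_ROUND)` returns only the locations that need attention; a code that passes every check still deserves the physical tamper inspection described above.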
As QR code scams become more common and sophisticated, staying informed is the first line of defense. What once seemed like a simple shortcut can now impact your data privacy and finances. By adopting safer scanning habits and recognizing red flags, consumers can protect themselves in a world where convenience is increasingly targeted by cybercrime.
Download our image below for quick tips on how to stay vigilant.