
QR Code Scams: When a Simple Scan Sends You to a Fake Site

QR codes are everywhere—menus, parking meters, packages. Scammers are swapping in malicious codes that lead to fake logins and sneaky payments.

By Jonas Mercer
A phone scanning a QR code on a public sign—an everyday moment where a swapped sticker can lead to a fake site. (Photo by Quilia)
Key Takeaways
  • A QR code can hide a dangerous link—treat it like a shortened URL you can’t read.
  • Common traps include “parking/payment” pages, delivery rebooking, and fake account logins.
  • You can scan safely by previewing links, checking the domain, and avoiding urgent payment prompts.

Why QR codes are suddenly a scammer’s favorite tool

QR codes feel convenient because they remove friction. No typing, no searching, no “did I spell that right?” You point your camera, tap once, and you’re on your way. That speed is exactly why scammers love them: they turn a moment of trust into a fast lane.

Think of a QR code like a sealed envelope with an address inside. When you scan it, your phone opens the envelope and says, “Want to go here?” The problem is you can’t see the address printed on the outside. With a normal link, you can at least read it and think, “That looks weird.” With a QR code, the weirdness is hidden until after you interact.

These scams are often called “quishing” (QR + phishing). They’re not obscure anymore—QR stickers are cheap to print, easy to place in public, and simple to scale. The best part (for the scammer) is that the setup can be low-tech: a printed label placed over a real QR code on a sign, parking meter, or counter display.

Here’s a real-life-style scenario that captures how ordinary it can look:

  • You’re late. You pull into a parking lot and see a sign: “Pay by QR.”
  • You scan. A page opens that looks like a typical payment screen.
  • You pay quickly. The page thanks you, you walk away, and the day continues.
  • Later… you notice the parking payment never shows up, or your card gets charged again somewhere else, or you receive a “verification code” text you didn’t request.

What happened? Sometimes you paid a scammer directly. Other times you entered card details into a fake form that quietly collected them. And in many cases, the page tries to push you into an account login—email, bank, workplace sign-in—because login details are even more valuable than a one-time payment.

The most common QR code scam patterns (and what they look like in the wild)

QR scams work because they blend into routines. You’re already primed to scan at a restaurant, kiosk, event, building lobby, or on a parcel notice. The scammer doesn’t need you to be careless—just busy.

Below are a few patterns you’re more likely to encounter in everyday life.

| Where you see it | What the scammer changes | What they want from you | The “tell” people miss |
| --- | --- | --- | --- |
| Parking meters / pay stations | A sticker placed over the real payment QR | Card payment to a fake merchant, or card details in a form | The site looks “generic,” and the URL isn’t the city/parking operator |
| Restaurant menus / table tents | Replaced QR that opens a cloned menu site | Phone number/email collection, “download our app,” or a fake tip/payment page | A sudden request to install something or enter card details for “reservation” |
| Delivery and package notices | A QR in an email, flyer, or sticker on a package | “Re-delivery fee,” address confirmation, or account login | Artificial urgency: “Must act today to avoid return” |
| Office posters / HR or IT notices | A QR that “goes to the new policy” or “security update” | Work credentials (SSO login), MFA approval, or device enrollment | It bypasses normal company channels (intranet, official email) |

One reason QR scams work well at work is that they exploit helpfulness. A poster says “Scan to reset your password” or “Scan to enroll in benefits.” It sounds plausible, and scanning feels safer than clicking a link in an email. But the risk is similar: you’re being routed to a destination you haven’t verified.

Another pattern is the “upgrade your account” flow. The QR opens a page that looks like Microsoft 365, Google, or a bank login. You enter your email and password, and the scammer immediately uses it to attempt sign-in. If you have two-factor authentication, they may prompt you to enter the code, or they trigger an MFA push and hope you approve it in a rush.

It can also be as simple as ad fraud and tracking. Not every malicious QR code is there to steal money instantly. Some are there to redirect you to pages that harvest device info, tie your scan to marketing profiles, or push you into spammy subscriptions. The harm is still real—it can lead to more targeted scams later.

How to scan QR codes safely (without becoming paranoid)

You don’t need to swear off QR codes. You just need a small “speed bump” habit: pause for five seconds and verify where you’re going. Most QR scams rely on you staying in autopilot.

Use this simple checklist the next time you scan:

  1. Preview the link before you open it. Many phones show a preview of the URL after scanning. Read it like you’d read a street sign. If it’s a random string, a misspelling, or a domain you don’t recognize, stop.
  2. Look for the real domain, not just a familiar logo. A fake page can perfectly copy a brand’s design. What it can’t easily fake is the official domain name. For example, city-parking-pay.com might look believable, but if your city uses .gov or a known operator domain, the mismatch matters.
  3. Be extra cautious with payments and logins. A QR code that leads to “enter card details” or “sign in to continue” deserves scrutiny. If you weren’t expecting to log in, ask yourself why you’re being asked now.
  4. Check the physical context. If it’s a sticker on top of another sticker, wrinkled, misaligned, or looks newly placed, treat it as suspicious. Scammers often rely on quick sticker swaps.
  5. Use official apps when possible. For parking, transit, and deliveries, the safest route is often opening the official app and paying there, rather than scanning a random code in the environment.
  6. Don’t install apps from QR prompts. If a QR code tries to push you to download an app outside the official app stores, or offers an “APK,” that’s a red flag for malware.

If you’re thinking, “But I don’t know what a ‘good domain’ looks like,” you’re not alone. Here’s a practical mental trick:

  • Read the last part first. The most important part is usually right before .com, .org, .net, or your country code like .uk, .de. Scammers often hide the real destination in a long address.
  • Watch for lookalikes. A single extra letter, a swapped character, or a different ending (like .co instead of .com) can be enough to fool a quick glance.
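The "read the last part first" and lookalike checks, written out as code for a URL decoded from a QR code. This is an added example, not part of the original article; the expected domain `cityparking.example` and the sample URLs are constructed placeholders, and the check only compares against a list of official domains you supply.

```python
from urllib.parse import urlsplit

# Assumption: domains you expect for this sign, taken from an official source.
EXPECTED = {"cityparking.example"}  # constructed placeholder

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url, expected=EXPECTED):
    """Return (verdict, reasons): verdict is match, suspicious or unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        reasons.append("text before '@' is not the destination")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label (possible lookalike characters)")
    for dom in expected:
        # Read the end first: the host must BE the domain or end with ".domain".
        if host == dom or host.endswith("." + dom):
            return ("match" if not reasons else "suspicious"), reasons
        tail = ".".join(labels[-len(dom.split(".")):])
        if dom in host and not host.endswith(dom):
            reasons.append(f"'{dom}' appears but is not the end of the host")
        elif edit_distance(tail, dom) <= 2:
            reasons.append(f"'{tail}' is a near-miss of '{dom}'")
    return ("suspicious" if reasons else "unknown"), reasons

# Constructed sample URLs; city-parking-pay.com is the article's own example.
SAMPLES = ["https://pay.cityparking.example/zone/12",
           "https://cityparkinq.example/pay",
           "https://cityparking.example.pay-now.test/",
           "https://cityparking.example@pay-now.test/",
           "https://city-parking-pay.com/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, check_qr_url(u))
```

An "unknown" verdict means the domain is simply not on your list, which is the case for taking the manual route rather than trusting the page's appearance.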

When in doubt, use a “manual route” instead of the QR code. For example:

  • If the sign says it’s the city parking site, open your browser and search for the city’s official parking payment page.
  • If it claims to be your bank, open your bank’s app directly (not via a link).
  • If it’s an office notice, go to the company intranet or ask IT/HR where the link should live.

What if you already scanned one and entered information? The fastest response is often the most helpful:

Contact your bank/card provider quickly, explain you may have submitted details to a fraudulent payment page, and ask about freezing the card or issuing a replacement. Review recent transactions and set up alerts for new charges.

Change the password immediately from the official website or app (not the QR link). If you reused that password anywhere else, change it there too. Check for new forwarding rules in email, new devices/sessions, and unfamiliar security settings changes. If it’s a work account, notify your IT/security team.

Often yes, but still be cautious. Close the page, don’t download anything, and keep an eye out for follow-up scams (emails/texts) that reference what you were doing. If your browser prompted downloads or permissions, review and remove anything you didn’t intend.

Finally, a useful mindset shift: treat QR codes as “links in the physical world.” You wouldn’t click a random shortened link taped to a lamp post. A QR code is the same thing—just prettier and faster.

And if you’re ever unsure in the moment, take a photo of the QR code and the surrounding sign first. That gives you time to inspect the URL calmly, compare it with an official source, or show it to someone (a coworker, venue staff, support desk) without standing there feeling rushed.
