QR Code Scams: How to Check Before You Scan
QR Code Scams: How Fake QR Codes Steal Your Information
QR codes are everywhere — on restaurant menus, parking meters, event tickets, product packaging, and even business cards. We've been trained to scan them without thinking. And that's exactly what scammers are counting on.
In cities across the US, scammers have been caught placing fake QR code stickers on parking meters. Drivers who scan them expecting to pay for parking are instead redirected to a convincing phishing site that steals their credit card details. In Austin, Texas, police reported dozens of fraudulent QR code stickers found on public parking meters in a single sweep.
But parking meters are just the beginning. Fake QR codes are showing up in restaurant table tents, direct mail, text messages, emails, and even on flyers posted in public spaces.
How the Scam Works
Fake QR Code Stickers in Public Places
Scammers print their own QR codes on stickers and place them over legitimate QR codes. A parking meter, for example, might have a real QR code that takes you to the city's payment app. The scammer pastes their sticker directly on top. The replacement code leads to a site that looks nearly identical to the real parking payment page — same colors, same logo, same layout — but it's a fake designed to harvest your credit card number, name, and billing address.
This same technique works on restaurant table tents (where you scan to see a menu or pay your bill), EV charging stations, public transit ticket machines, shared bikes and scooters, and real estate "for sale" signs.
QR Codes in Phishing Emails and Texts
Scammers also embed QR codes directly in phishing emails and text messages. You might receive an email that appears to be from your bank, a shipping company, or a government agency with a QR code asking you to "verify your account" or "confirm your identity."
Here's an example of a scam email:
Subject: Action Required — Verify Your Account
Dear Customer, We have detected unusual activity on your account. For your security, please scan the QR code below to verify your identity and restore full access. Failure to verify within 48 hours will result in account suspension.
The QR code in the email directs you to a phishing page that mimics your bank's login screen. Any credentials you enter go straight to the scammers.
QR Codes That Install Malware
Some malicious QR codes don't just lead to phishing sites — they trigger automatic downloads of malware, spyware, or adware onto your phone. Once installed, this software can log your keystrokes, steal passwords, access your contacts, or even take over your camera and microphone.
QR Codes in Physical Mail
The FBI has warned about fake letters and postcards sent through physical mail containing QR codes. These often impersonate utility companies, government agencies, or financial institutions. They create urgency ("Scan immediately to avoid service interruption") to get you to act before thinking critically.
Why This Scam Works
QR codes are inherently opaque. Unlike a URL where you can at least glance at the web address before clicking, a QR code reveals nothing about its destination until after you scan it. We've been conditioned to trust QR codes because businesses use them constantly. Scanning feels safe because it's so routine.
The scam also exploits the mobile environment. When you scan a QR code on your phone, the resulting webpage appears on a small screen where it's harder to spot subtle differences in URLs. Mobile browsers also tend to truncate or hide the full URL, making it easier for phishing sites to pass as legitimate.
Red Flags to Watch For
- QR code stickers placed on top of other QR codes. Look for signs that a sticker was added over an original — peeling edges, different paper quality, or misalignment with the surrounding design.
- QR codes in unsolicited emails or texts. Legitimate companies rarely ask you to scan a QR code to verify your account or resolve an issue. They'll direct you to their app or website by name.
- Urgency or threats in the message. "Verify immediately," "your account will be locked," or "scan within 24 hours" are classic pressure tactics.
- The QR code leads to a URL you don't recognize. After scanning, check the URL in your browser before entering any information. Look for misspellings, extra characters, or unfamiliar domains.
- Requests for sensitive information after scanning. A legitimate parking meter app won't ask for your Social Security number. A restaurant menu QR code shouldn't ask for your login credentials.
- Physical QR codes in unexpected locations. Be suspicious of QR codes on random flyers, stickers on ATMs, or codes taped to mailboxes.
- QR codes that trigger file downloads. A QR code should take you to a website, not initiate a download. If your phone asks to download a file after scanning, decline immediately.
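The URL checks from the list above (misspellings, extra characters, unfamiliar domains, file downloads) can be automated on the text a scanner decodes from a QR code. The following Python sketch is an added example, not code from ScamSecurityCheck's tool; the domains in `EXPECTED_DOMAINS`, the extension list, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the sites the user actually expects to pay or log in on.
EXPECTED_DOMAINS = {"parking.example.gov", "examplebank.com"}
DOWNLOAD_EXTS = (".apk", ".ipa", ".exe", ".msi", ".dmg", ".zip", ".mobileconfig")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of expected domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def qr_red_flags(payload, expected=EXPECTED_DOMAINS):
    """Return the red flags found in the text decoded from a QR code."""
    try:
        url = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    if url.scheme not in ("http", "https"):
        return [f"not a web link (scheme {url.scheme!r})"]
    host = (url.hostname or "").lower().rstrip(".")
    flags = []
    if url.scheme == "http":
        flags.append("no HTTPS")
    if url.username or url.password:
        flags.append("text before '@' hides the real host")
    if re.fullmatch(r"[0-9.]+", host) or ":" in host:
        flags.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible lookalike characters)")
    if url.path.lower().endswith(DOWNLOAD_EXTS):
        flags.append("link points at a file download")
    if host in expected or any(host.endswith("." + d) for d in expected):
        return flags  # expected site; only transport/download issues remain
    for d in sorted(expected):
        if d in host:
            flags.append(f"mentions {d} but is hosted elsewhere")
        elif edit_distance(host, d) <= 2:
            flags.append(f"near-miss spelling of {d}")
    if not any(f.startswith(("mentions", "near-miss")) for f in flags):
        flags.append("unfamiliar domain")
    return flags

print(qr_red_flags("https://examp1ebank.com/login"))  # constructed lookalike sample
```

An empty list means only that none of these checks fired; a domain outside the allowlist is always reported, so the allowlist has to hold the sites you actually use.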
What to Do If You've Scanned a Suspicious QR Code
If you haven't entered any information yet: Close the browser tab immediately. Clear your browser history and cache. You're likely fine — just scanning a QR code and loading a page without entering data usually isn't harmful.
If you entered login credentials: Change your password for that account immediately. Enable two-factor authentication if you haven't already. Check for unauthorized activity on the account.
If you entered payment information: Contact your bank or credit card company immediately to report potential fraud. Request a new card number. Monitor your statements for unauthorized charges.
If a file was downloaded: Do not open the file. Delete it immediately. Run a security scan on your phone. If you did open the file, consider a factory reset as a precaution.
Report it: File a report with the FTC at reportfraud.ftc.gov. If the QR code was on public infrastructure (parking meter, transit station), report it to the local authorities.
How to Protect Yourself
Use your phone's built-in QR code scanner rather than a third-party app — built-in scanners typically preview the URL before opening it. Always check the URL after scanning before entering any information. When in doubt, navigate directly to the company's website by typing the URL manually rather than scanning a code. Consider using a QR code scanning app that checks URLs against known phishing databases.
For parking meters and other payments, use the official app if available rather than scanning a QR code on the physical device.
Think you've encountered a suspicious QR code or phishing message? Paste the URL or message text into our free scam scanner for an instant analysis. Our AI-powered tool checks for phishing patterns, suspicious domains, and known scam indicators in seconds.
Courtney Delaney
Founder, ScamSecurityCheck
Courtney Delaney is the founder of ScamSecurityCheck, dedicated to helping people identify and avoid online scams through AI-powered tools and education.
