How to Safely Scan QR Codes

QR codes are everywhere — parking meters, restaurants, flyers. Most are fine. Here's how to tell which ones aren't.

QR codes went from a novelty to something we use every day in a remarkably short time. Restaurants replaced menus with them. Cities put them on parking meters. Packages, concert tickets, payment apps — they’re everywhere. And because we’ve been trained to scan without thinking, scammers noticed.

The good news: protecting yourself doesn’t mean avoiding QR codes entirely. It means adding one small step before you trust where they send you.


Why QR Codes Became a Scam Vector

During the pandemic, QR codes went from “that thing nobody uses” to “the way everything works.” Contactless menus, contactless check-in, contactless payment. We all got used to pointing our phone cameras at little squares and tapping whatever popped up.

That habit — scan and tap without checking — is exactly what scammers exploit.

Here’s the thing about QR codes: they’re just URLs in disguise. When you scan one, you’re clicking a link. And just like you wouldn’t click a suspicious link in an email, you shouldn’t blindly follow a QR code.

The difference is that with an email link, you can at least hover over it and see where it goes. A QR code? You have no idea what’s behind it until you scan it.


The Most Common QR Code Attacks

Sticker Overlays

This is the simplest and most common trick. A scammer prints a fake QR code sticker and places it over a legitimate one.

Think about it — when’s the last time you looked closely at a QR code on a parking meter, a restaurant table, or a public bulletin board? Scammers count on that. They slap their QR code right on top of the real one, and you’d never notice unless you were looking for it.

This has hit parking meters especially hard. Scammers place stickers over the city’s payment QR code. You scan it, land on a site that looks like the city’s parking app, enter your credit card number — and the scammer has it.

Fake Parking Tickets and Fines

You come back to your car and find a notice on your windshield: a parking violation with a QR code to “pay the fine online.” The notice looks official. The QR code takes you to a convincing payment page.

The catch: the whole thing is fake. There was no violation. The page exists only to steal your payment information.

Real parking tickets come from your city’s parking authority and typically direct you to an official government website. If you get a ticket, look up your city’s parking fine payment site yourself — don’t scan a code on the ticket.

Malicious QR Codes in Mail

Some scammers have moved to physical mail. You receive a letter that looks like it’s from your bank, a utility company, or a government agency. It includes a QR code to “verify your account” or “update your information.”

The letter might even have real logos, real addresses, and look completely legitimate. But the QR code leads to a phishing site designed to harvest your login credentials.

QR Codes in Emails and Texts

This one is clever. Scammers embed QR codes in phishing emails specifically because many email security filters don’t scan images for malicious URLs. The email might say “Scan this QR code with your phone to verify your account.” By moving you from your computer (which might have security software) to your phone (which probably doesn’t), they bypass multiple layers of protection.

Fake Wi-Fi Network QR Codes

Coffee shops and airports often post QR codes to join their Wi-Fi. Scammers create their own QR codes that connect you to a rogue Wi-Fi network instead. Once you’re on their network, they can potentially intercept your traffic. If you see a QR code for Wi-Fi, ask a staff member to confirm it’s the real one.


How to Safely Scan QR Codes

1. Preview the URL Before Opening

This is the single most important habit. When you scan a QR code, your phone shows you the URL before you open it. Actually read it.

URL Preview                     Safe?
cityparking.gov/pay             Likely legitimate
c1ty-parking-pay.com            Scam — misspelled, wrong domain
bit.ly/3xK2mPq                  Suspicious — no way to tell where it goes
restaurant-name.com/menu        Likely legitimate
menu-download.xyz/r?id=38291    Suspicious — strange domain

If the URL looks unfamiliar, misspelled, or uses a URL shortener that hides the destination, don’t open it.
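
The same preview check, written as a small triage routine for the text decoded from a QR code. This is an added example, not code from the original article; the shortener list, the similarity threshold and the `EXPECTED` hosts are assumptions, and the samples are the table's previews plus a constructed Wi-Fi payload and a constructed subdomain lookalike.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed for this sketch, not from the article: the shortener list, the
# similarity threshold, and the caller-supplied set of expected hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
LOOKALIKE_THRESHOLD = 0.7

def _name(host):
    """Hostname minus its final label, keeping letters and digits only."""
    return "".join(c for c in host.rsplit(".", 1)[0] if c.isalnum())

def triage(payload, expected_hosts):
    """Return (verdict, reason) for the text decoded from a QR code."""
    text = payload.strip()
    # Previews often omit the scheme; add one so the host parses.
    if "://" not in text and ":" not in text.split("/")[0]:
        text = "https://" + text
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"not a web link ({parts.scheme}: payload)"
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in expected_hosts:
        return "likely legitimate", "host matches an expected site"
    if host in SHORTENERS:
        return "suspicious", "shortener hides the destination"
    # Misspellings and "real-name.gov.something.example" style hosts score high.
    for good in sorted(expected_hosts):
        score = SequenceMatcher(None, _name(host), _name(good)).ratio()
        if score >= LOOKALIKE_THRESHOLD:
            return "scam", f"resembles {good} but is a different domain"
    return "suspicious", "unfamiliar domain"

# Constructed inputs: the table's five previews, a Wi-Fi payload, and a
# subdomain lookalike. EXPECTED is the assumed list of sites you meant to reach.
EXPECTED = {"cityparking.gov", "restaurant-name.com"}
SAMPLES = [
    "cityparking.gov/pay", "c1ty-parking-pay.com", "bit.ly/3xK2mPq",
    "restaurant-name.com/menu", "menu-download.xyz/r?id=38291",
    "WIFI:S:CafeGuest;T:WPA;P:example;;", "cityparking.gov.pay.example/now",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", *triage(sample, EXPECTED))
```

A host only counts as legitimate on an exact match; anything that merely resembles an expected name is treated as worse than an unknown one.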

2. Physically Inspect the QR Code

Before you scan a QR code in a public place, take a second to look at it.

  • Is it a sticker placed on top of something? Run your fingernail along the edge. If there’s a sticker over another code, that’s a red flag.
  • Does it look like it belongs there? A QR code taped to a parking meter with scotch tape is suspicious. One that’s printed directly on the meter or on official signage is more trustworthy.
  • Is it in a strange location? A QR code stuck to a random pole or bench should be ignored entirely.

3. Use Your Phone’s Built-In Camera

Stick with your phone’s default camera app to scan QR codes. Both iPhone and Android have built-in QR scanning that shows you the URL before opening it.

Avoid third-party QR scanner apps. Some are fine, but others have been caught injecting tracking, showing ads, or — in the worst cases — modifying the destination URL. Your phone’s camera does the job perfectly well.

4. Never Enter Payment Details on a Page Reached via QR Code

This is a hard rule worth following: if a QR code takes you to a page asking for credit card or bank details, stop.

Instead, navigate to the company’s website or app directly. If you need to pay for parking, download the city’s official parking app from the App Store or Google Play. If a restaurant wants you to pay via QR code, ask for an alternative.

5. Be Extra Cautious With QR Codes That Trigger Downloads

A legitimate QR code at a restaurant takes you to a menu webpage. It should never try to download a file to your phone. If scanning a QR code triggers a download prompt, cancel it immediately.


Real-World QR Scam Examples

Parking Meter Scams Across the US

In 2022 and 2023, cities including Austin, Houston, and San Antonio reported fake QR code stickers appearing on parking meters. The codes led to convincing payment pages that stole credit card information. Some victims didn’t realize what happened until fraudulent charges appeared on their statements weeks later.

The “Crypto QR Code” ATM Scam

A scammer calls pretending to be from your bank or the IRS, claiming you owe money. They direct you to a cryptocurrency ATM and tell you to scan a QR code they send to your phone. That QR code is the scammer’s crypto wallet. You’re essentially depositing cash directly into their account — and there’s no way to reverse it.

Restaurant Menu Swap

In several European cities, scammers replaced legitimate restaurant menu QR codes on outdoor tables with codes leading to phishing pages. The page looked like a menu but prompted visitors to “create an account” to view it, capturing email addresses and passwords that victims likely reused on other sites.


What to Do If You Scanned a Bad QR Code

If you think you’ve scanned a malicious QR code, act quickly:

If you only opened a suspicious website (didn’t enter anything):

  1. Close the browser tab immediately
  2. Clear your browser history and cache
  3. You’re most likely fine — just opening a page usually isn’t enough to cause harm

If you entered login credentials:

  1. Change that password immediately — on the real site, not through the QR code link
  2. If you use that password anywhere else (I know, I know), change it there too
  3. Enable two-factor authentication on the affected account
  4. Watch for unauthorized activity

If you entered payment information:

  1. Call your bank or credit card company immediately
  2. Report the card as compromised — they’ll issue a new one
  3. Monitor your statements for unauthorized charges
  4. Consider a temporary fraud alert with credit bureaus

If a file was downloaded:

  1. Do not open the file
  2. Delete it immediately
  3. If you already opened it, run a malware scan on your device
  4. If it was on your phone, consider restarting it in safe mode and removing any unfamiliar apps

The Bottom Line

QR codes aren’t inherently dangerous — they’re just links. And like any link, the key question is: do you trust where it’s taking you?

The one habit that protects you from almost every QR code scam is reading the URL preview before you tap through. That tiny pause — two seconds of attention — is the difference between convenience and compromise.


Quick Checklist

  • Always preview the URL before opening a scanned QR code
  • Physically inspect QR codes in public for sticker overlays
  • Use your phone’s built-in camera, not third-party scanner apps
  • Never enter payment details on a page reached via QR code
  • If a QR code triggers a download, cancel immediately
  • When in doubt, navigate to the website directly instead of scanning
  • Treat QR codes the same way you’d treat links in emails — with healthy skepticism