📱

QR Code Scams

6 minute read

That QR code on the parking meter, restaurant table, or flyer might not go where you think. Here's how to stay safe.

QR codes are everywhere now. Menus, parking meters, event tickets, product packaging, business cards. We’ve been trained to pull out our phones and scan without a second thought. And scammers are counting on exactly that.

The problem with QR codes is that they’re opaque. You can look at a link and get a sense of where it goes. You can’t look at a QR code and tell anything about the destination. It’s just a square of black and white dots. That makes them a perfect vehicle for sending you somewhere dangerous.

Here’s how to tell the difference between a legitimate QR code and one designed to steal your money or information.

What QR Code Scams Look Like

The Parking Meter Sticker

You pull into a downtown parking spot. There’s a QR code sticker on the meter that says “Scan to pay.” You scan it, enter your credit card information on what looks like a city parking portal, and drive off. The site was fake. Your card is now in a scammer’s hands – and you’ll probably get a real parking ticket too.

This scam has hit cities across the US, including Austin, Houston, San Antonio, and Denver. Scammers place adhesive QR code stickers directly on top of legitimate ones – or on meters that never had QR codes in the first place.

The Restaurant Table Tent

A small card on your restaurant table says “Scan to view our menu” or “Scan to leave a tip.” The code takes you to a page that asks for your payment details. It looks professional and matches the restaurant’s branding. But the restaurant didn’t put it there.

The Fake Parking Ticket

You return to your car and find what looks like a parking violation on your windshield. Instead of a traditional fine, it has a QR code and says “Scan to pay your fine online and avoid additional penalties.” The ticket looks official, with a city logo and case number. But it’s completely fake.

The Mail and Package Insert

You receive a piece of mail – maybe a postcard or letter – with a QR code. “Scan to confirm your identity,” “Scan to claim your refund,” or “Scan to update your delivery preferences.” The branding looks like it’s from the postal service, a bank, or a government agency.

The Event Flyer or Poster

A poster on a college campus or community bulletin board advertises a free event, a job opportunity, or a giveaway. “Scan for details.” The QR code takes you to a site that asks for your personal information to “register” – name, email, phone number, maybe even your student ID.

How QR Code Scams Work

Step 1: A scammer creates a fake website designed to steal information or payment details. The site usually looks convincing – professional design, correct logos, plausible URL.

Step 2: They generate a QR code that points to this fake site.

Step 3: They place the QR code where people will scan it without thinking. This could be a sticker over a legitimate QR code, a printed flyer, a fake official notice, or an insert mailed to your home.

Step 4: You scan the code, land on the fake site, and enter your payment info, login credentials, or personal details.

Step 5: The scammer captures whatever you entered. If it was a credit card, they use or sell it. If it was a login, they access your accounts. If it was personal information, they use it for identity theft.

Some QR code scams skip the fake website entirely and instead trigger a malware download or prompt you to install a malicious app.

Red Flags to Watch For

Physical signs of tampering – A QR code sticker placed on top of another sticker, or a code that looks like it doesn’t quite belong. Edges that are peeling up, different paper stock, or slightly different sizing than the surface it’s on.

Unexpected payment requests – If scanning a QR code immediately asks for your credit card number, pause. Legitimate parking systems, for example, usually route through well-known apps like ParkMobile or PayByPhone.

The URL looks wrong – When you scan a QR code, your phone usually shows you the URL before opening it. Check it. A parking meter QR should take you to a city government site or a recognized parking app, not “cityparking-pay.xyz.”

No context for the code – A random QR code sticker on a gas pump, ATM, or public surface with no clear branding or explanation for why it’s there.

Pressure or urgency – “Scan immediately to avoid penalties.” Legitimate organizations give you time and multiple ways to respond.

The page asks for too much – A menu QR code should show you a menu, not ask for your email, phone number, or payment details.

How This Scam Has Evolved with AI

QR code scams used to be easy to spot because the fake websites they led to were often poorly designed – broken layouts, typos, low-resolution logos. That’s changed dramatically.

Scammers now use AI tools to generate pixel-perfect clones of legitimate websites in minutes. The fake parking payment site you land on might be indistinguishable from the real one. The URL is the only reliable tell, and many people don’t check it.

AI also makes it easy to generate convincing print materials. A scammer can create professional-looking parking tickets, official notices, or restaurant table cards with proper formatting, logos, and language. The physical materials themselves look legitimate because AI can replicate the visual style of any brand or government agency.

Some scammers are also combining QR codes with AI chatbots. You scan a code, land on what looks like a customer service page, and an AI chatbot walks you through “verifying your identity” or “processing your payment” – collecting your information the entire time.

How to Protect Yourself

Preview the URL before you open it. When your phone scans a QR code, it shows you the destination URL. Look at it before tapping. If it doesn't match what you'd expect, don't open it.

Before You Scan

  • Look for tampering. Is the QR code a sticker placed on top of something else? Does it look like it belongs there?
  • Ask yourself if a QR code makes sense here. A menu at a restaurant? Sure. A random sticker on an ATM? Suspicious.
  • Check if there’s an alternative. Can you go to the website directly instead of scanning? Can you download the official app?

When You Scan

  • Check the URL preview. Your phone’s camera app will show you where the QR code leads before you open it. Read the URL carefully.
  • Look for HTTPS. Legitimate payment sites use HTTPS. But remember, scam sites can too – HTTPS alone doesn’t mean a site is safe.
  • Use your phone’s built-in camera app rather than a third-party QR scanner app. Some third-party scanners have been found to be malicious themselves.

For Parking Meters Specifically

  • Use the official parking app directly. Download ParkMobile, PayByPhone, or whatever your city uses, and pay through the app. Don’t scan the meter.
  • Pay at the meter with coins or card if the meter has a built-in payment system.
  • Look up your city’s parking website and check which payment methods they actually support.

What to Do If You Scanned a Malicious QR Code

If You Didn’t Enter Any Information

  1. Close the browser tab immediately
  2. You’re most likely fine – simply visiting a page is usually not enough to cause harm on a modern phone

If You Entered Payment Information

  1. Call your bank or credit card company immediately
  2. Report the charge as potentially fraudulent
  3. Request a new card number
  4. Monitor your statements for unauthorized charges

If You Entered Login Credentials

  1. Go to the real website and change your password immediately
  2. Enable two-factor authentication if you haven’t already
  3. Change the password anywhere else you’ve used the same one

If You Downloaded or Installed Something

  1. Delete the app immediately
  2. Restart your phone
  3. Run a security scan if your phone has one built in
  4. Change passwords for accounts you’ve accessed on that device
  5. Consider a factory reset if you’re concerned

For complete recovery steps: I Think I Was Scammed

How to Report QR Code Scams

  • Report to the FTC: ReportFraud.ftc.gov
  • Report to local authorities – If you find a fraudulent QR code sticker on a parking meter or public infrastructure, contact your city government or local police non-emergency line
  • Notify the business – If you find a suspicious QR code at a restaurant, store, or other business, let the staff know. They may not realize someone placed it there
  • Report to the FBI’s IC3 for internet-related fraud: ic3.gov

Quick Summary

  • Never scan a QR code without checking the URL preview your phone shows you

  • Look for physical signs of tampering – stickers placed over other stickers, codes that look out of place

  • Use official apps instead of scanning when paying for parking or other services

  • If a QR code asks for payment or personal info, go directly to the official website instead

  • Report suspicious QR codes to the business, local authorities, and the FTC