Security 2026-02-10 3 min By Cornelious Fazal

The 5 Most Common QR Code Scams in 2026 | How to Stay Safe

Quick Answer

Scammers are using QR codes to steal money and data. Learn about 'Quishing', fake parking tickets, and the top 5 scams happening right now.

Warning sign showing a malicious QR code sticker placed over a legitimate parking meter QR code

Why Scammers Target QR Codes

QR codes are a perfect vehicle for fraud: they hide the destination URL from the human eye, look identical whether legitimate or fake, and trigger trust because they're used everywhere from restaurant menus to government services. The FBI's Internet Crime Complaint Center (IC3) first issued a formal alert about QR code fraud in January 2022, naming the technique "quishing" - QR phishing.

Unlike email phishing, which most people now recognise, quishing is relatively new. Victims don't know to distrust a code on a physical surface the way they would a suspicious link in an email.

Scam 1: The Parking Meter Overlay

This is the most widespread QR code scam in the physical world. Fraudsters print professional-looking "Pay Here" stickers and paste them over the legitimate QR code on a parking meter or ticket machine.

What happens: You scan the fake code. The site looks identical to the real payment portal. You enter your card details. Scammers steal your payment information - and you still get a parking fine because you never actually paid the council or city.

Reported scale: In 2022, the city of Austin, Texas, reported fraudulent QR code stickers on parking meters across the downtown area. UK police forces have issued similar warnings for city centre car parks.

How to avoid it:

  • Touch the code first: If the QR code feels like a sticker applied on top of the machine, do not scan it - check the machine surface around it.
  • Use the official app: Most councils and parking operators have their own app. Using it directly bypasses QR code fraud entirely.
  • Pay at the machine: Use the card slot or coin slot on the meter rather than scanning if you're unsure.

Scam 2: Fake Package Delivery Notices

You find a card on your door or in your mailbox: "We attempted delivery. Scan to reschedule." The QR code leads to a convincing fake copy of a courier site (UPS, FedEx, Royal Mail, Amazon).

What happens: The fake site asks for your address confirmation and a small "redelivery fee." Some variants request identity verification. Either way, scammers steal your card details or identity. There was never a package.

How to avoid it:

  • Check the URL preview: Before tapping, read the full URL your phone shows. The domain fedex-redelivery-uk.com is not FedEx. Real courier sites use fedex.com, royalmail.com, or ups.com, with no extra words added to the domain name.
  • Track manually: Go directly to the courier's official website and type your tracking number in manually.

Scam 3: The Street "Accidental Transfer"

A stranger approaches you claiming to have lost their wallet and asks if they can send you money digitally in exchange for cash. They show you a QR code to scan to "receive" the money.

How it works: The code doesn't send you money. It opens a payment request asking you to pay them - or installs malware on your phone via a malicious web page.

How to avoid it: Never scan a QR code shown to you by a stranger on the street. If you want to help someone, offer cash or buy a ticket directly - don't use your phone.

Scam 4: Malicious Menu QR Codes

This is the restaurant version of the parking meter attack. Someone pastes a fake QR code sticker over the legitimate menu code on a table in a restaurant or café.

Red flag: After scanning, the page asks you to download a "Menu Viewer" app. A real restaurant menu should open a PDF or website directly. No legitimate menu requires an app download.

How to avoid it:

  • If a menu scan asks you to install an app, stop immediately and alert staff.
  • Ask the waiter for a physical menu if you're unsure.

Scam 5: Fake Public WiFi QR Codes

A printed sign at a café, airport, or hotel says "Free Fast WiFi - Scan to Connect." The QR code connects you to a hacker's rogue hotspot instead of the establishment's real network.

What happens: The attacker can intercept unencrypted traffic - passwords, form submissions, and login sessions - from all connected devices.

How to avoid it:

  • Ask staff for the exact network name before connecting.
  • Use a VPN on all public WiFi connections.
  • Avoid logging into banking or sensitive accounts on public networks regardless of how you connected.
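To check the network name before connecting, you can read what a WiFi QR code actually contains. The sketch below is an added example, not code from this site's generator: it assumes the widely used `WIFI:` payload convention, which this article does not spell out, and the function names and sample payloads are constructed for illustration.

```javascript
// Parses the "WIFI:" payload convention used by WiFi QR codes, e.g.
//   WIFI:T:WPA;S:<network name>;P:<password>;H:<hidden>;;
// A backslash escapes the next character (\ ; , : ").
function parseWifiQr(payload) {
  if (!/^WIFI:/i.test(payload)) return null;
  const fields = {};
  let key = null;
  let buf = "";
  const body = payload.slice(5);
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === "\\" && i + 1 < body.length) {
      buf += body[++i]; // escaped character, taken literally
    } else if (ch === ":" && key === null) {
      key = buf.toUpperCase(); // end of field name
      buf = "";
    } else if (ch === ";") {
      if (key !== null) fields[key] = buf; // end of field value
      key = null;
      buf = "";
    } else {
      buf += ch;
    }
  }
  if (key !== null) fields[key] = buf; // tolerate a missing final ";"
  return {
    ssid: fields.S || "",
    auth: (fields.T || "nopass").toUpperCase(),
    hidden: (fields.H || "").toLowerCase() === "true",
  };
}

// Compares the decoded network with the name staff gave you (expectedSsid).
function reviewWifiQr(payload, expectedSsid) {
  const net = parseWifiQr(payload);
  if (!net) return { net: null, warnings: ["not a WiFi QR payload"] };
  const warnings = [];
  if (net.ssid !== expectedSsid) {
    warnings.push(`network name "${net.ssid}" differs from "${expectedSsid}"`);
  }
  if (net.auth === "NOPASS") warnings.push("open network: no WiFi encryption");
  return { net, warnings };
}

// Constructed sample payloads.
const GENUINE = "WIFI:T:WPA;S:Harbour Cafe;P:flat\\;white;;";
const ROGUE = "WIFI:T:nopass;S:Harbour Cafe Free;;";
console.log(reviewWifiQr(GENUINE, "Harbour Cafe").warnings); // []
console.log(reviewWifiQr(ROGUE, "Harbour Cafe").warnings);
```

The parser deliberately leaves the password out of its result so it is never logged.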

How Do You Know If a QR Code Is Safe?

Use this 3-second check every time you scan a code in a public place:

  1. Feel it: Does the code look or feel like a sticker applied over something else?
  2. Read the URL preview: Before tapping the notification, check the full web address your phone shows. Is it the official domain?
  3. Question the request: Does the site ask for a password, payment, or app download unexpectedly? That is a red flag.

A QR code that opens a normal website with no login request, payment form, or download prompt is almost always safe.
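The "read the URL preview" step here and in Scam 2 comes down to comparing the host of the decoded URL with the official domain. The following is an added example, not code from this site: the allowlist holds the courier domains named above, the `.example` hosts are constructed samples, and the function name is hypothetical.

```javascript
// Official domains named in this article; extend the list for your own use.
const OFFICIAL_DOMAINS = ["fedex.com", "royalmail.com", "ups.com"];

// Returns { ok, host, reason } for the text decoded from a QR code.
function checkQrUrl(decodedText, official = OFFICIAL_DOMAINS) {
  let url;
  try {
    url = new URL(decodedText.trim());
  } catch {
    return { ok: false, host: null, reason: "not a URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, host: url.hostname, reason: "not https" };
  }
  // URL parsing lowercases the host and splits off any "user@" prefix, so
  // "https://ups.com@redelivery.example/" has hostname "redelivery.example".
  const host = url.hostname.replace(/\.$/, "");
  if (url.username || url.password) {
    return { ok: false, host, reason: "userinfo in URL" };
  }
  // Match the whole host or a true subdomain, never a substring.
  const match = official.find((d) => host === d || host.endsWith("." + d));
  if (!match) {
    return { ok: false, host, reason: "host is not an official domain" };
  }
  return { ok: true, host, reason: "matches " + match };
}

// Constructed sample payloads (not taken from real campaigns).
const SAMPLES = [
  "https://www.fedex.com/track",
  "https://fedex-redelivery-uk.com/pay",
  "https://fedex.com.redelivery.example/pay",
  "https://ups.com@redelivery.example/",
  "http://royalmail.com/",
];
for (const s of SAMPLES) {
  const r = checkQrUrl(s);
  console.log(r.ok ? "OK  " : "STOP", s, "->", r.reason);
}
```

Only the first sample passes; the others show the lookalike name, the official name used as a prefix of another domain, the `user@host` trick, and a non-HTTPS link.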

What to Do If You've Been Scammed via a QR Code

Act fast if you've entered payment or personal details on a site reached through a suspicious QR code:

  1. Contact your bank immediately - report a potential card compromise and request a freeze or replacement.
  2. Change passwords for any accounts you may have accessed from that device while connected to a suspicious network.
  3. Report to Action Fraud (UK: actionfraud.police.uk) or the FBI's IC3 (US: ic3.gov) - reports help law enforcement track and dismantle scam campaigns.
  4. Report the physical location to local police if the fake QR code was on a meter or public sign - the code may still be in place defrauding others.

Generating Safe QR Codes for Your Own Use

If you're creating QR codes for guests, customers, or events, use a generator that creates static codes. Static codes encode the destination directly - there's no redirect server that a third party could compromise or take over. Our free WiFi QR code generator creates permanent, privacy-first codes that run entirely in your browser.

Stay alert. Scan with your eyes before you scan with your camera. Most QR code scams are easy to avoid once you know the patterns.

Frequently Asked Questions

Quishing is QR phishing - a fraud technique where criminals create or replace legitimate QR codes with malicious ones that direct victims to fake websites designed to steal payment details, login credentials, or identity information. The FBI first issued a formal quishing alert in January 2022.

Before scanning, check whether the code looks like a sticker applied over another surface. After scanning, read the full URL your phone shows before tapping - confirm it matches the official domain. If the destination asks for a password, payment, or app download out of context, do not proceed.

Yes, but only if you tap a link and download something from the destination site. Simply scanning a QR code with your camera does not install anything. The risk comes from visiting a malicious page and then downloading an 'app' or entering credentials. Always check the URL before tapping any notification.

Contact your bank immediately to freeze or replace your card. Change passwords for any accounts accessed during the incident. Report the scam to Action Fraud (UK) at actionfraud.police.uk or the FBI's IC3 at ic3.gov. If the fake code is on a physical surface in public, report the location to local police so it can be removed.

Legitimate menu QR codes are safe - they simply open a PDF or website. The red flag to watch for is if a scanned menu code asks you to download an app. No genuine restaurant menu requires an app install. If you see this request, stop scanning and ask staff for a physical menu.

Yes. Fake QR codes on delivery notices, parking meters, and public signs have been used to direct victims to convincing fake sites that harvest name, address, date of birth, and payment card data. Treat a QR code's destination the same way you'd treat an unknown email link - check the URL before entering any personal information.