How the Sticker Overlay Attack Works
The QR sticker scam is the physical-world equivalent of a phishing email. A criminal uses a standard color printer and waterproof sticker paper to print a counterfeit QR code. The fake code is designed to match the font, color, and layout of the legitimate label it will cover.
The criminal walks up to the target (a parking meter, an EV charging station, a restaurant tabletop, or an ATM fascia) and presses the sticker directly over the legitimate code. The process takes under 10 seconds and requires no technical knowledge.
When a victim scans the code, they are directed to a near-perfect clone of the legitimate payment portal. They enter their credit card number, expiry date, and CVV. The criminal's server captures the data and either immediately uses it or sells it on dark web markets.
The Four Highest-Risk Locations in 2026
Law enforcement in the United States, United Kingdom, and Australia documented a surge in sticker overlay attacks between 2024 and 2026. These four location types are the most frequently targeted:
- Parking meters and pay stations: City-operated meters are high-volume, low-supervision targets. Criminals place stickers on Friday afternoons and remove them before Monday inspections, logging thousands of fraudulent transactions over a weekend.
- Electric vehicle charging stations: EV chargers in unsupervised parking lots (particularly at shopping centers and airports) are targeted because users expect to scan a code to initiate a payment session. The dollar amounts are larger per transaction than parking.
- Restaurant and cafe tabletops: Individual table QR codes are extremely easy to overlay because the tables are not staffed. A criminal needs only 2 to 3 seconds per table to apply a sticker in an unstaffed seating area.
- ATM surround stickers: A QR code printed on a sticker applied to the surround of an ATM fascia prompts users to "scan to resolve a card issue." The code leads to a credential harvesting page impersonating the bank.
The 5-Second Physical Inspection Method
You do not need any technology to detect most sticker overlays. Train yourself to perform this inspection before scanning any public QR code:
- Run your fingernail along the edge of the code. A genuine printed code is flush with its surface. A sticker overlay has a thin raised edge you can feel even if you cannot see it.
- Look for misaligned edges. Official printed codes are centered and aligned with the surrounding label. A hand-placed sticker is rarely perfectly aligned.
- Check the quiet zone. The blank white border around the code must be even on all four sides. A sticker that was cut slightly wrong will show an uneven border on one side.
- Compare the paper texture. Official labels use commercial print-quality stock. Stickers printed on a home or office inkjet printer have a slightly different sheen under light.
- Read the URL preview before tapping. The URL should match the service you are paying for. A parking meter operated by your city should show a government or known parking operator domain, not a random commercial URL.
How Business Owners Can Protect Their Legitimate Codes
If your business uses QR codes on public-facing materials, you are responsible for monitoring them for tampering. Four protective measures:
- Use tamper-evident label stock: Print your codes on void-pattern security label stock that shows a "VOID" or "OPENED" pattern if someone tries to remove or cover the label.
- Conduct weekly physical inspections: Any code deployed on unsupervised public surfaces should be physically inspected at least weekly for sticker overlays.
- Use static codes pointing to your own domain: Generate a free static QR code that encodes your own website URL directly. The URL preview will show your recognizable domain name, making any impersonation immediately obvious to alert users.
- Add a visual trust indicator: Print your business name and website address in text directly below the QR code. If the code preview does not match the printed URL below it, users know immediately that something is wrong.
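The weekly inspection and the static-code measure above can be combined into a simple audit, shown here as an added example that is not part of the original article: an inspector scans each deployed label, and the script compares the decoded payload with the URL the business originally encoded. The label IDs, domains, and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed inventory: label ID -> URL the business encoded in its static code.
INVENTORY = {
    "meter-014": "https://pay.cityparking.example/m/014",
    "table-07": "https://menu.cafe.example/t/7",
}

def normalize(url):
    """Return (host, port, path, query), or None if the URL cannot be trusted."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # text before "@" can make a foreign host look like ours
    host = parts.hostname.rstrip(".")
    try:
        # Compare in ASCII form so lookalike Unicode hostnames never match.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return (host, port or 443, parts.path or "/", parts.query)

def audit_scan(label_id, decoded):
    """Classify one inspection scan as 'ok', 'unknown-label', or 'tampered'."""
    expected = INVENTORY.get(label_id)
    if expected is None:
        return "unknown-label"
    got = normalize(decoded)
    if got is None or got != normalize(expected):
        return "tampered"
    return "ok"

def audit_round(scans):
    """Return the label IDs from one inspection round that need a site visit."""
    return [label for label, decoded in scans if audit_scan(label, decoded) != "ok"]

if __name__ == "__main__":
    # Constructed scan results from one inspection round.
    round_1 = [
        ("meter-014", "https://pay.cityparking.example.evil.test/m/014"),
        ("table-07", "https://menu.cafe.example/t/7"),
    ]
    print(audit_round(round_1))
```

Because a static code always encodes the same URL, any difference in scheme, host, port, path, or query is treated as tampering rather than matched loosely by domain suffix.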