How to Spot a QR Code Scam

How to Spot a QR Code Scam

QR codes have become a standard part of daily life — used for menus, payments, parking, and event check-ins. This ubiquity makes them an attractive vector for attackers, who replace or overlay legitimate QR codes with malicious ones.

How QR Code Scams Work

Attackers print fake QR code stickers and place them over legitimate codes in public spaces — parking meters, restaurant tables, posters, and even bank ATMs. When a victim scans the code, they are redirected to a convincing phishing page that harvests credentials or payment details.

In email-based attacks, QR codes are embedded in messages to bypass text-based phishing filters, since the URL is encoded in an image rather than plain text.

Warning Signs

• A QR code sticker that appears to be placed over an existing code
• Unexpected redirects to login pages after scanning
• URLs that do not match the expected organisation (check the preview before opening)
• Requests for payment or credentials immediately after scanning
• QR codes received in unsolicited emails or text messages

Safe Scanning Habits

1. Use a QR scanner that previews the URL before opening it.

2. Inspect physical QR codes for signs of tampering — peeling edges, misaligned stickers.

3. Never enter payment details or passwords on a page reached via a QR code unless you are certain of its legitimacy.

4. If in doubt, navigate to the organisation directly via your browser.

5. Report suspicious QR codes to venue staff or your IT security team.