QR Code Scams: 4 Common Tricks And How To Fight Back

Learn how scammers misuse QR codes, how to spot red flags, and simple steps you can take to protect your money and personal information.

By Sneha Tete, Integrated MA, Certified Relationship Coach
Created on

QR codes make it fast and easy to view a menu, pay for parking, track a package, or log in to an account. But the same convenience that helps you can also help scammers. Cybercriminals increasingly hide harmful links behind QR codes to steal passwords, financial data, and other personal information.

This guide explains how QR code scams work, where you are most at risk, and what steps you can take to reduce your chances of becoming a victim. It draws on guidance from consumer protection agencies and cybersecurity experts to give you practical, easy-to-follow advice.

Why QR Codes Are a Target for Scammers

A QR code is simply a machine-readable pattern that encodes a web address or other data. When your phone scans the code, it usually opens the link without you typing anything.

For scammers, QR codes have several advantages:

  • They hide the real link. You cannot see the full URL until after scanning, which makes it easier to direct you to a fake site.
  • They look routine and harmless. People now expect QR codes on menus, fliers, parking signs, and bills, so they often scan without thinking.
  • They can bypass some security checks. Many email and spam filters look for dangerous links in text but are less effective at analyzing images containing QR codes.
  • They are easy to place or replace. A scammer can cover a real code with a sticker or print fake codes on cheap materials and distribute them widely.

How QR Code Scams Typically Work

Although individual schemes differ, most QR code scams follow a similar pattern:

  1. You see a QR code on a sign, in an email, text, letter, or package.
  2. The surrounding message urges you to scan the code to pay a fee, confirm a delivery, resolve an account problem, or claim a prize.
  3. When you scan, your phone opens a site that may look like a familiar company, government agency, or bank.
  4. The site asks you to log in, enter payment information, or download an app.
  5. If you comply, scammers capture your data or install malware on your device.
Read More

The Future of AI: Preventing a Big Tech Monopoly >

The Future of AI: Preventing a Big Tech Monopoly

Because the QR code hides the destination until you scan it, scammers rely on urgency, fear, or curiosity to push you into acting quickly.

Common Types of QR Code Scams

QR code fraud can appear in many forms. Understanding the most common patterns helps you recognize risks earlier.

1. Fake Login Pages and Phishing Sites

One widespread tactic is often called “quishing” (QR phishing). Scammers design QR codes that open a website mimicking a bank, delivery company, government office, or familiar online service.

  • The page may copy logos, colors, and layout from the real site.
  • You are prompted to enter usernames, passwords, or one-time passcodes.
  • Once submitted, those details go directly to the criminals, who can use them to access your accounts.

2. Malicious Payment Requests

Some scammers attach QR codes to payment-related signs or bills to divert money:

  • Covering a real parking meter or invoice QR code with a malicious one that routes payments to the scammer’s account.
  • Sending an email or text that appears to be from a utility, subscription service, or government agency, instructing you to scan the code to avoid late fees or penalties.

In these schemes, you may believe you have paid a legitimate bill while the real organization never receives the money.

3. Unsolicited Packages and Mailings

Law enforcement and cybercrime reporting centers have documented scams where criminals send unsolicited packages or letters containing QR codes to potential victims.

  • The package may look like it comes from a retailer, a shipping company, or a government program.
  • There may be little or no sender information, encouraging you to scan the code to “learn more” or “verify delivery.”
  • The QR code then leads to a site asking for personal or financial details or attempting to install malware.

4. Malware and Device Takeover

Some QR codes direct you to download apps or files that contain malware. Once installed, this software can:

  • Monitor your keystrokes or screen activity.
  • Steal saved passwords, financial details, and personal data.
  • Lock your device and demand a ransom to restore access.

Because the download often begins from a website opened by your QR scanner, you may not realize it is unsafe until damage is done.

Where You’re Most Likely to Encounter Risky QR Codes

Not every QR code is dangerous, but some environments are more frequently abused by scammers. Stay alert in situations like these:

  • Parking meters and kiosks – Fraudulent codes can be placed on top of legitimate ones to capture parking payments.
  • Restaurant menus and table toppers – A sticker with a fake code might redirect you to a phishing site or a payment page unrelated to the restaurant.
  • Posters, fliers, and public signs – Codes on advertisements, event promotions, or surveys in public spaces are easy to tamper with.
  • Emails and text messages – Links delivered via QR image may be designed to slip past filters or trick you into scanning from your phone.
  • Bills and notices – A scam letter or fake invoice may instruct you to scan a QR code instead of using your usual payment method.
  • Unsolicited packages – Packages with no clear sender that ask you to scan a QR code for more information are a serious red flag.

Red Flags That a QR Code May Be Dangerous

Before you scan, pause and check for warning signs. The more red flags you see, the less likely you should be to trust the code.

Red Flag What It May Indicate
QR code appears on a sticker covering another code or part of a sign Possible tampering or replacement of a legitimate code with a fraudulent one.
Urgent language like “scan now or lose access” Pressure tactic commonly used in scams to push quick decisions.
Sender, package, or message is unexpected Potential unsolicited contact intended to lure you into scanning.
URL preview looks odd or mismatched with the claimed sender May be a spoofed website designed to imitate a real organization.
Page immediately asks for login credentials or payment details Phishing attempt to steal account access or financial information.

How to Safely Use QR Codes

You do not need to avoid QR codes entirely. By adding a few simple checks, you can dramatically lower your risk.

1. Inspect Physical QR Codes Before Scanning

  • Look closely to see if a sticker has been placed on top of a printed code or sign.
  • Check whether logos, fonts, and colors match the rest of the sign or brand.
  • If you see scratches, misalignment, or different printing quality, treat the code with suspicion.

2. Verify the Source Independently

  • If a code claims to be from a government agency, bank, or major company, confirm through a channel you already trust.
  • Type the known website address directly into your browser or use the official mobile app instead of relying on the QR code.
  • For deliveries or packages, use the official tracking tools on the company’s website rather than scanning a code from a label or insert.

3. Check the URL Preview Carefully

Most modern phones show the destination web address when you point your camera at a QR code, before you open it.

  • Read the full URL slowly. Look for small spelling changes, extra characters, or unusual domains (for example, .info or .top instead of the organization’s typical domain).
  • If the link is shortened or looks random, consider going directly to the website you expect instead of tapping the preview.

4. Avoid Scanning Codes from Unsolicited Messages

  • Be cautious with QR codes in emails or texts you did not expect, even if they appear to come from a known company.
  • Do not scan a code simply because it warns of account problems, missed deliveries, or legal issues. Contact the organization using a verified phone number or website to check first.

5. Strengthen Your Device and Accounts

  • Keep your phone’s operating system and security software updated so known vulnerabilities are patched.
  • Use strong, unique passwords for your important accounts and turn on multi-factor authentication (MFA) whenever available.
  • Avoid installing apps prompted by a QR code unless you can verify they come from your device’s official app store and a reputable developer.

What to Do If You Scanned a Suspicious QR Code

If you realize after scanning that something is wrong, quick action can limit the damage.

Immediate Steps

  • Close the browser tab or app if the site looks fake or starts acting strangely.
  • Do not enter any information (passwords, card numbers, personal data) on the page.
  • If any file or app began to download, cancel the download and do not install it.
  • If you already opened or installed something, consider disconnecting from the internet and running a reputable mobile security scan where available.

If You Entered Personal or Financial Information

  • Change passwords for any accounts that may have been exposed, starting with email and financial accounts, from a device you believe is secure.
  • Contact your bank or card issuer to report possible fraud, ask about reversing suspicious charges, and request new cards if needed.
  • Monitor statements and credit reports closely for any unusual activity and consider placing a fraud alert or credit freeze if recommended by your financial institution.

Reporting the Scam

  • Notify local law enforcement if you lost money or were directly targeted by a QR-related fraud.
  • Report the incident through national cybercrime complaint portals where available, such as online fraud reporting centers operated by law enforcement or government agencies.
  • If the scam impersonated a well-known organization, inform that organization so it can warn others.

Practical Everyday Habits to Reduce QR Code Risk

By building a few small habits into your daily routine, you can enjoy the convenience of QR codes with far less risk.

  • Pause before you scan. A few seconds of thought is often enough to notice something is off.
  • Prefer known channels. When in doubt, go directly to the official app or website instead of relying on a QR code.
  • Ignore urgency. Treat any QR code that pressures you to act immediately as a likely scam signal.
  • Educate family and coworkers. Share what you know so others are less likely to fall for QR code tricks.

Frequently Asked Questions (FAQs)

Q: Are all QR codes risky, or just some?

Many QR codes are legitimate and safe, especially those you access through trusted apps or official websites. The greatest risk comes from codes in unexpected places, unsolicited messages, or situations where you feel pressured to act quickly without verification.

Q: How can I tell if a QR code is real or has been tampered with?

Look for stickers placed over printed signs, differences in color or print quality, misaligned codes, or logos that seem blurry or off-brand. If anything about the sign or message seems inconsistent, avoid scanning and instead navigate to the organization’s website manually.

Q: Is it safer to use my phone’s built-in camera or a separate QR scanning app?

Security experts generally recommend using your phone’s built-in camera or trusted system features rather than third-party scanner apps. Many built-in scanners show a URL preview and benefit from your device’s existing security protections.

Q: What should I do if I scanned a QR code and now suspect it was a scam?

Close the page immediately, do not enter any information, and avoid installing anything the site suggests. If you already shared data, change affected passwords, contact your bank or card issuer, and monitor your accounts closely. Reporting the incident to law enforcement or cybercrime reporting services can also help protect others.

Q: Can a QR code infect my phone without me doing anything else?

Scanning a QR code by itself usually only opens a link. You often need to tap, download, or install something before malware can be installed. However, because some sites try to trick you into taking those steps, it is essential to stay alert and close any page that seems suspicious before interacting with it.

References

  1. Scammers hide harmful links in QR codes to steal your information — Federal Trade Commission. 2023-12-21. https://consumer.ftc.gov/consumer-alerts/2023/12/scammers-hide-harmful-links-qr-codes-steal-your-information
  2. Protecting Yourself from QR Code Scams and Cyber Threats — University of Illinois Chicago, IT. 2025-10-29. https://it.uic.edu/news-stories/security-and-qr-codes/
  3. QR Code Scams and How to Protect Yourself — Signal Financial Federal Credit Union. 2025-01-24. https://www.signalfinancialfcu.org/2025/qr-code-scams-and-how-to-protect-yourself
  4. Be Aware of QR Code Scams — Fidelity Bank. 2024-06-10. https://www.fidelity-bank.com/news/be-aware-of-qr-code-scams
  5. QR code scams: A guide to protect yourself — Commerce Bank. 2025-02-18. https://www.commercebank.com/personal/ideas-and-tips/2025/qr-code-scams
  6. QR Code Security Guide — Duke University IT Security. 2024-03-15. https://security.duke.edu/security-guides/qr-code-security-guide/
  7. Protecting Yourself from QR Code Fraud — Social Security Administration. 2023-11-09. https://blog.ssa.gov/protecting-yourself-from-qr-code-fraud/
  8. Stay Cautious of QR Code Scams — Liberty Bank. 2024-05-01. https://bankliberty.com/resource-library/id-theft-security/stay-cautious-qr-code-scams
  9. Unsolicited Packages Containing QR Codes Used to Initiate Fraud — FBI Internet Crime Complaint Center (IC3). 2025-07-31. https://www.ic3.gov/PSA/2025/PSA250731
Sneha Tete
Sneha TeteBeauty & Lifestyle Writer
Sneha is a relationships and lifestyle writer with a strong foundation in applied linguistics and certified training in relationship coaching. She brings over five years of writing experience to waytolegal,  crafting thoughtful, research-driven content that empowers readers to build healthier relationships, boost emotional well-being, and embrace holistic living.

Read full bio of Sneha Tete