QR code scams: how to spot and avoid fake QR codes

QR codes exploded in popularity during the pandemic—now restaurants place them on menus and bills, small businesses use them for payments, and marketers rely on them in promotional campaigns. Public services also use QR codes heavily, such as on parking meters, buses, trains, and stations. They are convenient, fast, and trusted, and that is exactly what makes them so appealing to scammers.

QR code scams are now sweeping through the U.S., with multiple state authorities, from the FTC to Hawaii Electric, issuing QR code scam warnings to consumers. Other countries are battling with a rise in QR code fraud. In the UK, the number of reported scams involving fake QR codes has risen from just 100 in 2019 to over 1,380 five years later.

Read on to learn how and why QR code scams work, how to tell if a QR code is legit, and what to do if you’ve scanned a fraudulent code.

Understanding QR code scams

A QR code scam is when criminals use malicious QR codes to trick people into visiting spoofed websites, downloading harmful apps, or sharing personal sensitive information. These QR codes are placed strategically where they would be disguised as legitimate ways to access more information or make a payment. That’s why people tend to lower their guard and scan the codes, only to be scammed.

Unlike suspicious links in emails, you can’t preview the underlying link by hovering over a QR code (though some QR code scanning apps provide a link preview feature). This makes it easy for scammers to hide their intentions and exploit users’ trust and curiosity.

The risks of scanning a fake QR code

QR codes are not inherently dangerous—you can’t get scammed just by seeing one in your inbox. The danger lies in two factors. First, scammers may already have your contact information (if the QR code arrived via email or at your doorstep), which means your personal data has been compromised. Second, malicious QR codes become risky when you scan them and visit the website they take you to. 

What do fake QR codes disguise?

• Phishing websites with login or payment forms designed to steal all the entered information, such as usernames, passwords, and credit card data.
  
• Silent malware downloads that are triggered automatically upon website access, infecting your device with a virus.
  
• Unexpected app actions, for example, launching apps in the background to send emails, messages, or payment data.
  
• Payment fraud, where fake QR codes auto-launch payment screens to steal money.

One example of this would be scanning a QR code on a parking meter, only to be redirected to a fake payment site that steals your credit card details.

Once scanned, QR codes enable scammers to access your payment and personal information, which in turn can be misused for identity theft, digital account takeover, financial fraud, and device infection with keyloggers (spying on the data you enter) and ransomware (locking your sensitive data until you pay a ransom).

Most common QR code scams

Here’s a list of the most widespread types of QR code scams, so you can learn to recognize and steer clear of them.

Phishing emails with QR codes

With rising public awareness of phishing risks, people have become less likely to click suspicious links. That prompted scammers to switch from phishing to quishing (a combination of QR code and phishing), hoping their targets will scan the code without verifying it.

In quishing, scammers embed malicious QR codes in emails to bypass spam filters and obscure  the underlying link for the user. They may disguise the code as a parcel delivery notification, account alerts, or invitations to claim a lottery or giveaway prize, pressing the recipient to act with both urgency and a sense of excitement over the unknown. These are exactly the triggers that make people scan the code immediately without thinking.

Fake QR codes in phishing emails typically lead to malicious websites with forms to fill out, which promptly steal all the entered information, such as credit card data, account login credentials, or personally identifiable details.

Public payment scams

You might see fake QR codes at train stations, on parking meters, vending machines, or charity donation boxes, typically placed in high-traffic locations. They can be slapped on top of legitimate QR codes or placed prominently where they are easy to spot.

These fake QR codes take users to spoofed payment pages that resemble the legitimate ones but may differ in subtle details. In the background, these pages send the entered information directly to scammers, who can steal your payment card data. This is especially tricky for first-time users who might not be familiar with local payment services and therefore fall for the scam easily.

QR code scams on social media

QR code scammers populate social media, taking advantage of anonymity and the massive user base that can be targeted. Instagram, TikTok, Facebook, and X (formerly Twitter) remain the top social media platforms where fake and malicious QR codes scattered across posts, shorts, and stories.

Scammers post enticing offers, fake contests, and giveaways that require you to scan a QR code to register or claim your prize. These codes may promise gift cards, free merchandise, or access to secret groups.

Once scanned, the QR code can redirect to a phishing site that steals your social account credentials, email, or payment card data. Having your credentials, scammers can take over your social account and exploit it to further target your network.

Venmo and Zelle QR code scams

Payment apps like Venmo and Zelle allow quick money transfers via QR codes, and scammers exploit this, especially when it comes to peer-to-peer transactions on popular online marketplaces. Fake QR codes can be part of a Facebook Marketplace scam or a fake listing on Craigslist, shared by fake buyers or sellers who send them for “easy payment” but are only looking to charge money from you.

Beware of Zelle and Venmo scams if someone sends you a QR code for payment in a marketplace transaction, a tech support message, or a message allegedly coming from your bank. Only use peer-to-peer instant money transfer apps with your friends and family. Even if the QR code is legit, you might never receive what you paid for, and these apps notoriously offer almost zero buyer protection.

QR codes in package delivery scams

The recent rise in QR codes found in unsolicited packages was the reason behind the QR code scam warnings issued by the FTC and the Internet Crime Complaint Center (IC3). 

This scam has come to be known as brushing, where scammers send unexpected packages to people’s doorsteps to fraudulently boost their online marketplace ratings through fake customer reviews. This is their way of tampering with the marketplace seller scoring system, but also another opportunity to harvest your personal data if you’re curious enough to scan the attached QR code to find out who sent the package.

In a variation of package delivery scams, you might get an email, text, or a slip under your door saying you missed a delivery or there’s a problem with your package that requires action. Instead of a clickable link, the message contains a QR code to scan to “reschedule” delivery or “confirm” your address.

Forged QR codes in restaurants

Since the pandemic, many cafes and restaurants have started to use QR codes for digital menus and payments. Scammers take advantage of this by sticking forged QR codes over the legitimate ones, redirecting customers to fake websites so the payments go directly into their accounts. Examples of these fake QR codes can be seen on table menu stickers, receipts, curbside pickup signs, or codes for splitting bills.

Apart from stealing the restaurant’s revenue, these QR codes can also harm customers by stealing their credit card data or compromising their devices with malware.

QR code cryptocurrency scams

Scammers can pose as representatives of fake cryptocurrency exchanges, influencers, investment coaches, or advisors promising high returns on new schemes, announcing “airdrops” and giveaways, or offering “special access.” They share forged QR codes to fake exchanges, apps, and crypto wallets in crypto communities and on social media platforms like Discord, X, and YouTube. 

Victims might also be tricked into connecting their wallets to malicious websites that drain their assets. Some scams combine QR codes with links to fake apps to steal private keys.

Malicious QR code apps

Some apps that advertise themselves as QR code scanners are actually malware. These are typically downloaded outside of official app stores, marketed as suspicious “free QR code readers” with few reviews, or are apps impersonating legitimate QR scanners.

When installed, they request excessive permissions to access contacts, the phone camera, or even banking apps. In the background, they may install spyware that monitors keystrokes, messages, and banking logins, launch ransomware, or run hidden adware that floods your device with ads.

How to tell if a QR code is fake

How to identify a fake QR code? Before you scan a suspicious QR code, run a quick mental check using the points below:

• Look for signs of tampering: Is the QR code sticker covering another one? Does it look out of place or have peeling corners?
  
• Check the location: Does it make sense for the QR code to be placed here? A random sticker on a lamppost is probably not safe. 
  
• Confirm if it’s solicited: Did you receive it in an unexpected email, text message, or package you didn’t order? If yes, it’s better to skip it.
  
• Verify the source: Can you trust the source of the QR code? If it’s from a random seller on an online marketplace or a social media influencer you don’t know personally, the QR code may be unreliable.
  
• Preview the link: Many QR scanners show you a link preview before clicking. Check for odd domains, misspellings, or strange characters.

• Watch for urgency: Is there pressure to scan the QR code immediatel? Are you urged to act with claims of exclusive offers, one-day special discounts, or QR code expiration? If yes, it’s better to ignore it.

What to do if you scanned a malicious QR code

If you scanned a fake QR code by mistake, consider taking these quick steps depending on what happened after you accessed the website.

If you entered your personal information: 

• Immediately change your passwords and enable two-factor authentication for all affected accounts.
  
• Contact your bank or payment service provider if you entered your credit card details or transferred money to the scammer. In case of confirmed QR code fraud, banks may be able to reverse  the transaction.
  
• Report the scam to relevant authorities, such as the Federal Trade Commission, the IC3, or IdentityTheft.gov if you suspect your sensitive personal data has been compromised.

If malware has been downloaded:

• Disconnect from the internet to prevent further data transfer.
  
• Run a full security scan using your trusted antivirus software. 
  
• Install your device updates to patch vulnerabilities.
  
• If the infection persists, factory-reset your device.

How to protect yourself from QR code scams

Protecting yourself from QR code scammers is a matter of smart security habits and applying relevant tools and settings on your device:

• Avoid scanning QR codes in random public places or in unsolicited emails and text messages. 
  
• Look closely for signs of tampered or pasted-over QR stickers.
  
• Always preview link URLs when scanning QR codes.
  
• Keep your device updated with the latest OS and app versions.
  
• Use security software that flags suspicious links.
  
• Enable two-factor authentication on major accounts, such as your email and banking app.
  
• Be wary of QR scanner apps. Your phone camera should be enough to scan QR codes.

By combining smart habits with effective tools and settings, you can minimize your chance of falling victim.

FAQs

How to check if a QR code is safe?

Legitimate QR codes are shared by verified, trusted sources in solicited communication. Other than that, especially if a QR code is placed in a high-traffic public location, it’s most likely to be a scam.

Can scammers send fake QR codes?

Yes, scammers send out fake QR codes in phishing emails, text messages, unsolicited packages, and by sticking them over legitimate codes in public places.

Are barcode scams common?

Yes, barcode scams are increasingly common. As a broader category of quishing, or QR code phishing, they are used to target people in public places, on social media, and online marketplaces to steal victims’ personal information and money.

Is it safe to scan QR codes in restaurants or public places?

Generally, yes, if you trust the business. You should still check that the QR code hasn’t been tampered with (e.g., pasted as a sticker over the original, placed unevenly, or showing mismatched branding).

How can you identify an imposter QR code without scanning it?

You can identify a fake QR code by looking at the context and physical presentation. Check for signs of tampering, inspect the branding and print quality, analyze its placement, and question the source. If anything looks suspicious, it’s likely a scam.