How do QR code scams work?

Scammers place stickers with malicious QR codes over legitimate ones on parking meters, restaurant tables, and public signage. The QR code leads to a fake payment page that captures your credit card details.

How can I tell if a QR code is malicious?

Check if it's a sticker placed on top of something else. On iPhone, the camera previews the URL before opening — verify the domain matches what you'd expect. Legitimate QR codes are usually printed directly on signage, not stuck on afterward.

Scam #10 · Medium Threat

That QR Code on the Parking Meter Wasn't Put There by the City.

You scanned it, a payment page opened, you entered your card for $4. The parking was real. The QR code wasn't.

What You Just Experienced

A sticker on a parking meter with a QR code. City branding. An ordinance number. "Pay for Parking Here." You scanned it, a payment page popped up, and it asked for your card number to pay $4.00.

The sticker was placed there by a scammer. The payment page wasn't the city's — it was built to capture your full card details. You paid $4 for parking and gave away your card number, expiration, CVV, and billing ZIP in the process.

Why QR Codes Are a Blind Spot

Here's the thing about QR codes: you can't see where they go before you scan them. With a URL, you can at least glance at the domain. A QR code is a black box. It could point to the city's parking system or it could point to a server in Eastern Europe. You have no way to tell from looking at it.

And we've been trained to scan without thinking. Restaurants replaced menus with QR codes. Event check-ins use QR codes. Parking, bike shares, transit — everything has a QR code now. The action of "scan and go" is automatic for most people.

Scammers exploit this by placing stickers on top of or near legitimate QR codes in public spaces. Parking meters are the most common target because people expect to pay and the amounts are small enough to not trigger scrutiny.

How to Protect Yourself

Look at the QR code before scanning. Is it a sticker placed on top of something? Does it look like it was added after the original signage? Legitimate QR codes are usually printed directly on the sign or meter, not stuck on.
Preview the URL. On iPhone, the camera shows you the URL before you open it. Check the domain. If it doesn't match what you'd expect — like your city's actual parking website — don't tap it.
Use the official parking app. Most cities have a dedicated parking app. Use that instead of random QR codes. It's one more app on your phone, but it's also one less attack vector.
Small amounts don't mean small risk. The $4 parking fee isn't the point. Your full card details are the point.

Before scanning any QR code in a public place: is it a sticker? Does it look added after the fact? Is the URL it shows you one you recognize? Three seconds of looking before tapping could save you from a compromised card.

Quick Version for Family

The sticker test: "Before you scan a QR code anywhere — parking meters, restaurants, flyers — look at it. If it's a sticker placed on top of something, be suspicious. Real QR codes are printed on the signage, not added later."

When in doubt: "If a QR code leads to a page asking for your credit card, pay through the official app or find another payment method. The 30 seconds it takes to download the real app is worth it."

← Replay This Simulation All Scams