Scanned a QR code and something felt off? Here's what to know.
ScamChecker.online · Last verified May 2026 · Active and growing · 5 min read
In a nutshell
Fake QR codes turn up on parking meters, unexpected packages, restaurant tables, and inside texts and emails.
A QR code hides the web address, so you can't see where it leads until after you scan.
Scanning takes you to a fake payment or login page built to capture your card details or passwords.
If you scanned and entered anything, act quickly - the steps are below.
Our verdict
Treat any unexpected QR code as a link you can't read. A code on a sticker, an unsolicited package, or an urgent message is the warning sign. Scanning is the same as clicking an unknown link, except you can't check it first.
Does this sound familiar?
You went to pay for parking, track a package, or open a menu - and a QR code was right there, on an official-looking surface. You scanned it without much thought, because that's what QR codes are for. The page that opened asked for a card number or a login, and only afterwards did something feel wrong.
Below are reconstructed examples of where fake codes show up, recreated to show how they typically appear. The surface changes - the trick doesn't. (Illustrations, not real photos. Domains shown are fictional examples of what a malicious link looks like.)
Parking meter
Public pay station
Scan to Pay
A sticker placed over the real signage. The meter looks official, so the code inherits that trust.
Unexpected package
You didn't order it
Scan to identify sender
A box arrives with only a QR code inside. Scanning leads to a spoofed retailer or carrier page asking for your details.
Unknown
+1 (555) 555-0199
Text Message · Today 4:51
USPS: your package is on hold due to an unpaid fee. Scan the code or open the link within 24h to reschedule delivery: track-usps-redelivery[.]com
Same scam, delivered as a link. The deadline pushes you to act before you stop to check the address.
The setting varies: a parking meter, a shipping box, a restaurant table, a flyer, a text. The mechanism is always the same - a code you can't read, leading somewhere you can't see.
How it works
Quishing works because a QR code removes the one habit that protects you with a normal link: reading the address before you tap. (The screens below are illustrations of how these pages typically appear.)
1. The code appears somewhere trusted
A fake code is placed where you already expect one: a sticker over a parking meter, a code on an unexpected package, a poster, or a link in a text. It borrows the authority of wherever it sits. Nothing looks wrong, because there's no sender to doubt and no link to read.
City Parking · Bay 14
Pay station
Scan to Pay
A code on a sticker is the single most common quishing setup. If it peels, it isn't official.
2. You scan - and can't vet it in time
Scanning takes about two seconds, with no pause to think. Most phones show a URL preview, but the text is small and often cut off, so people tap straight through. The address rarely matches the real business - it just looks close enough.
Open this link?
https://citypark-pay-portal[.]com/meter/bay14
Open · Cancel
The real city portal isn't "citypark-pay-portal.com." A lookalike domain is the tell - if you can see the address at all.
3. The page asks for payment or a login
The destination is a convincing copy of a parking portal, a carrier's tracking page, a retailer, or your bank's sign-in. It asks for a card number to "pay the fee," or a username and password to "verify your account." Everything you type goes to the scammer.
⚠ citypark-pay-portal[.]com
City Parking - Pay Now
Card number
Expiry · CVV
Name on card
Pay $4.50
A real parking payment goes through the official app you downloaded yourself - not a page reached from a sticker.
4. They have what they needed
There was never a fee, a package, or a parking charge. What you entered is now theirs: a card to charge, a password to reuse on your other accounts, or - if a download started - malware on your phone. The "service" was the bait.
What they do with it…
Card charged repeatedly
Password tried on email, bank
Details sold or reused
No real transaction existed
The fee, the package, the parking charge - none of it was real. The page existed only to collect what you typed.
The QR code wasn't the service. It was the hook.
Remember
A QR code is just a link you can't read. Treat it like one.
Didn't expect the code? Don't scan it.
Pay through the official app you installed, not a sticker.
Can't see the full address? Don't open it.
Red flags to catch it early
None of these alone is proof. Several together means stop.
A QR code on a sticker
Especially one placed over existing signage on a meter, pump, or sign. Stickers peel; printed-in official codes don't.
A code on something you didn't expect
An unsolicited package, a random flyer, or a letter "from" a company you have no account with.
Urgency or a deadline
"Scan within 24 hours," "final notice," "reschedule now." Pressure exists to stop you from checking.
"Package on hold - scan to release within 24h"
The address doesn't match the real business
A lookalike or unrelated domain in the preview. The real company's site is rarely a string of extra words and hyphens.
citypark-pay-portal[.]com instead of the city's own .gov site
It asks for payment or a login straight away
A legitimate menu or info code doesn't open onto a card form or a sign-in page.
You're told to scan to "verify" or "release" something
If you didn't start the action, a code asking you to confirm, release, or track it is suspect.
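The address-related red flags above can be checked mechanically once a code has been decoded to text. The following is an added example, not code from ScamChecker.online; the allowlist, the placeholder host `parking.city.example`, the word lists and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: official host -> brand words a lookalike borrows.
# "parking.city.example" is a placeholder for the city's real site.
OFFICIAL = {
    "usps.com": ("usps",),
    "parking.city.example": ("citypark", "parking"),
}
URGENCY = re.compile(r"\b(within \d+ ?h(ours)?|final notice|reschedule|on hold)\b", re.I)
SENSITIVE = re.compile(r"(pay|login|signin|verify|release|redelivery)", re.I)

def refang(text):
    """Undo defanging such as example[.]com so the address parses."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def host_of(payload):
    """Extract the lower-cased hostname from a decoded QR payload."""
    url = refang(payload.strip())
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(host):
    """Exact match or a true subdomain of an allowlisted host."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL)

def red_flags(payload, context=""):
    """Return the red flags from the list above that apply to this payload."""
    host = host_of(payload)
    flags = []
    if not is_official(host):
        flags.append("not-official-domain")
        brands = [b for words in OFFICIAL.values() for b in words]
        if any(b in host for b in brands):
            flags.append("brand-in-lookalike-domain")
        if host.count("-") >= 2:
            flags.append("extra-words-and-hyphens")
        if SENSITIVE.search(refang(payload)):
            flags.append("payment-or-login-wording")
    if URGENCY.search(context):  # text printed or sent alongside the code
        flags.append("urgency-or-deadline")
    return flags
```

An empty list only means none of these particular checks fired; it does not prove the destination is safe.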
Already scanned or entered your details?
If you've just scanned a code and entered something
Close it, contain it, report it - in that order
Acting in the first hour limits most of the damage.
1. Close the page and don't enter anything more. Don't complete a payment or finish a login. If a file started downloading, don't open it.
2. If you entered card details, contact your bank or card issuer now. Ask them to block the card and watch for charges. The number on the back of your card is the one to call - not any number from the scam page.
3. If you entered a password, change it everywhere you reused it. Start with email and banking. Turn on two-factor authentication. Scammers try a stolen password across your other accounts within minutes.
4. If a download started, check your device. Disconnect from Wi-Fi and mobile data, delete the file, and run a security scan. On a phone, removing the app or file is usually enough; if unsure, a factory reset after backing up clean data is the safe option.
5. Report it - and warn whoever owns the location. Report to the authorities below. If it was a parking meter or pump, tell the parking authority or business so they can remove the sticker. If it impersonated a carrier, tell the real carrier.
If the code impersonated the US Postal Service or arrived on an unexpected package, you can also report to the US Postal Inspection Service at uspis.gov. Forward scam texts to 7726 (SPAM).
Forward scam texts to 7726 free of charge. If a card was used, contact your bank's fraud team directly - UK rules give strong protection for authorised push payment fraud.
Not sure where to report? Search "[your country] report online fraud," and contact your bank if any payment or card detail was involved.
How big is this problem?
QR codes became part of everyday life - menus, boarding passes, parking, payments - and fraud followed the habit. The FBI's complaint center has logged a sharp rise in QR-code phishing since 2023, [2] and the FTC has issued specific consumer alerts about malicious codes, including ones arriving on unexpected packages as a twist on the "brushing" scam. [1]
2023–25
Period over which the FBI reported a steep climb in QR-code phishing complaints [2]
73%
Share of people who say they scan QR codes without checking the destination, per one industry survey [3]
26M+
Americans estimated to have been sent to a malicious site via QR code, in the same industry survey [3]
<5%
Estimated share of fraud victims who ever file a report - real totals are far higher than official figures [1]
Public agencies have flagged specific cases. New York City's Department of Transportation warned that scammers were posting fake QR codes on parking meters, and the FTC cautioned the public against scanning codes that arrive on packages they didn't order. [1][4] The codes also show up overlaid on legitimate event signage, restaurant tables, and posters.
The design works on one weakness: a QR code can't be read by a human. With a normal phishing link you might notice a wrong domain. A code hides the address until after you scan, and on a small screen the preview is easy to skip. That single gap - no visible link, no sender to question, a two-second action - is what the whole scam is built around.
Sources
1. Federal Trade Commission consumer alerts on QR-code phishing, including the warning about codes on unexpected packages (a "brushing" variant). See consumer.ftc.gov and report at reportfraud.ftc.gov. Official guidance, the unexpected-package variant, and the under-5% reporting estimate.
2. FBI Internet Crime Complaint Center (IC3), reporting on the rise in QR-code phishing complaints, 2023–2025. ic3.gov. Trend in complaint volume.
3. Industry survey on QR-scanning behaviour reported in consumer press (NordVPN, via CNBC/NBC coverage, 2025). The 73% and 26M+ figures. Cited as a single industry survey, not official government data.
4. New York City Department of Transportation public warning on fake parking-meter QR codes, reported by CNBC/NBC, 2025. The parking-meter sticker case.
Researched and maintained by ScamChecker.online
We document recurring online scam patterns using primary sources - government agencies, law enforcement, and security researchers. The parking apps, carriers, and retailers shown here are legitimate services being impersonated, not the source of these codes. Ads on this page do not influence our reporting. Read about how we research or who we are.
Last verified: May 2026·Reviewed against current FTC and FBI guidance