A QR code sticker on a parking meter or menu sends you to a phishing site
Scammers paste fake QR codes over real ones on parking meters, EV chargers, restaurant menus, and shipping labels. Scanning the fake code opens a convincing payment page that steals your card details — or installs a malicious app prompt.
Also known as: quishing, QR sticker scam, fake QR overlay
Already happened to you? Do this in the next few minutes
- 1 Call your bank or card's fraud line right now. Use the number on the back of your card — not any number from the message or caller. Ask them to stop or reverse the payment and freeze the account.
- 2 If you paid by gift card, wire, or an app (Zelle, Venmo, Cash App): contact that company immediately and report it as fraud. Acting fast sometimes recovers the money.
- 3 Report to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov. The sooner, the better.
What to do right now
- 1 Look at the QR code before scanning. If it's a sticker on top of another sticker or label, do not scan
- 2 When the URL appears, check it against the merchant's known domain BEFORE entering anything
- 3 For parking: use the city's official app (Park Mobile, MeterUp, etc.) installed beforehand — not a QR code on the meter
- 4 If you entered card info on a fake page, dispute the charges with your card issuer and replace the card
- 5 Report to the FTC at https://reportfraud.ftc.gov and the FBI's IC3 at https://www.ic3.gov.
Red flags
- ⚠ The QR code is a sticker pasted over another (often look closely — you'll see the edge)
- ⚠ The page after scanning asks for credit card details, account login, or to download an app
- ⚠ URL after scan is unusual ('paypaay.com', 'parkin-pay.io', shortlinks)
- ⚠ Page does not match the merchant's known brand
- ⚠ Code is in a high-traffic outdoor location: parking meter, public charger, package on porch
QR phishing — “quishing” — has grown rapidly because QR codes feel inherently trustworthy. They’re everywhere now (restaurants, parking, packaging) and most people scan without checking the URL.
A scanned QR is a clickable link, nothing more. Before you tap on the URL that appears, look at it. If it doesn’t look like the merchant you expect, back out. For payments, use a known app installed beforehand — that’s why your phone has Park Mobile or your bank app in the first place.
Known variants
-
Package quishing — a QR code on an unexpected package ('scan to confirm delivery') leads to a phishing page.
Last seen: 5/15/2026
-
AI-polished IRS-themed emails and physical mailed letters embed QR codes routing to fake IRS websites. The IRS does not use QR codes in official correspondence. Victims are prompted to 'verify' their account or claim a refund, exposing their SSN and banking details.
Last seen: 6/12/2026
-
Court-impersonation smishing escalated in 2026: texts embed AI-generated court notices with fake judge names, state seals, and case numbers. The QR code sits inside the image to bypass spam filters. In April 2026, 32 people showed up at a Phoenix courthouse for nonexistent hearings; similar incidents in Connecticut. Now reported in 12+ states.
Last seen: 6/2/2026