I was paying for parking in Melbourne's CBD last year when I noticed something odd. The QR code on the meter had a slightly raised edge, it was a sticker placed on top of the original. I peeled it off and sure enough, there was a completely different QR code underneath. Someone had stuck a fake payment QR code over the legitimate one. If I'd scanned without looking, my card details would have gone straight to a scammer's fake payment page.
QR code scams, sometimes called "quishing" (QR + phishing), are one of the fastest-growing cyber threats in Australia and worldwide. Attackers paste fake QR codes over legitimate ones in public places, embed them in phishing emails, or print them on fake flyers and posters. When you scan one, it sends you to a malicious website designed to steal your credentials, install malware, or trick you into making a payment.
In this guide, I'll walk through the most common QR code scams, show you how to spot them, and give you a free tool to check any QR code safely.
The 6 Most Common QR Code Scams
1. Parking Meter and Payment Scams
This is the most widespread QR code scam. Criminals place fake QR code stickers on parking meters, public transport ticket machines, and EV charging stations. When you scan to pay, you're directed to a fake payment page that captures your credit card information. These scams have been reported in major cities across the US, UK, and Australia.
2. Restaurant Menu Scams
Since the pandemic normalised QR code menus, scammers have started replacing legitimate restaurant QR codes with their own. The fake code redirects to a convincing-looking page that asks you to "log in" or "download the menu app", capturing your credentials or installing malware in the process.
3. Package Delivery QR Codes
You find a "missed delivery" notice on your door with a QR code to "reschedule." Scanning it takes you to a fake courier website that asks for your address, phone number, and a small "redelivery fee", giving scammers both your personal information and payment details.
4. Email QR Code Phishing (Quishing)
Traditional phishing emails contain clickable links that email security filters can detect and block. To bypass these filters, attackers have started embedding QR codes in emails instead. The email might claim to be from IT support asking you to "verify your account" by scanning the code, or from HR directing you to a "benefits portal." Because the malicious URL is encoded in an image rather than a text link, many email filters miss it entirely. This is what frustrates me most about QR code security, local councils and businesses across Australia have rushed to put QR codes on everything from parking meters to restaurant tables without any plan to monitor whether those codes have been tampered with, essentially creating an open invitation for scammers to place their own stickers on top and redirect unsuspecting people to phishing pages.
5. Cryptocurrency Scams
Fake QR codes that encode cryptocurrency wallet addresses are used to redirect payments. You think you're paying a legitimate vendor or donating to a cause, but the QR code sends your crypto to a scammer's wallet. Unlike credit card fraud, cryptocurrency transactions are irreversible.
6. Wi-Fi Network Scams
QR codes in cafes, hotels, and airports that claim to connect you to free Wi-Fi can instead connect you to a rogue network controlled by attackers. Once connected, they can intercept your traffic, capture login credentials, and monitor your online activity.
How to Scan QR Codes Safely
You don't need to stop using QR codes entirely. Just be cautious.
Preview before you open. Most phone cameras show you the URL before opening it. Always read the URL carefully before tapping. Look for the same red flags you'd check in any link: misspellings, unusual domains, and suspicious paths.
Check for physical tampering. Before scanning a QR code in a public place, look for signs that a sticker has been placed over the original code. If the QR code is raised, has different printing quality, or looks out of place, don't scan it.
Use a QR code security scanner. If you're unsure about a QR code, take a photo of it and upload it to a security tool like ScanTotal's QR Code Scanner. It will decode the QR code and check the embedded URL against threat databases without you having to visit the link.
Don't scan QR codes from emails. This is almost never necessary for legitimate purposes. If an email from your company or bank asks you to scan a QR code, go directly to the website by typing the address in your browser instead.
Use official apps for payments. Rather than scanning a QR code on a parking meter or vending machine, use the official payment app. Download it directly from the App Store or Google Play, not from a QR code.
Can You Get Hacked Just by Scanning a QR Code?
Scanning a QR code itself just decodes data, it doesn't execute code or install anything. The danger comes from what you do next. If the QR code contains a URL and you open it, you could land on a phishing site or trigger a download. If it contains a Wi-Fi network configuration, you could connect to a malicious network. If it contains payment information, you could send money to a scammer.
The key is to always review what the QR code contains before taking action. Your phone's camera shows you the decoded content, use that preview as your first line of defence.
What I Do Now Before Scanning Anything
Since that parking meter incident in Melbourne, I check every single QR code before I scan it. I look for raised edges, sticker residue, different printing quality, anything that suggests the code's been tampered with. If I do scan one, I read the URL preview on my phone before I tap it, and if anything looks off, I take a photo and run it through our QR scanner instead. It takes five seconds. The scammers who slapped that fake sticker on the meter were counting on people being in a rush and not looking closely. Don't give them that advantage.