
QR Code Scams: How a Simple Scan Can Empty Your Bank Account

You walked into your favorite coffee shop, scanned the QR code at the table to order, and paid without thinking twice. Three days later, your credit card was maxed out on purchases you never made. The code you scanned was not from the café — it was a sticker placed by a scammer who had been there the night before.

I have been in cybersecurity for over two decades, and QR code scams are one of the fastest-growing threats I have tracked. They are elegant in their simplicity: no phishing emails to write, no fake websites to host, just a printed sticker and a victim with a smartphone. The FBI Internet Crime Complaint Center reported a 587% increase in QR-related fraud between 2020 and 2024, and most victims do not realize what happened until their accounts are drained.




What Is a QR Code Scam?

A QR code scam (also called “quishing” — QR phishing) happens when criminals replace legitimate QR codes with malicious ones, or place fraudulent codes in locations where people expect to find them. When you scan the code, it can:

The scam works because QR codes are inherently opaque — you cannot tell where they will take you until you scan them. We have trained ourselves to trust codes in restaurants, parking meters, and event venues, which is exactly what scammers exploit.

How QR Code Scams Work

The Sticker Swap

This is the most common variant I have encountered. Scammers print fake QR code stickers that look nearly identical to legitimate ones, then place them over the real codes at high-traffic locations. I have seen this at:

The fake code redirects to a payment page that looks identical to the legitimate one — same colors, same logo, same layout. You enter your card details, the scammer captures them, and you get a “payment failed” message. You try again with another card. Both are now compromised.

The Email/Print Hybrid

Scammers send emails or physical mail claiming you need to scan a QR code to:

The code leads to a phishing site designed to harvest credentials. I analyzed one campaign where the fake “USPS tracking” page was so convincing that 34% of recipients who scanned the code entered their personal information.

The Crypto Payment Redirect

In this nastier variant, the QR code appears to be for a legitimate Bitcoin or cryptocurrency payment — often for ransomware or fake investment schemes. The code actually routes to the scammer's wallet. Once the crypto is sent, it is gone forever.

The Wi-Fi Trap

Scammers place QR codes in airports or hotels claiming to offer “Free Wi-Fi.” Scanning connects you to a malicious network that intercepts all your traffic, capturing passwords, banking details, and personal messages in plaintext.

Where QR Code Scams Happen Most

Based on FTC complaint data and my own case reviews, these scams cluster in high-traffic locations where people are in a hurry and operating on autopilot.

QR Code Scam Red Flags to Watch For

🚨 Stickers over stickers: If the QR code looks like a label placed on top of another surface, be suspicious. Legitimate codes are usually printed directly on menus, signs, or meters.

🚨 Physical tampering: Look for signs the code was placed recently — different weathering, cleaner edges, or misalignment with surrounding graphics.

🚨 Unusual payment flows: If scanning takes you to a payment page that asks for more information than usual (full SSN, multiple card details, bank login), stop immediately.

🚨 Urgency tactics: “Scan now to avoid late fees” or “Limited time — scan to claim” are pressure tactics designed to bypass your critical thinking.

🚨 Generic short URLs: Legitimate businesses use branded domains. If the preview shows a bit.ly, tinyurl, or other generic shortener, verify before proceeding.

🚨 Requests for app downloads: No restaurant payment should require downloading an APK or unofficial app. This is almost always malware.
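The red flags above that can be checked mechanically, applied to the text a scanner decodes from a code. This is an added example, not part of the original article; it also covers the Wi-Fi and crypto payload types described earlier, and the flag names, hostnames and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit

# Shorteners named in the article, by their usual hostnames (extend as needed).
SHORTENERS = {"bit.ly", "tinyurl.com"}

def parse_wifi(payload):
    """Parse 'WIFI:T:WPA;S:name;P:pass;;' into a dict, honouring backslash escapes."""
    fields, key, buf, escaped = {}, None, "", False
    for ch in payload[len("WIFI:"):]:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ":" and key is None:
            key, buf = buf, ""
        elif ch == ";":
            if key is not None:
                fields[key] = buf
            key, buf = None, ""
        else:
            buf += ch
    return fields

def triage(payload, expected_host=None):
    """Return red-flag codes for one decoded QR payload (empty list: none found)."""
    if payload.upper().startswith("WIFI:"):
        net = parse_wifi(payload)  # scanning joins a network, it does not open a page
        open_net = net.get("T", "nopass").lower() == "nopass"
        return ["wifi-join"] + (["wifi-open"] if open_net else [])
    url = urlsplit(payload)
    if url.scheme in ("bitcoin", "ethereum"):
        return ["crypto-payment"]  # confirm the address through another channel
    if url.scheme not in ("http", "https"):
        return ["non-web-payload"]
    host, flags = (url.hostname or "").lower(), []
    if url.scheme == "http":
        flags.append("no-tls")
    if host in SHORTENERS:
        flags.append("shortener")  # the real destination is hidden
    if url.path.lower().endswith(".apk"):
        flags.append("apk-download")
    if expected_host and host != expected_host and not host.endswith("." + expected_host):
        flags.append("host-mismatch")  # catches look-alike prefixes on another domain
    return flags

if __name__ == "__main__":
    # Constructed payloads; expected_host is the domain the business actually uses.
    for p in ("https://pay.example-cafe.test/table/12", "http://bit.ly/3abcXYZ",
              "https://example-cafe.test.pay-secure.example/app/menu.apk",
              "WIFI:T:nopass;S:Free Airport WiFi;;"):
        print(p, "->", triage(p, expected_host="example-cafe.test"))
```

An empty result only means none of these checks fired; a convincing clone on a clean-looking domain still needs the manual verification steps that follow.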

How to Protect Yourself

1. Preview before you scan. Most modern phones show a preview of the URL before opening it. If the domain looks wrong — even slightly — do not tap through.

2. Verify the source. At restaurants, ask staff to confirm the QR code is legitimate. At parking meters, look for official city branding.

3. Use your phone's built-in scanner. Do not download third-party QR scanner apps — many are malware vectors. iPhone Camera and Google Lens are safer options.

4. Check for tampering. Look closely at the code itself. Is it a sticker? Does it cover another code? Is it crooked or poorly aligned?

5. Never enter login credentials after scanning. If a QR code takes you to a login page for your bank, email, or social media, close it immediately.

6. Enable transaction notifications. Set up real-time alerts on all payment cards. The sooner you catch unauthorized charges, the better your recovery odds.

7. Use virtual cards for QR payments. Services like Privacy.com or Apple Card's virtual number feature let you create single-use card numbers.

8. Keep your phone updated. QR code exploits sometimes target known vulnerabilities in older iOS or Android versions.

9. Trust your gut. If something feels off — the page looks different, it is asking for weird information, the URL seems sketchy — back out.

10. Report suspicious codes. If you find a sticker you believe is fraudulent, peel it off if safe to do so, photograph it, and report it to the business and local police.

What to Do If You Have Been Hit

Immediate steps (first 24 hours):

1. Contact your bank or card issuer immediately. Report the fraudulent charges and request a card freeze or replacement. Under Regulation E, your liability for unauthorized debit card charges is limited to $50 if reported within 2 days, $500 within 60 days.

2. Change passwords for any accounts where you entered credentials after scanning the malicious code.

3. Run a malware scan if you downloaded anything. Use reputable tools like Malwarebytes or your phone's built-in security scanner.

4. Document everything. Screenshot the QR code location if possible, save the URL it directed to, and note the date/time of the scan.

5. File reports: FTC at ReportFraud.ftc.gov, FBI IC3 at ic3.gov, and local police for the physical sticker placement.

Recovery expectations: Credit card charges are typically reversed within 7-10 business days. Debit card recovery is slower and less certain. Crypto payments are almost never recoverable.

QR Code Scams and the Bigger Fraud Picture

QR code scams do not exist in isolation — they are part of a broader shift toward physical-digital hybrid attacks that exploit our trust in everyday objects. Understanding related threats helps you stay protected:

Ghost Tapping Scams — Similar principle: scammers exploit contactless payment technology with hidden NFC readers

Fake Bank Text and Apple Wallet Scam — Combines digital wallet manipulation with social engineering

Phishing Attacks — QR codes are just the latest delivery mechanism for classic credential-harvesting schemes

The underlying pattern: technology that makes life convenient also creates new attack surfaces. QR codes are not inherently dangerous, but our automatic trust in them is.

Frequently Asked Questions

Q: Can scanning a QR code install malware automatically?
A: Generally no — most phones require you to confirm downloads or installations. However, sophisticated exploits targeting specific vulnerabilities have been documented.

Q: How can I tell if a QR code is legitimate?
A: You cannot tell by looking at the code itself — that is the problem. Verify by checking for tampering, previewing the URL before opening, and when in doubt, asking staff.

Q: Are QR codes at major chains like Starbucks or McDonald's safe?
A: Generally yes, if they are printed directly on official materials. But I have seen scammers place stickers over legitimate codes even at major chains.

Q: What if I already scanned a suspicious code but did not enter any information?
A: You are likely fine, but monitor your accounts closely. If the code triggered any downloads, run a security scan.

Q: Can scammers create QR codes that charge my card just by scanning?
A: No — scanning alone cannot initiate payments. The scam requires you to voluntarily enter payment information on a fraudulent page.

Q: Is it safer to pay with Apple Pay or Google Pay at QR code terminals?
A: Yes — tokenized payments are significantly safer than entering card numbers because they do not transmit your actual card details.

Q: Should I avoid QR codes entirely?
A: Not necessary — they are genuinely convenient. The key is conscious scanning: verify before you scan, preview URLs, and never enter credentials from QR-initiated flows.



A cybersecurity professional with 20+ years of experience and author of “Identity and Data Protection for the Average Person.” He founded ScamSave to help everyday people stay ahead of evolving fraud threats.


CISSP · Founder, Apply QA, LLC

Cybersecurity expert and CISSP-certified professional with years of experience in identity protection, fraud prevention, and software quality engineering. Author of Identity and Data Protection for the Average Person and founder of ScamSave.
