The QR Code Scam That's Catching Everyone Off Guard

You walk up to a parking meter in downtown Austin. There is a QR code sticker on it that says "Pay Here — Scan to Pay." You scan it with your phone, a payment page opens, you enter your credit card number, and you drive away thinking you paid for parking.

You did not pay for parking. You just gave your credit card number to a criminal. The QR code was a sticker placed by a scammer over (or next to) the real payment option. The website looked exactly like a city parking portal. But it was fake — and your card will be charged for purchases you never made within hours.

This is "quishing" — QR code phishing — and it is one of the fastest-growing scam techniques in 2026.

How QR Code Scams Work

QR codes are just links in visual form. When you scan one, your phone opens whatever URL is encoded in the code. The problem: you cannot see the URL before you scan. A QR code that looks legitimate could link to literally anything — a phishing site, a malware download, or a fake payment portal.

Scammers exploit this by placing fake QR codes in locations where people expect to scan them:

Parking Meters and Pay Stations

The most common variant. Scammers print stickers with fake QR codes and place them on or near parking meters, pay stations, and parking garage kiosks. The fake code leads to a convincing payment page that collects your credit card information.

Cities affected include Austin, Houston, San Antonio, Denver, and dozens more. The FBI and FTC have issued warnings specifically about this variant.

Restaurant Tables

A sticker on the table says "Scan to view menu" or "Scan to pay." Instead of the restaurant's real menu or payment system, the QR code leads to a phishing site that asks for your credit card or installs a tracking cookie.

EV Charging Stations

Fake QR codes placed on electric vehicle chargers redirect users to counterfeit payment pages instead of the actual charging network's payment system.

Public Signs and Flyers

Fake QR codes on signs for event tickets, promotions, or public services. "Scan for free Wi-Fi" or "Scan for event details" — the code leads to a malicious site.

Package Deliveries

A note on your door or mailbox says "Your package could not be delivered — scan to reschedule." The QR code leads to a phishing site asking for personal information.

How to Protect Yourself

1. Preview the URL Before Opening

When you scan a QR code, most phone cameras show a URL preview before opening the link. Read the URL before tapping.

• Real: austin.gov/parking, parkmobile.io, chargepoint.com
• Fake: parking-pay-austin.com, park-mobile-payment.net, chargepoint-pay.xyz

If the URL looks suspicious — unfamiliar domain, extra words, misspelled brand — do not open it.

2. Check for Stickers Over Stickers

Legitimate QR codes at parking meters and businesses are usually printed directly on the machine or laminated. Scam QR codes are stickers placed on top. If the QR code looks like a sticker applied over something — especially if the edges are peeling or it does not match the rest of the signage — it is likely a scam.

3. Use the Official App Instead

For parking: download the city's official parking app (ParkMobile, PayByPhone, ParkNow) and pay through it directly — never through a QR code you did not verify.

For EV charging: use the charging network's official app (ChargePoint, Electrify America, Tesla) rather than scanning codes on the charger.

For restaurants: if the QR code seems off, ask the server for a physical menu or the restaurant's actual URL.

4. Never Enter Payment Information From a QR Code You Did Not Verify

If a QR code leads to a page asking for your credit card number, stop. Legitimate parking systems and businesses use established payment processors — not random-looking web forms. If the page does not look exactly like the service you expect, close it.

5. Check Your Statements

If you have scanned a QR code and entered payment information in the past, check your credit card statements for unfamiliar charges. Report any unauthorized charges to your card issuer immediately — federal law limits your liability to $50 for unauthorized credit card charges if reported promptly.

What to Do If You Were Scammed

1. Call your credit card company immediately. Report the charge as fraudulent. Request a new card number. Most card issuers will reverse the charge.
2. Check for other unauthorized charges. Scammers often test with a small charge before making larger ones.
3. Report to the FTC at reportfraud.ftc.gov
4. Report to local police — especially if the QR code was on a parking meter (this helps the city remove fake stickers)
5. Report to the FBI's IC3 at ic3.gov if the loss is significant

Why This Scam Is Growing

QR codes became mainstream during COVID (contactless menus, payments, check-ins) and stayed. People are now conditioned to scan QR codes without questioning them — which is exactly what scammers count on.

The scam is also incredibly cheap to execute. A scammer prints 100 stickers for a few dollars, walks around downtown placing them on parking meters, and collects credit card numbers for weeks before anyone notices. The cost-to-return ratio for the criminal is extremely favorable.

Key Takeaways

• Scammers place fake QR code stickers on parking meters, restaurant tables, EV chargers, and public signs
• When scanned, the fake code leads to a phishing site that steals your credit card information
• Always preview the URL before opening a scanned QR code — read the domain carefully
• Check for stickers placed over other stickers — this is the most common physical tell
• Use official apps (ParkMobile, ChargePoint) instead of scanning unknown QR codes
• Never enter payment info from a QR code you did not independently verify
• If scammed: call your card company immediately, report to FTC and local police

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.