How to Spot a QR Code Scam: A Practical Guide to Staying Safe
QR codes are everywhere, from restaurant menus to parking meters. But scammers have noticed too. Learn how to spot a fake QR code before it catches you out.
Why QR Codes Became a Scammer's Best Friend
Cast your mind back to 2020. Restaurants ditched paper menus overnight, councils stuck QR codes on parking meters, and suddenly we were all scanning little black-and-white squares without a second thought. The pandemic accelerated QR code adoption at a remarkable pace. According to a 2023 report by Juniper Research, global QR code interactions exceeded 2.2 billion, a figure that has only continued to climb since then.
Here is the problem with that: we trained ourselves to scan first and ask questions later. And scammers, who are nothing if not observant, spotted the opportunity immediately. The very thing that makes QR codes convenient, the fact that you cannot read them with the naked eye, also makes them a perfect vehicle for fraud. You have no idea where a QR code will send you until your phone processes it. That blind trust is precisely what criminals exploit.
In the UK alone, Action Fraud reported a significant uptick in QR code-related fraud from 2023 onwards, with losses linked to QR code scams reaching into the millions. The National Cyber Security Centre (NCSC) issued specific guidance on QR code safety in 2024, a clear sign that the threat had moved from niche to mainstream.
The Types of QR Code Scams You Need to Know About
QR code scams are not a single trick. They come in several forms, and understanding each one makes you far harder to fool.
Fake Parking Meter QR Codes
This has become one of the most common scams in British towns and cities. Fraudsters place a sticker bearing a fake QR code directly over the legitimate one on a parking meter or pay-and-display machine. When you scan it, you are taken to a convincing but fraudulent payment page that harvests your card details. In 2023, RAC reported that councils across England and Scotland had identified tampered parking meters in over 60 local authority areas. The sums stolen per individual are often small, between five and fifteen pounds, which means many victims never even realise they have been scammed.
Tampered Restaurant and Pub QR Codes
The hospitality industry's shift to QR code menus created another opening. Criminals place fake QR code stickers on tables, redirecting diners to phishing sites that mimic payment platforms. Some of these sites ask you to 'pre-authorise' a payment or enter card details to view the menu, something a legitimate venue would never require.
Phishing Emails and Letters with QR Codes
This is where things get particularly clever. Traditional phishing emails contain suspicious links that email security filters can detect. But a QR code in an email or printed letter bypasses those filters entirely, because the malicious URL is encoded in an image rather than written as clickable text. Criminals send official-looking emails or even physical letters purporting to be from banks, HMRC, or energy companies, complete with a QR code that leads to a credential-harvesting website.
Fake Delivery Notices
With online shopping now a staple of daily life, fake delivery notices have become a reliable lure. A card dropped through your letterbox, or an SMS with a QR code, claims a parcel could not be delivered and asks you to scan to rearrange. The QR code leads to a site requesting personal information or a small 'redelivery fee' that hands your payment details to criminals.
Tampered Public QR Codes
QR codes on public noticeboards, bus stops, tourism information boards, and even charity collection points have all been targeted. Anywhere a QR code sits in public view, unmonitored, is a potential target. Scammers simply stick their own code on top of the genuine one. It costs them pennies and takes seconds.
How Quishing Works: QR Code Phishing Explained
The security industry has coined the term 'quishing' to describe QR code phishing, and it is worth understanding how it operates beneath the surface.
A standard phishing attack sends you a link. Your email provider or browser can scan that link, check it against databases of known malicious sites, and warn you. QR codes sidestep this process entirely. When a QR code is embedded in an email as an image, most security filters treat it as a harmless graphic. The malicious URL is hidden within the pattern of the code itself, invisible to automated scanning tools.
According to research published by Abnormal Security in late 2024, quishing attacks increased by over 400% compared to 2022. HP Wolf Security's quarterly threat report noted that QR code attacks accounted for a growing share of endpoint threats, with attackers increasingly targeting corporate environments where employees might scan a QR code from what appears to be an internal communication.
The attack chain typically works like this. You receive an email or letter, or encounter a physical QR code. You scan it with your phone. Your phone opens a browser and navigates to a URL. That URL leads to a site designed to look exactly like a legitimate login page, perhaps for your bank, Microsoft 365 account, or a government service. You enter your credentials, and the attackers capture them in real time. Some sophisticated quishing sites even act as a relay, passing your credentials to the real site and logging you in so you never suspect anything went wrong, while simultaneously giving the attacker full access to your account.
Real-World UK Examples
These are not hypothetical risks. They have affected real people across the United Kingdom.
In late 2023, multiple councils including Newcastle and several London boroughs confirmed that fraudulent QR codes had been placed on parking machines. Motorists who scanned them were directed to payment pages that cloned the appearance of legitimate council payment portals. Some victims only discovered the fraud when they received parking fines for 'non-payment' despite having entered their card details.
In early 2024, a widely reported scam involved fake QR codes placed on electric vehicle charging stations across the Midlands and South East. Drivers scanning the codes to pay for charging were redirected to fraudulent sites. The charging network operator issued warnings, but not before a significant number of users had been affected.
The Metropolitan Police warned in 2024 about a wave of fake council tax letters containing QR codes, sent to households across London. The letters, printed on convincing headed paper, claimed recipients were owed a rebate and needed to scan the QR code to claim it. The linked site harvested names, addresses, dates of birth, and bank details.
Trading Standards teams across the UK have also flagged instances of fake QR codes appearing on charity collection boxes and donation points, redirecting well-meaning contributors' payments to criminal accounts.
How to Spot a QR Code Scam Before You Scan
Knowing how to spot a QR code scam comes down to building a few simple habits. None of these take more than a few seconds, but they can save you a great deal of trouble.
Preview the URL Before You Open It
Most modern smartphones will show you a preview of the URL a QR code links to before you actually visit it. On iPhones, the built-in camera app displays the URL at the top of the screen. On Android devices, Google Lens and most camera apps do the same. Before tapping that link, read the URL carefully. Does it match what you would expect? A parking payment should go to the council's official domain, not to a string of random characters or a suspicious-looking web address.
Look for Stickers Over Stickers
This is one of the simplest and most effective checks. If you are scanning a QR code in a physical location, look at it closely. Does it appear to be a sticker placed on top of another code? Are the edges peeling? Does the material or print quality differ from the rest of the signage? If a QR code looks like it has been added after the fact, treat it with suspicion. Legitimate QR codes are usually printed directly onto signage or incorporated into the original design.
Check the Domain Name Carefully
Scammers rely on domain names that look almost right at a glance. They might use 'counci1-parking.co.uk' with a numeral one instead of the letter L, or 'royalmai1-redelivery.com' instead of the genuine Royal Mail domain. Take an extra moment to read the full URL. Look for misspellings, extra words, unusual top-level domains, or subtle character substitutions. If in doubt, do not proceed. Instead, navigate to the organisation's website directly by typing the address yourself.
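The domain check described above can also be automated, for example by a business or IT team reviewing the URL decoded from a QR code. The following is an added example, not code from the original article: the function name, the small substitution table, and 'council-parking.co.uk' as the genuine domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Digit-for-letter swaps of the kind described above (1 for l, 0 for o).
# A small constructed table for illustration, not a complete confusables list.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def check_qr_destination(url, expected_domains):
    """Return a list of warnings for a URL decoded from a QR code.

    expected_domains: domains the organisation really uses (supplied by you).
    An empty list means https and an expected domain or one of its subdomains.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if not host:
        return warnings + ["no host in URL"]
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible look-alike characters)")

    expected = [d.lower() for d in expected_domains]
    if any(host == d or host.endswith("." + d) for d in expected):
        return warnings  # genuine domain or a subdomain of it

    # Undo the digit swaps, then compare against each expected domain.
    skeleton = host.translate(CONFUSABLES)
    lookalike = False
    for d in expected:
        d_skel = d.translate(CONFUSABLES)
        brand = d_skel.split(".")[0]
        if skeleton == d_skel:
            warnings.append(f"character substitution of {d}")
            lookalike = True
        elif brand in skeleton:
            warnings.append(f"uses the name '{brand}' but is not {d}")
            lookalike = True
    if not lookalike:
        warnings.append("host is not an expected domain")
    return warnings
```

An empty result only means the host matches a domain you listed; it says nothing about a domain you did not list, so the expected list has to come from a source you trust, such as the organisation's own printed material.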
Be Wary of QR Codes That Ask for Payment or Personal Details
A legitimate QR code on a restaurant table should take you to a menu, not ask for your card details. A genuine council parking QR code will direct you to an established payment platform, not an unfamiliar page requesting your full card number. If a QR code leads you to a page asking for sensitive information and it feels unexpected or unnecessary, stop.
Safe QR Code Scanning Practices
Use your phone's built-in camera rather than a third-party QR scanner app. The default camera apps on both iOS and Android have QR reading capabilities and will show you the URL before opening it. Some third-party QR apps have been found to contain malware themselves or to skip the URL preview step.
Keep your phone's operating system and browser up to date. Security updates frequently include patches for vulnerabilities that malicious websites attempt to exploit. An up-to-date phone is significantly harder to compromise, even if you do accidentally visit a dodgy site.
Consider using a dedicated security app or browser with built-in phishing protection. Tools like those offered by major antivirus providers can warn you if a URL is on a known blacklist, adding an extra layer of defence between you and a scam site.
Never scan a QR code from an unsolicited email, text message, or letter unless you can independently verify its legitimacy. If your bank sends you a letter with a QR code, do not scan it. Instead, log into your banking app directly or call the number on the back of your card.
Be especially cautious with QR codes in public places. A code on a professional, well-maintained sign inside a business is lower risk than one on a sticker slapped onto a lamppost. Context matters.
What to Do If You Have Scanned a Malicious QR Code
If you entered payment card details, contact your bank or card provider immediately. Most UK banks have 24-hour fraud lines, and they can freeze your card and begin the process of recovering any stolen funds. Under the Payment Services Regulations 2017, you may be entitled to a refund for unauthorised transactions, provided you report them promptly.
If you entered login credentials, change the password for that account straight away. If you use the same password elsewhere, change it on those accounts too. Enable two-factor authentication wherever it is available.
If you downloaded anything after scanning the QR code, do not open the downloaded file. Run a security scan on your device. In serious cases, consider performing a factory reset after backing up your important data.
Report the scam. In the UK, you can report fraud to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040. You can also report suspicious emails to the NCSC by forwarding them to report@phishing.gov.uk. If the scam involved a physical QR code, report it to the venue or local council so they can remove the fraudulent code and warn others.
Monitor your accounts and credit report for the following weeks and months. Criminals do not always use stolen information immediately. A free statutory credit report from Experian, Equifax, or TransUnion can help you spot any unusual activity.
Age-Specific Guidance: Helping Everyone Stay Safe
Supporting Older Adults
Research from Age UK and the Office for National Statistics consistently shows that older adults are disproportionately targeted by fraud, and QR code scams present particular challenges. Many older people adopted QR codes during the pandemic without having the broader digital literacy context that helps younger users spot red flags.
If you are helping an older relative or friend, the most useful thing you can do is show them, practically, how to preview a URL on their specific phone. Encourage them to adopt a simple rule: if a QR code asks for money or personal details, stop and ask someone they trust before proceeding.
It is also worth noting that some older adults may feel embarrassed about falling for a scam. Creating a non-judgmental environment where they feel comfortable telling you about suspicious encounters is far more protective than any technical measure.
Teaching Children and Young People
Children and teenagers are often highly comfortable with QR codes but may lack the critical thinking skills to question where a code might lead. For younger children, the message can be simple: never scan a QR code without a trusted adult present. For teenagers, it is worth discussing the concept of quishing and explaining that QR codes can be just as dangerous as clicking an unknown link. Encourage them to preview URLs and to be sceptical of QR codes encountered in unexpected places.
How Businesses Can Protect Their Customers
Regularly inspect your QR codes. Make it part of your daily or weekly routine to check that QR codes on your premises have not been tampered with or covered by fraudulent stickers. Train your staff to do the same.
Print QR codes directly onto materials rather than using stickers where possible. A QR code printed onto a laminated menu, etched into a sign, or integrated into a poster is much harder for a criminal to tamper with than a sticker that can simply be covered over.
Use a branded short URL that customers can recognise. Rather than linking your QR code to a long, opaque URL, use a branded short link that clearly identifies your business.
Display your expected URL alongside the QR code. Adding text such as 'This code links to www.yourbusiness.co.uk/menu' gives customers a way to verify the destination before or after scanning.
Consider using dynamic QR codes from a reputable provider. Dynamic QR codes allow you to change the destination URL without reprinting the code. More importantly, reputable providers offer analytics that let you monitor scan activity.
Educate your customers. A small notice near your QR codes reminding people to check the URL before entering any information costs nothing and demonstrates that you take their security seriously.
The Bigger Picture
QR code scams are not going away. If anything, as QR codes become embedded in more aspects of daily life, from healthcare check-ins to public transport ticketing, the opportunities for exploitation will only grow.
In the meantime, the most effective defence is awareness. Knowing how to spot a QR code scam, understanding the tactics criminals use, and building a few simple checking habits into your routine will put you ahead of the vast majority of threats. You do not need to be a technology expert. You just need to pause for a moment before you scan.
That brief pause, a glance at the URL, a check for tampered stickers, a moment of thought about whether the request makes sense, is the difference between staying safe and handing your details to a stranger. It is a small habit with an outsized impact, and it is one worth sharing with everyone you care about.