Fake QR Codes and Payment Phishing: How Scammers Use QR Stickers to Redirect You to Tech Support and Checkout Pages
Fake QR Codes: the rising threat of “quishing”
QR codes are convenient, and where they lead is invisible until you scan them. That convenience is exactly what scammers exploit. Over the last year, law enforcement and multiple news outlets have warned about a surge in QR‑code phishing — commonly called “quishing” — where criminals place fake QR stickers or send unsolicited packages with QR codes that push victims to phishing pages or malware downloads. These traps range from counterfeit payment checkouts to pages instructing victims to call or connect to tech‑support services controlled by scammers.
Public advisories from the FBI’s Internet Crime Complaint Center and major news organizations highlight this emerging trend and recommend extra caution when scanning unknown QR codes.
How scammers use QR stickers and where you’ll see them
Attackers reuse very simple social engineering patterns and a few easy technical tricks:
- Sticker overlays: A fake QR sticker is placed over a legitimate merchant’s payment code (parking meters, vending machines, small merchants). When scanned, funds or card data route to the scammer’s account instead of the business.
- Fake checkout pages: The QR opens a spoofed payment page that looks like a vendor or payment processor and requests card data, OTPs, or credentials.
- Tech‑support redirects: QR codes lead to pages that give alarming system messages, a fake support phone number, or instructions to install remote‑access software — a common route into remote‑access scams.
- Brushing/unsolicited packages: Scammers send mystery parcels containing a printed QR code; curiosity or the promise of a prize pushes recipients to scan and reveal sensitive data or install malware.
- Fake tickets, charity or coupon offers: Scammers post or hand out QR codes that promise discounts, refunds, or donations to elicit quick scans and payment or credential entry.
Local enforcement and transit agencies have found counterfeit QR stickers on parking meters and public kiosks, and the FBI specifically warned about unsolicited packages with malicious QR codes in a recent PSA.
Practical checks: how to verify a QR code before you act
Treat a QR code like a link: pause and verify before you tap.
- Preview the link: Most phones and QR apps let you preview the URL before opening it. Check the domain carefully — legitimate vendors use recognizable domains (and HTTPS). If you can’t preview, don’t proceed.
- Prefer official apps/sites: For payments, open the merchant or parking app yourself (or type the known URL) instead of scanning a code on a public surface.
- Watch for overlay tampering: If a printed QR on a meter, poster or terminal looks like a sticker on top of another label, assume it’s malicious. Businesses can use tamper‑evident labels or print short URLs alongside the code to help customers verify legitimacy.
- Never install apps or grant permissions from an unknown QR landing page: Legitimate sites rarely require you to install an executable or grant broad device permissions to make a payment.
- Use a secure QR scanner or mobile security app: Some security apps flag known malicious domains and block dangerous downloads. Keep your OS and apps updated to reduce malware risk.
Security firms and consumer guides recommend these same practical steps and note that dynamic QR flows (that change per transaction) are generally safer than static codes — but user verification remains essential.
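The "preview the link" check above can also be automated, for example by a business auditing the codes on its own meters or a help desk triaging a reported sticker. The script below is an added example, not part of the original article; the expected host, the function name and every sample URL are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the domain a merchant prints beside its QR code.
EXPECTED_HOSTS = {"pay.example-parking.test"}


def check_qr_url(payload, expected_hosts=EXPECTED_HOSTS):
    """Return reasons to distrust a decoded QR payload; an empty list means it passed."""
    findings = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["not a parseable URL"]
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo before '@' disguises the real host")
    if not host:
        return findings + ["no host in payload"]
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is what we expect
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalised host, possible look-alike")
    # Exact match or a true subdomain only; a prefix match would accept
    # pay.example-parking.test.evil.example.
    if not any(host == e or host.endswith("." + e) for e in expected_hosts):
        findings.append(f"host {host!r} is not an expected domain")
    return findings


if __name__ == "__main__":
    samples = [  # constructed payloads, not real sites
        "https://pay.example-parking.test/zone/12",
        "http://pay.example-parking.test/zone/12",
        "https://pay.example-parking.test@evil.example/zone/12",
        "https://pay.example-parking.test.evil.example/zone/12",
        "https://203.0.113.7/pay",
    ]
    for url in samples:
        print(url, "->", check_qr_url(url) or "ok")
```

A clean result only means the URL matches the domain you expected; it says nothing about a domain you have no reason to trust in the first place.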
If you’ve been targeted — immediate actions and how to report
If you think you scanned a malicious QR code and shared payment or login information, take these steps right away:
- Contact your bank or card issuer and report the transaction; ask for a charge reversal or a card block if payments were sent.
- Change passwords for any accounts that may be affected and revoke any newly granted app permissions or connected apps.
- Run a mobile malware scan and uninstall any suspicious apps you did not knowingly install.
- Report the incident to the FBI IC3 at www.ic3.gov, and file a complaint with the FTC at reportfraud.ftc.gov. Also notify local law enforcement and your merchant (if a business was impersonated).
- Preserve evidence: keep screenshots, the scanned URL, the physical sticker or package, timestamps and any messages or calls you received.
Businesses can reduce risk for customers by using tamper‑evident QR labels, printing a short human‑readable URL near the code, rotating dynamic QR tokens, and training staff to check and remove suspicious stickers. Public advisories from law enforcement emphasize reporting and public awareness as key defenses.
Bottom line: QR codes are powerful convenience tools — but they’re still just links in disguise. Pause, verify, and use official apps or typed URLs for payments or support requests. When in doubt, don’t scan; report suspicious QR codes to the authorities and your bank.
