How Scammers Replace Real QR Codes With Malicious Ones
Published: March 25, 2026 • 11 min read • By Patrick Coughlin
QR codes have a fundamental design problem: you cannot see where they lead until after you scan them. Scammers exploit this trust with a remarkably simple attack. They print their own QR code on a sticker, walk up to a legitimate QR code in a public place, and stick their version right on top. The whole thing takes about five seconds.
The FBI issued a public warning about this tactic in early 2022, and the FTC followed with its own consumer alert. Fraudulent QR code stickers have been found on parking meters, restaurant tables, electric vehicle charging stations, and even charity donation signs.
How QR Code Replacement Actually Works
A scammer creates a phishing website that mimics a legitimate payment portal. They generate a QR code that points to this fraudulent site, print it on adhesive sticker paper, and physically place it over a real QR code. The fake code is typically printed to match the approximate size of the original. A single person can cover dozens of locations in an afternoon.
Where Fake QR Codes Show Up Most Often
Parking meters and pay stations are the most documented attack vector. In 2022, Austin discovered more than 100 fraudulent QR code stickers on public parking meters. Restaurant tables, EV charging stations, public transit stops, trailheads, rental scooters, fake package delivery notices, and event venues are also common targets.
What Happens When You Scan a Fake QR Code
The most common outcome is landing on a phishing payment page that looks like a legitimate service. You enter your credit card information, which goes directly to the scammer. Other possibilities include credential harvesting, malware download prompts, browser notification enrollment, and Wi-Fi network enrollment controlled by the attacker.
How to Spot a Tampered QR Code
Run your finger over the QR code to feel for a raised sticker edge. Check for misalignment with surrounding design. Look for adhesive residue. Preview the URL before opening — it should match the expected service domain. Verify HTTPS on any payment page.
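The URL preview step above can be automated wherever decoded QR payloads are handled, such as a scanner app or a kiosk audit script. The following is an added example, not code from the original article; the function name `check_qr_url`, the domain `cityparking.example`, and all sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_url(payload, expected_domain):
    """Return the reasons a decoded QR payload fails the preview check ([] = passes)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    problems = []
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    if parts.scheme.lower() != "https":
        problems.append("not-https")
    if not host:
        # Not a web link at all, e.g. a Wi-Fi enrollment payload.
        return problems + ["no-host"]
    if parts.username is not None or parts.password is not None:
        # Text before '@' is not the destination; the real host comes after it.
        problems.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        problems.append("ip-literal-host")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("non-ascii-or-punycode-host")
    # The expected domain must be the END of the hostname, on a label boundary.
    if host != expected and not host.endswith("." + expected):
        problems.append("domain-mismatch")
    return problems

# Constructed sample payloads (hypothetical operator domain: cityparking.example).
SAMPLES = [
    "https://pay.cityparking.example/meter/1042",
    "http://pay.cityparking.example/meter/1042",
    "https://cityparking.example.pay-meter.example/m/1042",
    "https://evilcityparking.example/pay",
    "https://cityparking.example@198.51.100.7/pay",
    "https://xn--cityparkng-9db.example/",
    "WIFI:S:FreeParkingWiFi;T:WPA;P:x;;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_qr_url(s, "cityparking.example") or "ok")
```

A passing result only means the link points at the expected domain over HTTPS; it says nothing about whether the sticker itself was tampered with, so the physical checks still apply.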
How to Protect Yourself
Use official apps downloaded directly from your app store for parking, EV charging, and transit. Type URLs manually for payments when possible. Be especially cautious with any QR code that leads directly to a payment form. Report suspicious QR codes to the location manager.
What to Do If You Already Scanned a Suspicious Code
Close the page immediately without entering information. If you entered payment details, contact your bank. Change compromised passwords from a different device. Revoke any browser notification permissions you granted.
If you are unsure whether the page was legitimate, copy the URL and check it with Scamwise for a free, instant analysis.
Report to the FTC at ReportFraud.ftc.gov and FBI IC3 at ic3.gov. If the code was on public infrastructure, also report it to local authorities.
