
You park the car, walk to the pay station, and see a convenient little square: scan to pay. Your phone opens a payment page, you enter your card number, and you head off to lunch. Weeks later, the fraudulent charges start, because the QR code you scanned was a sticker, printed for pennies and pasted neatly over the real one by someone who visited the parking lot before you did.
The sticker-over-the-sticker is the physical version of a broader problem: a QR code is a link you cannot read. Your eyes see a pixelated square; only your phone knows the destination, and by the time you find out, you may already be on a counterfeit page. The Federal Trade Commission warned in a consumer alert that scammers hide harmful links in QR codes precisely because people scan them with a trust they would never give a strange link in an email.
Where the fake codes show up
The parking meter is the signature example, and cities around the country have warned drivers about phony payment stickers on meters and pay stations. But the same trick works anywhere a code is posted in public: restaurant tables, gas pumps, flyers on utility poles, charity donation posters, even stickers slapped onto legitimate business signage. The scammer’s cost is a sheet of adhesive labels. The payoff is a stream of card numbers and logins typed into pages they control.
QR codes also arrive digitally. Scam emails and texts increasingly carry a code instead of a link, because codes can slip past the filters that catch suspicious URLs, and because scanning moves you from a laptop (where you might inspect the address) to a phone screen (where the address bar is small and easy to ignore). The FBI’s Internet Crime Complaint Center has likewise cautioned that criminals tamper with both physical and digital QR codes to redirect victims to malicious sites, steal credentials, and reroute payments.
The story on the other end of the code
What loads after a bad scan usually falls into one of three buckets. First, a fake payment page: parking, tolls, a package redelivery fee, an unpaid invoice. It looks official, takes your card number, and charges you nothing today, which is the point; the number is the product. Second, a fake login page for your bank, email, or a delivery service, harvesting your username and password. Third, and less common, a prompt to download an app or “update,” which can put malware on the phone itself.
The wrapper story leans on urgency, the same as every other scam channel: the package cannot be delivered, the account will be locked, the parking session is about to expire. A QR code plus a countdown is a combination that deserves instant suspicion.
How to scan like a skeptic
Start with the physical check. Before scanning a posted code, look at it and touch it. Is it a sticker layered on top of another code or on top of painted signage? Does the material or alignment not match the rest of the sign? On a parking meter or pay station, prefer the official app for that city or lot, or the pay-by-phone number printed into the equipment itself, over any adhesive code.
Then use the preview. Most phone cameras display the destination URL before opening it. Actually read it. A legitimate parking operator does not run its payments on a string of random words at an odd domain, and your bank’s site is not hosted at a lookalike address with an extra hyphen. If the preview is shortened or gibberish, stop.
Finally, keep the old email rule: never scan a code from an unexpected message, no matter how urgent the story. If a text says a toll is unpaid or a package is stuck, go to the agency’s or carrier’s website directly, or use their official app, and check there. If the issue is real, it will be waiting in your account. Keeping your phone’s operating system updated adds a further layer of protection, since updates patch the holes that malicious pages try to use.
If you scanned one
Scanning alone rarely causes harm; what you did next determines the damage. If you entered a card number, call the card issuer, report the charge risk, and request a replacement card. If you typed a password, change it immediately everywhere you use it, and turn on two-factor authentication for that account. If you downloaded anything, delete it and run whatever security scanning your phone offers, and consider a backup-and-reset if the phone behaves strangely.
Report the incident to the FTC at ReportFraud.ftc.gov, and if a physical sticker was involved, tell the business or the city agency that owns the equipment so they can remove it before it catches the next person.
The habit worth keeping
QR codes are genuinely useful, and they are not going away; menus, boarding passes, and payments will keep riding on them. The adjustment is small: treat every code as an unlabeled link from a stranger until the destination proves otherwise. Read the preview, favor official apps for anything involving money, and let unexpected codes go unscanned. A square of pixels never deserves more trust than the same link would get in an email from someone you have never met.