QR code scams: why a square sticker can be risky

QR codes are useful shortcuts, but fake stickers and phishing messages can send you to risky links. Here is what to check before scanning.

QR code scams work because a small square can hide an ordinary web link. Most QR codes are useful shortcuts, but a fake sticker, payment notice or message can send your phone to the wrong place. The useful habit is simple: scan, pause, check, then decide. QR code scams UK users encounter most often appear in car parks, restaurants and public transport hubs.

The Short Version

  • A QR code is usually just a machine-readable link.
  • The code itself is not magic, but the page it opens can still be risky.
  • QR code scams are most concerning when a code asks you to pay, sign in or enter personal details.
  • Be especially careful with QR codes on stickers, parking signs, payment notices, emails and unexpected messages.
  • Before paying or entering details, check the web address, the physical sign and the organisation behind it.

Why QR codes can be risky

A QR code is a shortcut. Your phone camera reads the pattern and offers to open a link, app or other action. That is useful when the code is genuine. It saves typing, especially on a phone.

The problem is that you cannot read a QR code with your eyes. You have to scan it before you can see where it wants to take you. That makes it easier for a scammer to hide a bad link behind something that looks ordinary.

The National Cyber Security Centre says QR codes in places such as pubs and restaurants are usually safe to use, but QR codes in open public spaces, such as stations and car parks, can be riskier. The concern is not that every QR code is dangerous. It is that a fake sticker can be placed over a real one, or a QR code can be used in a phishing message to disguise a suspicious link.

Think of a QR code as a link you have not checked yet. You would not type your card details into a random website because a poster told you to. QR code scams are really link scams in disguise, so the same common-sense checks still apply.

How QR code scams usually work

QR code scams usually work by sending you to a fake website that looks like the service you expected. The scammer creates a code that points to the fake page, then puts it somewhere people are likely to trust it. That could be on top of a real parking meter code, on a printed notice, in a fake delivery message, or inside an email that claims to be from a company you know.

The fake page may look convincing. It might copy the logo, colours and layout of a real service. It may ask you to pay a small parking fee, confirm delivery details, sign in to an account, or enter card information. The amount may be small because the scam depends on speed, not deep thought.

This is why QR code scams sit close to phishing. The NCSC’s phishing guidance explains that criminals often use authority, urgency and emotion to push people into acting quickly. If you want the broader warning signs, Cristoniq’s guide on how to spot a phishing email explains the pressure tactics that often appear in fake messages. QR codes can be another way to deliver the same trick.

Sometimes the scam continues after the scan. The web page may be only the first step. A phone call, message or fake support contact may then try to push you into giving away more information.

The checks to make before you scan

The simplest defence against QR code scams is to treat the code like any other link. Start with the physical code. If it is a sticker placed over another sticker, looks freshly added to an old sign, is crooked, damaged or not part of the original design, do not scan it.

Then check the situation. Were you expecting to use a QR code here? A restaurant menu is normal. A parking sign may be normal, but it deserves more care because payment is involved. A QR code in an unexpected email asking you to scan it with your phone deserves more caution.

The UK government security guidance on QR codes describes them as machine-readable links and advises caution if a code is unlabelled, from an unknown person or appears to have been tampered with. After scanning, read the web address before you go further. Look for a sensible domain name, not a string of odd words, extra hyphens or a name that only resembles the service you expected.

Be especially careful before entering card details, passwords or one-time codes. Strong, unique passwords still matter, and a password manager can help you notice when a sign-in page is not the one you normally use. Two-factor authentication can also reduce the damage if a password is exposed, although it is not a reason to ignore a suspicious page.

What to do if a QR code takes you somewhere odd

If the page looks wrong, close it. Do not try to investigate by entering details. Do not download an app because the page tells you to. Do not call a phone number shown on the suspicious page. Use a route you trust instead, such as the organisation’s official website, the phone number printed on your card, or an app you already installed from the official app store.

If you entered a password, change it from the real website or app. If you reused that password elsewhere, change it there too. If you entered card details or made a payment, contact your bank using the number on the back of your card or inside your banking app. If money has gone or you believe a fraud has happened, report it through the UK’s official fraud reporting route for your area.

If an account may have been taken over, use Cristoniq’s guide on what to do if you get hacked as a recovery checklist. The important thing is to move quickly, but not through the suspicious page that caused the problem.

A worked example

Imagine you are in a town centre car park. The payment machine has a QR code on the side, and the sign says you can scan to pay. Before you scan, look at the code itself. If it appears to be a separate sticker covering another code, treat that as a warning sign.

You scan it and your phone previews a web address. The address is not the parking company’s normal name. It has extra words, a strange ending and no obvious connection to the car park operator. The page asks for your registration number, name, email address and card details.

The safer move is to stop. Check the official parking app listed on the main sign, search for the car park operator directly, or use another payment method. If you cannot confirm the payment route, do not pay through the QR link just because you are in a hurry.

This is not about fearing every QR code. It is about refusing to let QR code scams remove the checks you would normally make before paying online.
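The address check from this worked example can also be written down as a small script, which is useful for an operator auditing the codes on its own signs. This is an added example, not part of the original article: the domain citypark.example, the sample links and the specific heuristics are constructed assumptions, and the input is the text already decoded from the QR code.

```python
import ipaddress
from urllib.parse import urlsplit

def assess_qr_url(payload, expected_domains):
    """Return warning strings for a decoded QR payload; empty list means no flags."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["link could not be parsed"]
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme or 'none'!r})"]
    findings = []
    if parts.scheme == "http":
        findings.append("unencrypted http link")
    if parts.username or parts.password:
        findings.append("userinfo before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return findings + ["no host in link"]
    try:
        ipaddress.ip_address(host)
        return findings + ["raw IP address instead of a domain name"]
    except ValueError:
        pass  # not an IP literal, so treat it as a domain name
    expected = [d.lower() for d in expected_domains]
    # Exact match or true subdomain only; "evilcitypark.example" must not pass.
    if any(host == d or host.endswith("." + d) for d in expected):
        return findings
    findings.append(f"host {host!r} is not the expected service")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible lookalike characters)")
    if host.count("-") >= 2:
        findings.append("several hyphens in host name")
    for d in expected:
        brand = d.split(".")[0]  # assumption: first label is the brand name
        if brand in host:
            findings.append(f"uses the name {brand!r} on a different domain")
    return findings

# Constructed sample payloads (reserved .example/.test names and a documentation IP).
EXPECTED = ["citypark.example"]
SAMPLES = [
    "https://pay.citypark.example/zone/12",
    "https://citypark-pay-secure.example-payments.test/pay",
    "http://192.0.2.10/pay",
    "https://citypark.example@pay.test/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", assess_qr_url(url, EXPECTED) or "no flags")
```

An empty result only means the link points at the expected domain; it says nothing about whether the sign itself has been tampered with.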

What This Means For You

QR codes are not the enemy. They are useful in restaurants, museums, events, deliveries, travel and small business services. Most of the time, scanning one will do exactly what you expect.

The practical habit is simple: scan, pause, check the destination, then decide. The moment money, passwords or personal information are involved, treat the QR code as seriously as any other link.

For small businesses, QR code scams are a reminder to make your own codes look official, inspect public-facing codes regularly and give customers another way to reach the same service. A clean sign, a clear web address and a named payment provider all help people trust the right route.

In Plain English

A QR code is usually just a link your phone can read. If the link goes to the right place, it is useful. If someone has swapped it for a fake one, it can send you to a scam page.

Check before you pay. Check before you sign in. If the code or the page feels wrong, stop and use the official website or app instead.
