MEDIUM phishing

A QR code sticker on a parking meter or menu sends you to a phishing site

Scammers paste fake QR codes over real ones on parking meters, EV chargers, restaurant menus, and shipping labels. Scanning the fake code opens a convincing payment page that steals your card details — or installs a malicious app prompt.

Also known as: quishing, QR sticker scam, fake QR overlay

What to do right now

  1. Look at the QR code before scanning. If it's a sticker on top of another sticker or label, do not scan.
  2. When the URL appears, check it against the merchant's known domain BEFORE entering anything.
  3. For parking: use the city's official app (Park Mobile, MeterUp, etc.) installed beforehand, not a QR code on the meter.
  4. If you entered card info on a fake page, dispute the charges with your card issuer and replace the card.
  5. Report to the FTC at https://reportfraud.ftc.gov and the FBI's IC3 at https://www.ic3.gov.

Red flags

  • The QR code is a sticker pasted over another one (look closely and you can often see the edge)
  • The page after scanning asks for credit card details, account login, or to download an app
  • URL after scan is unusual ('paypaay.com', 'parkin-pay.io', shortlinks)
  • Page does not match the merchant's known brand
  • Code is in a high-traffic outdoor location: parking meter, public charger, package on porch

QR phishing — “quishing” — has grown rapidly because QR codes feel inherently trustworthy. They’re everywhere now (restaurants, parking, packaging) and most people scan without checking the URL.

A scanned QR is a clickable link, nothing more. Before you tap on the URL that appears, look at it. If it doesn’t look like the merchant you expect, back out. For payments, use a known app installed beforehand — that’s why your phone has Park Mobile or your bank app in the first place.
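The URL check described above, written as a default-deny function. This is an added example, not part of the original page; the allowlist entries, the shortener list and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for illustration: a real deployment would load the
# merchant's published domains and a maintained list of URL shorteners.
EXPECTED = {"paypal.com", "city-parking.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url, expected=EXPECTED):
    """Return (verdict, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "block", "malformed URL"
    if parts.scheme != "https":
        return "block", "not an https link"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "block", "no host"
    if parts.username is not None:
        return "block", "userinfo before @ hides the real host"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return "block", "internationalised host, possible homoglyph"
    if host in SHORTENERS:
        return "block", "shortlink hides the destination"
    for dom in sorted(expected):
        # Exact match or a true subdomain; "paypal.com.evil.example" fails both.
        if host == dom or host.endswith("." + dom):
            return "allow", "matches " + dom
    # Heuristic (assumption): treat the last two labels as the registered domain.
    base = ".".join(host.split(".")[-2:])
    for dom in sorted(expected):
        if edit_distance(base, dom) <= 2:
            return "block", "lookalike of " + dom
    return "block", "unknown domain"
```

Anything not on the allowlist is blocked; the lookalike and shortlink checks only change the reason shown to the user.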

Known variants

  • Package quishing — a QR code on an unexpected package ('scan to confirm delivery') leads to a phishing page.

    Last seen: 5/15/2026

  • AI-polished IRS-themed phishing emails embed QR codes routing to pixel-perfect fake IRS websites. Victims are prompted to 'verify' their account or claim a refund, exposing their SSN and banking details.

    Last seen: 5/15/2026
