QR Code Scams: Why You Should Think Twice Before Scanning
You are at a local cafe, or perhaps you've just pulled into a car park. You see a QR code—those black-and-white pixelated squares—stuck to the table or the ticket machine. It says 'Scan to Pay' or 'Scan for Menu.' It is incredibly convenient. You pull out your smartphone, scan the code, and a payment page loads. You enter your credit card details and carry on with your day.
But a few hours later, you notice an unauthorized £500 charge on your account. What happened? You have likely been a victim of quishing (QR phishing). Criminals are now physically placing stickers over legitimate QR codes in public places, or sending them in emails, to redirect you to fake websites designed to harvest your personal information and bank details.
How QR Code Scams Work
QR codes are just fancy links. When your camera 'sees' the code, it automatically opens a website. Scammers love them because, unlike a written web address, a human cannot 'read' a QR code to see if it looks suspicious. They rely on the inherent trust we have in physical signs and posters.
The 'Parking Meter' Trap
This is the most common version in 2026. Scammers stick a fake 'Scan to Pay' QR code on a council parking machine. The code takes you to a fake payment site that looks official but is actually stealing your card details while you think you are paying for 2 hours of parking.
3 Ways to Spot a Fake QR Code
- Check the Sticker: Look closely at the QR code. Is it printed directly on the sign, or is it a small sticker pasted over the top? If you can peel it back or if the edges are curling, do not scan it.
- Inspect the Preview URL: When you scan a code with your phone camera, a small link preview usually pops up on your screen before the site opens. Look at it! If you are at a council car park but the link says something like 'pay-parking-easy.net', close your camera.
- Beware of Email QR Codes: If you receive an email from 'Microsoft' or your bank containing a QR code to 'secure your account,' delete it. This is a tactic used to bypass phishing filters that scan for links but often ignore images.
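The preview-URL check from the list above, written as code that a scanning app or mail filter could run on the text decoded from a QR code. This is an added example, not part of the original article; `vet_qr_url`, `EXPECTED_DOMAINS` and the `parking.council.example` domain are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domain the sign's real operator uses (constructed placeholder).
EXPECTED_DOMAINS = {"parking.council.example"}

def vet_qr_url(decoded, expected=EXPECTED_DOMAINS):
    """Return the reasons a decoded QR payload should not be trusted (empty = passes)."""
    reasons = []
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if not host:
        return reasons + ["no hostname in payload"]
    if parts.username or parts.password:
        # https://trusted.example@evil.example/ actually opens evil.example
        reasons.append("text before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible lookalike characters)")
    # Match on the end of the host: the registered domain is the rightmost part,
    # so 'parking.council.example.pay-parking-easy.net' must not pass.
    if not any(host == d or host.endswith("." + d) for d in expected):
        reasons.append(f"host {host!r} is not an expected domain")
    return reasons

if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    samples = [
        "https://parking.council.example/pay?bay=12",
        "https://pay-parking-easy.net/council",
        "https://parking.council.example.pay-parking-easy.net/pay",
        "https://parking.council.example@pay-parking-easy.net/pay",
        "http://parking.council.example/pay",
    ]
    for url in samples:
        verdict = vet_qr_url(url)
        print("OK  " if not verdict else "FLAG", url, verdict)
```

The same comparison is what you do by eye with the camera preview: read the host from right to left and ignore anything before an '@'.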
What to Do If You've Scanned a Bad Code
If you entered payment details, call your bank immediately. If you just scanned it but didn't enter data, you might still be at risk of malware. Some malicious QR codes link to sites designed to download viruses to your phone. Run a full system scan with a trusted mobile antivirus immediately.
The Golden Rule: Whenever possible, avoid using QR codes for payments. Type the official website address into your phone's browser yourself, or use a dedicated app like RingGo or JustPark for parking.