What Are QR Code Scams?
QR code scams are attacks where criminals replace or distribute malicious QR codes that redirect victims to phishing sites, fake payment portals, or malware downloads. Also known as "Quishing" (QR + Phishing).
How Common Are QR Code Scams?
QR code-related fraud reports increased by over 400% between 2023 and 2025, according to the FBI's Internet Crime Complaint Center. Financial losses exceeded $12 million in the US alone.
This guide documents real QR code scam cases from 2024-2026, showing exactly how criminals operate and what warning signs to look for. Each case includes the attack method, financial impact, and lessons learned.
Real QR Code Scam Examples
Case #1: Parking Meter QR Code Scam (Austin, Texas – 2024)
Scammers placed fake QR code stickers on over 100 parking meters throughout Austin. The scam later spread to San Antonio, Houston, and cities in the UK.
How It Worked
- Stickers placed over legitimate payment QR codes
- Redirected to fake city parking payment site
- Collected credit card numbers, CVVs, billing addresses
Financial Impact
- Hundreds of victims
- Average loss: $300-$500 per person
- Some victims had identity stolen for larger fraud
⚠️ Warning Signs Missed
- Sticker edges were visible if inspected closely
- URL was parkaustin-pay.com (not parkaustin.org)
- No email receipt sent after "payment"
Want to check if a QR code is safe before scanning?
Check it instantly with RexoGate → (no upload, no tracking)
Case #2: Restaurant Menu QR Code Hijack (London, UK – 2024-2025)
A coordinated attack targeted 12+ restaurants in Central London, replacing table QR codes with malicious versions that harvested credentials.
How It Worked
- Attackers swapped table QR cards during busy hours
- Fake "WiFi login" pages asked for email/password
- Some variants offered fake "10% discount" forms
Financial Impact
- 5,000+ credentials harvested over 3 months
- Multiple social media account takeovers
- Several identity theft cases linked
Scanning a QR code at a restaurant?
Verify the destination first →
Case #3: Cryptocurrency Wallet Drainer (Crypto Conferences – 2024-2025)
Attackers targeted cryptocurrency conferences with fake promotional flyers containing QR codes that led to wallet-draining smart contracts.
How It Worked
- Flyers promised "exclusive token airdrops"
- Victims connected wallets to "claim" tokens
- Malicious contract drained all assets instantly
Financial Impact
- Largest single loss: ~$200,000 in ETH
- Combined losses exceeded $2 million
- Funds laundered through mixing services
Case #4: Fake Package Delivery Notices (Global – 2024-2026)
Fake "missed delivery" notices with QR codes appeared on doors and in mailboxes worldwide, impersonating major shipping companies.
How It Worked
- "Sorry we missed you" cards left at doors
- QR code to "reschedule delivery"
- Fake $1.50-$3.00 "redelivery fee" captured cards
Why It Worked
- Small fee seemed legitimate
- Online shopping normalized expected packages
- Professional-looking printed materials
How to Spot Fake QR Codes
Based on analysis of these real scams, here are the warning signs that indicate a QR code may be malicious:
Check for Stickers
Run your finger over the code. Stickers placed over original codes are a major red flag.
Verify the Domain
After scanning, check the URL for typosquatting (paypa1.com, amaz0n.com).
Question Payment Requests
Any QR code immediately asking for payment or login credentials should be verified first.
Use a Safety Checker
Tools like RexoGate analyze QR destinations before you visit – catching scams proactively.
Why You Can Trust This Guide
- Based on documented police reports & victim disclosures (2024-2026)
- Focused exclusively on real-world incidents, not hypotheticals
- Written by a team specializing in QR phishing detection
- No affiliate links, no sponsored content