Most Common QR Code Scams & How to Avoid Them

QR codes are everywhere. Scammers exploit them to hide malicious links, steal money, and collect personal data. Learn the newest QR code scams, red flags, and how to stay safe.

Austin Hulak
Founder

Quick Facts

About this scam type

QR code scams combine phishing and impersonation tactics with QR images to route victims to fake websites or crypto wallets. Scammers place fake QR stickers on parking meters, send codes in emails or texts, and even include them in counterfeit packages. Victims are tricked into entering credentials, financial info, or making untraceable payments. Because QR codes are easy to create and hard to visually verify, they are highly effective for hiding malicious links and adding urgency to scam tactics.

How scammers contact victims

Scammers distribute QR codes through SMS and email, printed stickers on public infrastructure like meters and tickets, and even include them in unsolicited packages. This multi-channel approach lets scammers target victims when they are distracted or rushed, making it easier to bypass suspicion and regular email filters.

Who is most at risk

Drivers in urban areas, older adults, busy consumers, students, and office workers are especially targeted. Drivers face urgent parking scams with QR codes on meters, while older adults and office workers are targeted through fake government or workplace communications. Scammers exploit moments of distraction or urgency, making these groups more vulnerable.

Understanding the risk level

QR code scams often lead to direct card fraud from fake payments, unrecoverable cryptocurrency transactions, and identity theft from credential phishing. Losses can be immediate and are often difficult to reverse, putting financial security, privacy, and even personal safety at serious risk.

Most Common QR Code Scams

How it works: Criminals place QR code stickers over real parking meters or issue fake parking tickets with a QR code. When scanned, the QR sends you to a fake payment site designed to steal your credit card details. Several U.S. cities, including New York and Oakland, have reported such scams, with residents losing money to $74 'parking fines' linked to fraudulent payment pages.

Signage says 'Pay for Parking Here' or 'Scan to Pay' with an app logo, but leads to an unofficial site.

Red Flag Signs:

  • Sticker is placed over the original meter or is a different color than official city decals.
  • Web address does not match the real city or parking app website.
  • Payment site is not secure (no https) or uses suspicious domain spelling.
  • Threatens extra penalties unless paid immediately through QR code.

How it works: You receive a surprise package with a QR code or a text message with a QR code to 'reschedule delivery.' Scanning the code leads to fake websites or installs malware. The USPS and FTC have both warned about these scams, where the QR code is embedded to trick you into revealing addresses, payment info, or login credentials.

[UPS] Our driver can’t find your address... provide your complete address at [URL].
The USPS package has arrived at the warehouse and cannot be delivered...

Red Flag Signs:

  • Unsolicited package asks you to scan a QR code to reveal the sender.
  • USPS or delivery service sends QR codes you did not sign up for. Real USPS texts use official short codes only after you opt in.
  • Site asks for passwords or credit card numbers to release a package.

How it works: Impostors pretending to be government, police, a utility, or even a love interest call and insist you must pay or protect money by scanning a QR code with their crypto wallet address. You are sent to a nearby cryptocurrency ATM, told to scan the QR, and your funds become unrecoverable. Criminals often stay on the line to pressure you step by step.

Red Flag Signs:

  • Any demand for payment in cryptocurrency, or any instruction to scan a QR code to make a payment, is a scam.
  • The caller guides you through every step while you are at the ATM and refuses to let you hang up.

How it works: Attackers send phishing emails with empty bodies and PDF attachments that include a QR code. When scanned, these codes lead to fraudulent Microsoft 365 sign-in pages or tax-themed phishing lures. Microsoft documented millions of such QR scams in 2024 and 2025, targeting individuals and businesses alike.

'Notice: IRS Has Flagged Issues with Your Tax Filing' with a PDF attachment containing a QR code.
'Unusual Activity Detected in Your IRS Filing' with a QR code PDF linking to fake Microsoft login.

Red Flag Signs:

  • Email has an empty body with a PDF that prompts scanning a QR code.
  • QR code leads to a login page not hosted on the official Microsoft or company website.

How it works: You get an unexpected package, usually with no sender info, and a card that says 'scan to see who sent this' or 'register your prize.' The QR links to bogus sites that harvest personal info or try to install malware. The FBI and USPS have warned about this new scam trend.

Red Flag Signs:

  • Random package with no sender info includes a QR insert.
  • Site asks for sensitive information like Social Security number, birthdate, or card details after scanning.

Red Flags & Warning Signs

Top 5 Phrases Scammers Use

  1. "Scan to pay your parking fee now."

    Makes payment sound urgent and links directly from QR to fake site.

  2. "Your package is pending due to an incomplete address. Scan the code to confirm."

    Tries to create anxiety about missed deliveries so you act fast without thinking.

  3. "Important Action Required: IRS Audit. Scan the attached document."

    Uses fear of urgent tax problems to get you to scan a code and surrender credentials.

  4. "To protect your account, send payment by scanning this QR code."

    Claims security or account protection to justify urgent payment methods.

  5. "Verify your identity to avoid service shutoff. Use the barcode we sent."

    Threatens disruption to push you into quick action.

Scam Warning Signs

  • Stickers placed over original QR codes or mismatched colors
    Real QR codes are integrated with the meter or packaging and match official branding.
  • URLs that do not match official domains or use shorteners
    Legitimate organizations do not use random or shortened URLs with QR codes.
  • Urgency to pay a fine or release a package
    Scammers pressure you to act fast so you do not verify the source.
  • Demands to pay with crypto or gift cards
    No real government or utility requests crypto payments via QR code.
  • Unsolicited packages with QR inserts
    If you did not expect a parcel, especially with a QR code card, be wary.
  • PDFs with QR codes prompting logins or MFA resets
    Secure workplaces do not send credential resets through QR codes in attachments.

Legitimate Communications

  • City parking meters direct to official app or on-device payment, not third-party QR links
    Use only the payment method clearly listed on the device or official city website.
  • USPS texts arrive only if you opted in and use official short codes
    Unsolicited QR code texts from USPS are suspect and should be reported.
  • IRS does not contact you by text or email or ask for QR code or crypto payment
    IRS contacts by mail and never requests urgent payments via QR code.
  • Corporate sign-in pages reside on the vendor’s real domain
    Always check the full web address before entering credentials, even after scanning.
  • Government and law enforcement never request crypto payments
    If asked for cryptocurrency it is always a scam.

How to Protect Yourself

  1. Inspect Before You Scan

    Look closely at QR codes on meters or packages. If a QR code is a sticker, looks tampered, or covers another code, do not scan it. Instead, pay at the meter directly or use the official app listed on the device or your city’s website.

    For family members who drive often, save the official parking app and bookmark the city site to avoid hasty scanning.

  2. Verify Deliveries and Utility Notices Directly

    If you’re asked to scan a QR code related to a package or utility bill, manually visit the known site or use the app you already trust. Never scan QR codes sent by text or found in unexpected places.

  3. Preview the Link Before Opening

    Most phone cameras will show the address when you hover before opening. Do not proceed if the domain is shortened or misspelled. Close the prompt if anything looks odd or unfamiliar.

  4. Use Strong Passwords and Multi-Factor Authentication (MFA)

    If you ever scan a QR and it asks you to log in, close the site and change your password right away from a trusted device. Use MFA for important accounts to stop unauthorized access.

  5. Never Pay by Crypto QR for Urgent Demands

    If anyone says you must pay via a cryptocurrency QR code, it is a scam. Hang up and call the real company, bank, or government agency using official contact info.

  6. Limit Automatic QR Code Scanning

    Disable camera permissions for apps you do not trust, and use only your phone’s built-in camera for scanning. Avoid third-party QR scanners, which can themselves be risky.
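
The URL red flags listed above (no https, a shortener, a domain that does not match the official one, a misspelled domain) can be checked automatically on the link a QR code decodes to. This is an added example, not code from the original article; the official domains are constructed placeholders and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed placeholders: substitute the official domains you actually use.
OFFICIAL_DOMAINS = {"cityparking.example", "postal.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small sample, not exhaustive


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def qr_url_red_flags(url: str, official=OFFICIAL_DOMAINS) -> list:
    """Return the red flags raised by a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    flags = []
    if parts.scheme.lower() != "https":
        flags.append("no-https")
    if any(is_under(host, s) for s in SHORTENERS):
        flags.append("shortener")
    if not any(is_under(host, d) for d in official):
        flags.append("not-official-domain")
        labels = host.split(".")
        for d in official:
            # Compare the same number of trailing labels as the official name.
            tail = ".".join(labels[-(d.count(".") + 1):])
            # Official name embedded in another host, or off by 1-2 characters.
            if d in host or edit_distance(tail, d) <= 2:
                flags.append("lookalike-of-official")
                break
    return flags
```

An empty list means none of these checks fired, not that the site is trustworthy; a shortened link hides its real destination, so it is flagged without being followed.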

Stay proactive. Sign up for Lifeguard to get alerts and real-time scam protection for you and your loved ones.

What to Do If You're a Victim

Act quickly—many QR code scams rely on speed. Taking the right steps can help you limit any damage and recover safely.

  1. If You Entered Sensitive Info After Scanning (Do immediately)

    Disconnect from the site, change your account passwords, and enable MFA (multi-factor authentication) on any affected accounts. Contact your bank or card issuer immediately to block or replace cards if you gave out card information.

  2. If You Paid by Card at a Fake Site (Do immediately)

    Call your credit or debit card issuer to dispute the charge and request a new card. Notify your bank and law enforcement, especially for parking or utility payment scams.

  3. If You Sent Crypto via a QR Wallet (Do immediately)

    Immediately contact your cryptocurrency exchange and file reports with the FTC and FBI Internet Crime Complaint Center. Crypto payments are usually not reversible, so act as fast as possible.

  4. Report the Scam to Authorities (Within 24 hours)

    Within 24 hours, report the incident to the FTC at ReportFraud.ftc.gov and to the FBI IC3. Seniors can call the DOJ Elder Justice Hotline for support.

  5. For Scams Involving USPS or Packages (Within 24 hours)

    Report scam texts or packages to the Postal Service by emailing spam@uspis.gov and filing a report at USPIS.gov.

  6. Report Fake Parking QR Stickers (Within 24 hours)

    Let your city’s parking department or payment app know about the fake sticker so it can be removed. For ParkNYC: call 1-800-428-4027 or email parknyc@flowbirdapp.com.

  7. Place a Fraud Alert and Monitor Accounts

    If you gave personal or financial info, place a free fraud alert and consider a credit freeze with Equifax, Experian, and TransUnion. Carefully monitor your accounts and credit reports for any strange activity.

  8. Check Devices for Threats

    Run a trusted security scan on your phone or computer, revoke any unwanted app permissions, and install any available security updates to protect your information going forward.

Need more support? See victim recovery resources at IdentityTheft.gov and the official FTC site. Lifeguard provides ongoing protection so you can act before scams cause harm.

Frequently Asked Questions

No, most QR codes are safe, but criminals use them to hide dangerous links. Always check the destination and make sure the source is trusted.

Identification

Some cities use parking apps or meters but do not place QR stickers on meters. For example, NYC does not accept QR code payments on meters. Always check your city’s official policy.

Identification

USPS only uses 5-digit short code texts if you have opted in. Any unsolicited USPS QR code text is almost always a scam. Report these to spam@uspis.gov.

Identification

No, the IRS will never initiate contact by text or email and will not ask for payment by QR code or crypto. Always verify tax notices in your secure IRS account.

Identification

Close the site, change your passwords, add two-factor authentication, and report to the FTC and IC3. Monitor all accounts and consider a credit freeze if sensitive info was given.

Recovery

Attackers add QR codes to PDF attachments to sneak past security filters and target Microsoft 365 logins. Always verify the sender and do not scan codes from suspicious emails.

Prevention

Usually not. Contact your crypto exchange and file reports with IC3 and the FTC immediately. Document everything for your records.

Recovery

Prevent Scams Before They Strike

Lifeguard helps families stay ahead of scammers. Get alerts, rapid recovery tools, and protection from the newest threats—helping you and your loved ones avoid costly QR code scams.
