Is scanning a QR code in a public place that leads to a payment or login page safe?
QR codes can be tampered with to redirect to fraudulent sites. Always verify the URL before entering any credentials or payment details after scanning.
Last reviewed: 10 June 2026
Explanation
QR code fraud — sometimes called quishing — involves placing fraudulent QR code stickers over legitimate ones in public places: parking meters, restaurant menus, charging stations, and information boards. When scanned, the fraudulent code redirects to a convincing fake payment page or login portal that harvests your financial or account details.
The deception is effective because QR codes display as an opaque image — you cannot preview the URL before scanning. Most people scan and follow the link without checking the address bar on their phone carefully. By the time the fake page loads, it looks plausible enough to proceed.
Always check the URL in your browser's address bar after scanning a QR code and before entering any information. If the URL does not match the expected organisation's official domain, do not proceed. In parking situations, look for signs that a sticker has been placed over an original code — edges of the sticker may be visible.
Some browsers and phone camera apps now offer QR code URL preview before following the link. Using one of these adds a layer of protection.
Common red flags
- QR code is a physical sticker that looks placed over another code
- URL after scanning does not match the expected organisation's official domain
- Page asks for payment details immediately with no prior account verification
- URL contains misspellings or uses a subdomain like 'pay.council-parking.someotherdomain.com'
- No contact information or branding on the payment page beyond a logo
- Code was in an unusual location or appeared at a location not known for QR-based payments
What to do now
- Always check the URL in your browser before entering any information
- If in a parking or payment context, look for the service provider's official app instead
- Report tampered codes to the venue or organisation responsible for the location
- If you already entered payment details, contact your bank immediately
- Report to your national cybercrime authority and consumer protection body
- Take a photo of the tampered code as evidence for the report
Frequently asked questions
Is there a safe way to scan QR codes?
Use a QR scanner app or phone camera that shows you the URL before opening it, check the URL carefully, and only proceed if it matches the expected official domain.
Are QR scams only in physical locations?
No. Fraudulent QR codes also appear in phishing emails, printed mail, and social media posts. The same rule applies: verify the URL before entering any details.