You scan QR codes constantly without thinking about it — the restaurant menu, the parking meter, the flyer taped to a lamppost. A QR code scam usually doesn't look like a scam at all, which is exactly the problem. It looks like a sticker. It looks like part of the wallpaper.
That gap between how QR codes look and what they can actually do is where quishing — QR code phishing — has quietly become one of the fastest-growing scam categories of 2026.
How QR Code Scams Work
A QR code scam works because the malicious part is invisible until the moment you scan it. Unlike a phishing email, where a suspicious link sits in plain text, a QR code hides its destination inside a pattern of black and white squares that no human can read without a camera.
Attackers exploit that blind spot by printing their own code on a sticker and placing it directly over a legitimate one — on a parking meter, a restaurant table tent, a flyer, or a delivery package. The fake code usually leads to a cloned login page, a fraudulent payment screen, or a malware download.
This isn't a small trend. Quishing incidents jumped 146% in the first quarter of 2026 alone, with nearly 18.7 million cases recorded in March, according to threat intelligence data reported by Watauga Democrat.
Where It Shows Up Most
Public parking meters are one of the most common targets, since the sticker format is easy to replicate. Police departments in Denver and Austin have documented fake QR stickers placed over legitimate parking codes, redirecting drivers to payment pages that steal card details.
Restaurant table tents, parcel delivery notices, fake court summons, and event posters round out the most common categories — all relying on the same trick: a context where scanning feels expected, not suspicious.
Email-based quishing has also grown. QR codes embedded in PDF attachments or images slip past traditional phishing filters that only scan visible text. According to the complete quishing guide from Is This QR Safe, this is exactly why security teams describe it as a blind spot in standard email defenses.
Why Even Careful People Fall For It
Most people scan QR codes without checking the destination first, and surveys have found that the majority of consumers can't reliably tell a malicious code from a legitimate one just by looking at it. High trust plus low verification is exactly what gives quishing room to grow even as awareness of regular email phishing improves.
How to Spot a Fake Code Before You Scan
Look at the sticker itself before you look at your phone. A code that's crooked, layered on top of a different sticker, or peeling at one corner is a strong sign someone placed it there after the fact.
Use your phone's built-in camera preview instead of a dedicated scanning app whenever possible. Most modern phones show you the destination URL before opening it — check whether the domain matches who you'd expect.
Dynamic QR codes route through a shortened link before reaching their final destination, which makes the preview less useful on its own. In those cases, look at whether the page that finally loads matches the branding, fonts, and layout you'd expect.
Pause on anything that asks you to log in or enter payment details immediately after scanning. Legitimate parking apps and ordering systems rarely require fresh credentials every single time.
What I Actually Found
What surprised me digging into this wasn't how sophisticated these scams are — it's how little sophistication they need. Most of the fake QR codes documented by police departments weren't elaborate forgeries. They were printer-paper stickers, sometimes a visibly different shade of white than the surface underneath, placed by someone who knew nobody really inspects a parking meter before paying it.
Most security advice focuses on apps and scanner tools that preview links before opening them. Those help, but they miss the simpler habit that actually prevents most of these scams: physically looking at the sticker for two seconds before you scan, not just checking the link after you've already decided to trust it.
If I had to pick one habit to actually keep, it would be treating any QR code on a payment-related surface — meters, parking lots, toll booths — as default-suspicious until proven otherwise. Those are the highest-value, lowest-effort targets for this exact scam.
Full piece with more detail and visuals: lucas8.com/qr-code-scam-parking-meter
Top comments (0)