Scam QR codes (“quishing”) are everywhere: the practical 2026 guide to paying and signing in safely
The problem (and who it hits)
QR codes are now a default way to pay for parking, view information, or log in. Scammers have noticed. The newest wave of “QR code phishing” (often called quishing) works in two common ways:
1) Public-place sticker swaps: a scammer places a fake QR code sticker on a parking meter, poster, or kiosk. You scan it and land on a payment page that looks official, but sends your money and card details to the attacker.
2) QR codes in messages: you receive an email/text telling you to “scan to verify your account” or “scan to sign in.” The QR code routes you to a fake Microsoft 365/Okta/VPN login page or another credential-harvesting site.
This affects drivers, tourists, and anyone scanning QR codes in public, plus employees/students targeted by QR-based phishing emails.
Why it’s happening (in plain English)
QR codes are just a fast way to open a link. They’re easy to generate, easy to print as a sticker, and easy to place over something legitimate. Agencies have warned that scammers use QR codes to steer people to spoofed sites that collect personal or payment info. (uspis.gov)
Cities have publicly reported cases where fraudulent QR stickers were placed on parking meters to trick people into entering card details on third-party websites. (nyc.gov)
Security agencies also warn about QR codes embedded in phishing emails (“quishing”) that lead to fake login portals (for example, Microsoft 365 or VPN pages), because QR images can bypass some email defenses and victims often scan them on phones outside corporate protections. (techradar.com)
Solutions: what to do (step-by-step)
Solution 1: Pay without scanning public QR codes (best option)
If you’re paying for parking:
1. Use the official parking app you already have installed (e.g., your city’s official app) rather than scanning a QR sticker on the meter.
2. If there’s a meter screen/terminal: pay directly by card at the meter (or use the official website by typing it in yourself).
3. If you’re unsure, search your phone’s app store for the city’s official parking app from the city/authority and install it once, then stop using QR stickers.
Why: NYC DOT explicitly warned that parking meter QR stickers can route you to third-party payment pages, and that secure payments should be made through the official channel. (nyc.gov)
Solution 2: “Tamper-check” any QR code before scanning
If you must scan in public:
1. Look closely: is it a sticker placed on top of another sticker? Is it crooked, bubbled, or newly applied?
2. Check for conflicting instructions: many legitimate meters provide a printed URL/app name; if the QR doesn’t match the printed instructions, don’t scan.
3. Walk away and pay another way if anything looks off.
This is exactly the kind of “sticker over legitimate QR” scenario consumer agencies warn about. (tn.gov)
Solution 3: Preview the link before you tap “open”
Most phone cameras show a preview link when they detect a QR code.
1. Scan the code, but don’t open immediately.
2. Read the domain carefully (misspellings, extra hyphens, weird endings).
3. If it’s a payment page, do not enter card details unless the domain is clearly the official site.
General consumer warnings recommend verifying the destination and avoiding unexpected QR codes pushing urgency. (uspis.gov)
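For readers who build scanners, kiosk apps, or mail filters, the domain check in step 2 can be automated. The sketch below is an added example, not code from any agency or vendor cited here; the allowlisted hosts are constructed placeholders on reserved names, and the 0.8 similarity threshold is an assumption to tune.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist on reserved .example names; use the hosts your city or employer publishes.
OFFICIAL_HOSTS = ("pay.cityparking.example", "sso.campus.example")

def registrable(host):
    """Last two labels only; a production check should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def check_qr_url(payload, official=OFFICIAL_HOSTS):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    reasons = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block", ["malformed URL"]
    if parts.scheme != "https":
        reasons.append("not https")
    if not host:
        return "block", reasons + ["no host"]
    if "@" in parts.netloc:
        # https://official-name@other-host/ shows the official name but connects elsewhere.
        reasons.append("text before @ is not the host")
    if host in official:
        return ("block" if reasons else "allow"), reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    for good in official:
        brand = registrable(good).split(".")[0]
        if brand in host.replace("-", ""):
            # Extra hyphens or extra labels wrapped around the official name.
            reasons.append(f"uses the name '{brand}' but is not on the allowlist")
        elif SequenceMatcher(None, registrable(host), registrable(good)).ratio() >= 0.8:
            # One or two characters off the official domain (misspelling).
            reasons.append(f"look-alike of {registrable(good)}")
    return ("block" if reasons else "unknown"), reasons
```

A verdict of "unknown" means no red flag was found, not that the site is official; only "allow" matches the published host exactly.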
Solution 4: If you already scanned and entered info (damage control)
Act quickly, but calmly:
1. If you entered card details: call the number on the back of your card and ask for the fraud team; request a new card number and dispute unauthorized charges.
2. If you entered login credentials (work/school or personal): change the password immediately from the real site/app (type the address yourself). Then enable stronger MFA (passkeys/app-based) and sign out of other sessions.
3. If it’s a work or school account: contact IT/security and report it as a phishing incident.
4. Run a device security check: update iOS/Android, remove unknown “management profiles” or suspicious apps, and run mobile malware scans if your org provides tools.
(Important nuance: scanning a QR code alone doesn’t automatically drain accounts; the risk usually comes when you proceed to enter credentials/payment info.) (snopes.com)
Quick checklist (save this)
- [ ] For parking, use the official app or pay directly at the meter—avoid QR stickers.
- [ ] Inspect public QR codes for sticker tampering.
- [ ] Preview the URL; watch for look‑alike domains.
- [ ] Never scan QR codes from unexpected emails/texts asking you to sign in or “verify.”
- [ ] If you entered card info: call your bank/card issuer and replace the card.
- [ ] If you entered passwords: change them immediately and enable stronger MFA.
- [ ] Report suspicious QR codes to the venue/city authority.
FAQ
1) Are QR codes themselves unsafe?
QR codes are just a way to open a link. The danger is that scammers can swap the destination to a fake payment or login site. (cnbc.com)
2) How do parking meter QR scams usually work?
A fake sticker QR code routes you to a third-party site that looks official and asks for card details or payment. NYC DOT has warned about this specific scenario. (nyc.gov)
3) I scanned a QR code but didn’t enter anything. Am I okay?
Usually yes. Many warnings note that harm typically happens after you proceed to enter sensitive information or interact further, not merely from scanning. (snopes.com)
4) Why are QR codes now used in phishing emails?
QR images can evade some filtering, and scanning on a phone can move the victim outside typical enterprise protections, leading to credential theft via fake login pages. (techradar.com)
5) What’s the safest habit to adopt?
For payments: don’t scan public QR codes; use a known official app or typed-in official site. For logins: never scan QR codes from unexpected messages; navigate to the service directly. (uspis.gov)
Key Takeaways
- QR-code phishing (“quishing”) is rising because QR codes are easy to spoof with stickers and easy to embed in messages.
- Parking meters are a real-world target: pay via official apps or the meter, not random QR stickers.
- Treat QR codes in emails/texts as a phishing link in disguise.
- If you entered card or password info, act fast: contact your bank, reset credentials, and report.