QR Code Scams: 5 Quishing Variants and the Type-the-URL Rule

A fake QR-code sticker placed over (or next to) the legitimate QR code on a city parking meter routes drivers to a phishing site that captures credit-card info. NYC DOT issued a public warning in 2025. Real city parking codes are printed directly onto the meter housing, etched into metal, or printed under a clear protective laminate; if the QR is on a peelable sticker, it has been added or modified. The protective rule: type your city's parking-payment URL directly, or pay the meter with coins or card-tap if available.

A representative case from NYC DOT advisories and r/Scams threads: a driver parks in midtown Manhattan, scans the QR code on the meter to pay, and is routed to what looks like the official ParkNYC site — same color scheme, same logo, similar URL. She enters her credit-card information and pays $7.50 for two hours. Two days later her card shows $1,400 in charges from gas stations in different states. The QR code she scanned was a sticker placed over the real ParkNYC code; the destination was a phishing site that captured her full card details and mimicked a successful payment. Real ParkNYC payments work without entering card details — the city uses the official ParkNYC mobile app or the meter's own card-tap reader, both of which keep card data within established payment processors.

The variant has appeared in NYC, Austin, Houston, Atlanta, San Francisco, Boston, San Diego, Denver, and dozens of other U.S. cities in 2025. The protective infrastructure is the city parking authority's own app or the meter's physical card-tap reader. Drivers who default to the physical card-tap or the official app rather than scanning the meter's QR code structurally avoid the variant.

What stops it is the type-the-URL or use-the-app rule. For city parking, install the city's official parking app directly from the App Store or Google Play (search the official app name like ParkNYC, ParkMobile, PayByPhone). Do not scan QR codes on parking meters. If you have already scanned a fraudulent QR code and entered card details, dispute the charges immediately with your card issuer and call the issuer's fraud line. File at reportfraud.ftc.gov and report the parking-meter location to your city's transportation authority.

A fraudulent QR-code sticker placed on a restaurant menu or table tent routes diners to a phishing site that captures credit-card info while pretending to be the restaurant's ordering system. The variant exploits the QR-menu habit normalized during 2020-2022 and continued by many restaurants. Real restaurant QR codes are usually printed under laminate or onto laminated plastic table tents; a fresh paper sticker on top is the diagnostic.

A representative case: a diner at a casual restaurant scans the QR code on the table tent to pay her bill. The page that loads looks like a generic restaurant payment system — restaurant name visible at the top, item list correct, total $47.50. She taps "Pay with Card," enters her card information, and the page confirms the payment. Three days later the card statement shows the $47.50 to the restaurant plus an additional $2,800 in unauthorized charges to a chain of online merchants. The actual restaurant's payment system never received the $47.50 — the QR code routed to a phishing site that captured her full card details, and the restaurant's actual server brought a paper bill twenty minutes later when she had not paid through their official system.

The variant is structurally similar to parking-meter QR fraud — physical sticker overlay on a legitimate code — but harder to spot because restaurant QR codes vary widely in format (paper inserts, plastic stands, printed-on-menu, QR code on receipt) and diners do not have a strong baseline for what the legitimate code should look like. The protective rules: ask the server to confirm the menu / payment URL before scanning, type the restaurant's URL directly, or pay at the counter with the server. Avoid entering credit-card information on any QR-code-reached restaurant ordering page; pay at the counter or with the server using a card-tap reader instead.

What stops it is server-mediated payment plus URL verification. Pay at the counter or with the server using a physical card-tap or chip reader rather than through a QR-code-reached payment page. If you must use the QR code, ask the server to confirm the URL and inspect the destination domain before entering card information. If scammed, dispute the charges immediately and report to the restaurant (whose physical menu was tampered with) and to the FTC.

An unsolicited package arrives at the recipient's address with a QR code attached. The QR code routes to a phishing site that captures personal information (or in some cases installs malware). The FBI's 2025 alert documents the variant explicitly: "Unsolicited Packages Containing QR Codes Used to Initiate Fraud Schemes." The structural feature: an unexpected package alone is not the scam, but the QR code attached to it is.

A representative case from FBI alert documentation: a recipient finds an unmarked package on the doorstep containing a small consumer item (lip balm, USB cable, costume jewelry — items with low retail value). Attached to the package or printed on the inside of the box is a QR code with text reading "Scan to identify the sender" or "Scan to verify delivery." The QR code routes to a page asking for the recipient's name, address, phone number, and date of birth. In other variants, the page captures payment information for a "small return-shipping fee" or installs a tracking app on the recipient's phone. The package itself is the bait; the QR code is the actual fraud vector.

The variant overlaps with brushing scams (where unsolicited packages are sent to addresses to support fake reviews on e-commerce platforms) but the QR-code variant adds a fraud-extraction layer to the brushing infrastructure. The FBI's 2025 alert is unambiguous: do not scan QR codes attached to unsolicited packages. If you receive an unexpected package, contact the carrier (USPS, FedEx, UPS, Amazon) directly through their published number to verify the delivery, and dispose of any unsolicited package without scanning anything.

What stops it is the FBI's protective rule. Do not scan QR codes attached to unsolicited packages, regardless of what the messaging claims. If the package is genuinely unexpected, contact the carrier directly through their published number to verify before any scanning. If you have already scanned and provided personal information, place fraud alerts at the three credit bureaus, change passwords for any accounts that may have been compromised, and file at reportfraud.ftc.gov + ic3.gov.

A text message claims the recipient owes a small amount ($5-$15) in unpaid tolls and includes a QR code or link to pay. The destination phishing site mimics the state toll authority (E-ZPass, Sunpass, EZ-TAG) and captures credit-card info. Major waves hit Illinois, New Jersey, Virginia, and several other states in June-July 2025. Real state toll authorities communicate unpaid-toll notices by mail through the registered owner of the vehicle, not by text.

A representative case: a driver in New Jersey receives a text on a Tuesday morning: "E-ZPass Tolls Service: You have an outstanding toll balance of $12.75. Pay now to avoid a $50 late fee. [QR code or link]." She scans the QR code; the page is a polished E-ZPass clone with the agency's logo, layout, and a payment form. She enters her credit-card information to pay the $12.75 plus a $2 "convenience fee." The page confirms the payment. Three days later her card shows the $14.75 charge plus an additional $3,400 in unauthorized charges. The real E-ZPass NJ system has no record of any unpaid balance on her account. The text was a bulk-send fake; the QR code routed to a phishing site that captured her card details.

The toll-text wave that hit IL / NJ / VA in June-July 2025 generated thousands of complaints to state DOTs and consumer-protection offices. The protective architecture is straightforward: real state toll authorities mail unpaid-toll notices to the registered owner of the vehicle through USPS, with a printed account number and payable amount, and the resolution path is to log into the toll authority's published website (typed directly) to verify and pay. Texts claiming unpaid tolls are diagnostic of fraud across all U.S. state toll authorities.

What stops it is the type-the-URL rule plus the no-text-from-tolls rule. State toll authorities never text about unpaid tolls. If you receive a text claiming unpaid tolls, type your state's toll-authority URL directly (e-zpassny.com, sunpass.com, ez-tag.com, etc.) to verify your account balance. If you have already paid via the fake text, dispute the charges immediately and report at reportfraud.ftc.gov + your state DOT consumer-protection line.

A phishing email contains a QR code (typically as an embedded image) routing to a credential-harvesting page mimicking Microsoft 365, Google Workspace, Okta, or the employer's SSO portal. The QR-code framing bypasses traditional email spam filters. The variant has surged in 2025 according to multiple corporate-security advisories. The protective rule for workplace contexts: never scan a QR code in an unsolicited email; verify with IT through the established helpdesk channel before scanning.

A representative case from corporate-security advisories: an employee at a mid-size company receives an email purporting to be from IT, with a subject line like "Your password expires in 24 hours — scan to reset" and a body containing a QR code as an embedded image. The recipient scans the QR code with their phone; the page loads what looks like the company's SSO portal, asks for the employee's username and password (and sometimes a second-factor token), and "fails" the login with a generic error. The credentials have been captured. The attacker then uses the captured credentials to access the corporate environment from the attacker's network, typically from outside the geofence the SSO would block on a desktop login.

The QR-on-mobile aspect is structural: scanning a QR code with a phone routes the credential-harvesting page to the phone's browser, which is outside the corporate desktop's protected network and outside many of the security controls that would catch a desktop-side phishing attempt. Mobile devices typically lack the URL-inspection plugins, certificate-pinning enforcement, and DNS-filtering that desktop browsers in corporate environments have. Email-security vendors (Microsoft Defender, Proofpoint, Mimecast) have begun adding QR-OCR scanning in 2024-2025, but coverage is uneven and lagging behind attacker innovation.

What stops it is the IT-helpdesk verification rule. Never scan a QR code in an unsolicited work email, even if it appears to be from your IT department. Verify the request through the established IT-helpdesk channel before scanning. If you have scanned and entered credentials, contact your IT-security team immediately (the established channel, not via the phishing email). Change the password through the SSO portal directly (typed URL), enable additional MFA factors, and notify any teams whose accounts may have been compromised.