QR Code Scam Checker
Spot quishing (QR-code phishing) on parking meters, restaurant menus and posted letters — plus the safe-scan rule that defeats every quishing attempt.
Last reviewed: 21 May 2026 · ScamSupport research
Quishing — QR-code phishing — is a scam that hides a malicious web link inside a QR code, so the usual instinct (read a link before you tap it) does not apply. The National Cyber Security Centre describes QR-code fraud as still relatively small next to other kinds of cyber fraud, but it is rising — and it concentrates in open spaces such as car parks and railway stations. This guide covers where malicious codes appear, how the attack works, and how to scan safely.
What quishing is, and why it works
A QR code is just a web link in a form your eyes cannot read. You point a camera at it and trust wherever it goes. That is the entire weakness. You cannot see the destination before you commit to it, and a QR code is a physical thing — anyone can print one and stick it over a genuine code.
It also slips past email security. A QR code in an email is an image, so the link-scanners that would normally flag a malicious URL never see it. The attacker gets a clean path to your screen.
Where malicious QR codes turn up
Car parks — by far the biggest target. Fraudsters stick fake QR codes over the real ones on parking ticket machines and pay-by-phone signs. An investigation by The Bureau of Investigative Journalism found that around a third of UK councils which responded had reported car-park quishing, along with more than a dozen hospitals. You scan the sticker, “pay”, the criminals take the money — and you still get a parking ticket, because you never paid the real operator. Victims are frequently also signed up to a bogus recurring subscription that keeps taking money.
Other common places:
- Posted letters — fake fines, fake bank or HMRC letters, fake “missed delivery” cards with a QR code to “resolve” the problem.
- Emails — a QR-code image used specifically to dodge link filters.
- Restaurant menus, posters and leaflets, where a sticker over the real code is easy to miss.
- EV chargers and other pay-on-the-spot machines.
How a quishing attack actually works
- The code opens a lookalike website — a copycat parking-payment page, or a fake login screen for a bank or service.
- You enter card details, or log in.
- The data is harvested. With parking scams in particular, you are often enrolled in a continuous-payment authority that charges your card again and again.
- In some cases the link instead pushes you to install a malicious app.
Red flags — when not to scan
- A QR code on a sticker — especially one stuck over another code, or slightly crooked or misaligned.
- An unexpected QR code in an email or a letter.
- A QR code that is the only payment option offered.
- After scanning: a web address that is not the official operator’s domain.
- A page asking for more than the task needs — full card details, date of birth, or an account login to pay for parking.
- A prompt to download an app in order to pay.
How to scan a QR code safely
- Check the physical code first. Is it a sticker? Does it look tampered with or placed over something? If so, walk away.
- Use your phone camera’s built-in preview. It shows the destination URL before the page opens — read it. If it is not the official domain, stop.
- For parking, use the official app you downloaded yourself, or type in the phone number or website printed on the machine. Do not rely on a code stuck to the machine.
- Never enter card details on a page you reached only through a public QR code.
- If in doubt, do not scan. Search for the official website or app yourself instead.
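The "read the URL, stop if it is not the official domain" rule can be written down precisely. The Python sketch below is an added example, not ScamSupport's own tool; the function name and the `.example` domains are constructed placeholders. It shows which part of a decoded QR link is the real host and how common lookalike tricks fail an exact-domain check.

```python
from urllib.parse import urlsplit

# Assumption: the operator's real domain, taken from its own app or signage.
OFFICIAL_DOMAINS = {"parking-operator.example"}


def check_qr_destination(payload, official=OFFICIAL_DOMAINS):
    """Return (verdict, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        # .hostname drops any 'user@' prefix and port, and lowercases.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("stop", "malformed link")
    if parts.scheme not in ("http", "https"):
        return ("stop", "not a web link")
    if not host:
        return ("stop", "link has no host")
    # Match the whole host or a true subdomain; the leading dot stops
    # 'fakeparking-operator.example' passing as a suffix match.
    if any(host == d or host.endswith("." + d) for d in official):
        return ("ok", "host matches official domain")
    if parts.username:
        return ("stop", "text before '@' is not the host; real host is " + host)
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return ("stop", "internationalised lookalike host")
    return ("stop", "host " + host + " is not the official domain")


# Constructed sample payloads, as a camera preview might show them.
SAMPLES = [
    "https://pay.parking-operator.example/zone/12",
    "https://parking-operator.example.pay-secure.example/login",
    "https://parking-operator.example@pay-secure.example/login",
    "https://fakeparking-operator.example/pay",
    "https://parkíng-operator.example/pay",
]


def triage(samples=SAMPLES):
    """Return the verdict for each sample, in order."""
    return [check_qr_destination(s)[0] for s in samples]


if __name__ == "__main__":
    for s in SAMPLES:
        print(check_qr_destination(s), s)
```

An "ok" here only means the host matches the list; it says nothing about whether the code itself is a sticker placed over the genuine one.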
What to do if you have scanned a malicious QR code and paid
- Call your bank’s fraud line using the number on the back of your card, and cancel the card.
- Specifically ask the bank to cancel any continuous-payment authority or recurring payment set up — quishing scams routinely enrol victims in repeat charges, and this is easy to miss.
- Report it to Report Fraud at reportfraud.police.uk or on 0300 123 2040.
- Report the fake code to the car-park operator, council or venue so the sticker can be removed before it catches anyone else.
- Watch your statements for recurring charges over the following months, and change any password you entered on the fake page.
Frequently asked questions
Is it dangerous just to scan a QR code, or only if I enter details?
Scanning a code and landing on a page is low-risk on an up-to-date phone. The danger is what you do next — entering card details, logging in, or installing an app. If a scanned code opens an unexpected or off-brand page, close it without entering anything.
How can a sticker in a car park take my money — isn't the machine official?
The machine is official; the QR sticker on it may not be. Fraudsters print fake codes and stick them over the real ones. Your camera cannot tell the difference — only the destination URL can, which is why you should check it before paying.
I scanned a parking QR code and paid — why did I still get a fine?
Because the money went to the criminals, not the parking operator, so as far as the operator is concerned you never paid. This is a common outcome of car-park quishing. Contact your bank, report it, and appeal the fine with evidence of the scam.
Can I get money back after a quishing scam?
Often, if you act fast. Call your bank's fraud line, cancel the card, and specifically ask them to cancel any recurring payment or continuous-payment authority the scam set up. Report it to Report Fraud.
How do I see where a QR code leads before opening it?
Most modern phone cameras preview the destination URL on screen when you point them at a code, before anything opens. Read that URL. If it is not the official operator's domain, do not proceed.
Are QR codes on restaurant menus and posters safe?
Usually, but not always — stickers can be placed over genuine codes anywhere. Check the code is printed rather than a sticker, preview the URL before opening, and never enter payment or login details on a page reached only through a public QR code.
Reviewed by ScamSupport research, 21 May 2026. Sources: National Cyber Security Centre QR-code guidance; The Bureau of Investigative Journalism, 'Quishing' investigation, 2025; Report Fraud (reportfraud.police.uk).