That QR Code on the Parking Meter Might Not Be the Council's

June 7, 2026 · 6 min read

TL;DR - Scammers print professional-looking QR stickers and paste them straight over the real ones on parking meters, restaurant tables, and EV chargers. Your phone opens a page that looks exactly like the official payment site, and it quietly takes your card. The technique is called quishing (QR + phishing) and it is one of the fastest-growing scams going. What you need to do: treat any QR code you did not generate yourself as untrusted, check the web address that pops up before you tap it, never enter card details on a page you reached only by scanning a sticker, and when in doubt pay through the official app or website you find yourself.

By The Numbers

| What | Number | Source |
| --- | --- | --- |
| Growth in QR-code phishing in a single quarter (Q1 2026) | +146% | Microsoft threat research |
| QR-phishing emails seen, August vs November 2025 | ~47,000 → ~249,000 | Microsoft threat research |
| Phishing threats Microsoft analysed to find the surge | 8.3 billion in 3 months | Microsoft threat research |
| Time it takes to stick a fake QR sticker over a real one | ~30 seconds | - |
| Cost of the equipment to do it | ~$0 (a printer) | - |
| Time the 5-second check below takes | 5 seconds | - |

The sticker you will never notice

A QR code is just a link wearing a costume. You cannot read it with your eyes, so you have no way of knowing where it goes until your phone tells you, and by then most people have already tapped through. That is the entire weakness the scam exploits.

Here is how it plays out in a car park. A scammer prints a sticker with their own QR code on it, in the same style as the council's, and presses it neatly over the real one on the pay station. You roll up late for an appointment, scan it the way you have a hundred times, and land on a page that looks like the parking app. It asks for your rego, your card, maybe your phone number. You pay. The "session" never reaches the council, your card details are now sitting on a scammer's server, and you find out a week later when something odd shows up on your statement.

Authorities in the UK warned in early 2026 that parking-meter quishing had become common enough that scanning any QR code on a meter should be treated with suspicion. It is the same playbook on restaurant tables, on EV chargers, on parcel-delivery notices, and on posters stuck up in public. Anywhere a real QR code lives, a fake one can be pasted on top.

Why this is exploding right now

This is not a niche, theoretical risk. Microsoft's threat researchers, sifting through 8.3 billion phishing threats over three months, found QR-code phishing jumped 146% in the first quarter of 2026. The volume of QR-phishing emails they tracked went from around 47,000 in August 2025 to over 249,000 by November. The technique works, so the criminals are pouring into it.

It works for a simple reason. We were all trained during the pandemic to scan QR codes without thinking. Menus, check-ins, payments. Scanning became a reflex, and reflexes are exactly what scams are built to ride. The fake code does not need to fool you for long. It just needs you to act before you look, the same psychology behind the fake toll-road texts flooding Australian phones.

The 5-second check I do now

I changed how I treat any QR code I did not create myself, and it is a small habit shift, not a lifestyle change.

  1. Before you tap, read the preview. When you point your camera at a QR code, your phone shows the web address before opening it. Stop on that for one second. Does the domain actually match who you think you are dealing with? A council parking site will not live at secure-pay-portal-au.com. If the address looks off, generic, or has nothing to do with the place you are standing in, do not tap.
  2. Check the sticker physically. A fake QR is usually a sticker laid over the original. If you can see an edge, a bubble, a second code underneath, or a sticker that looks newer than everything around it, that is your tell. Councils that want peel-resistant codes laminate or engrave them; a paper sticker on top is a red flag.
  3. Never enter card details on a page you only reached by scanning. This is the one that actually saves you. Even if the page looks perfect, your card does not belong on a site you got to from a sticker. Real payment flows let you pay through the official app or a site you can find yourself.
  4. When in doubt, go the long way. Open the official parking app, or search for the operator yourself, and pay there. It costs you two minutes. The scam needs you to skip those two minutes.

That is it. The whole defence is putting a one-second look between the scan and the tap.
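For readers who run a payment kiosk, an internal scanner app, or just like seeing the rule written down, here is step 1 as code. This is an added example, not something from a council or vendor: the trusted host `parking.example-council.gov.au`, the function name `check_qr_url`, and the sample URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the operator's real payment host, learned out of band
# (official app or website). Placeholder domain, not a real council.
TRUSTED_HOSTS = {"parking.example-council.gov.au"}

def check_qr_url(decoded: str, trusted=TRUSTED_HOSTS) -> list[str]:
    """Return reasons to distrust a decoded QR payload; an empty list means it matches."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["not a parseable URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username or parts.password:
        # "https://real-site@other-site/" opens other-site, not real-site
        reasons.append("userinfo before '@' hides the real host")
    if not host:
        return reasons + ["no host in the link"]
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible lookalike characters)")
    if host not in trusted:
        if any(t in host for t in trusted):
            reasons.append("trusted name embedded in a different domain")
        reasons.append(f"host {host!r} is not on the trusted list")
    return reasons

# Constructed sample payloads, as a phone would decode them from a sticker.
SAMPLES = [
    "https://parking.example-council.gov.au/pay?bay=12",
    "https://secure-pay-portal-au.com/parking",
    "https://parking.example-council.gov.au@secure-pay-portal-au.com/pay",
    "https://parking.example-council.gov.au.secure-pay-portal-au.com/",
    "http://parking.example-council.gov.au/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict = check_qr_url(url)
        print("OK  " if not verdict else "STOP", url)
        for reason in verdict:
            print("       -", reason)
```

The third and fourth samples are the ones a one-second glance tends to miss: the familiar name is in the address, but it is not the part the browser actually connects to.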

What to do if you already scanned one

If you entered card details into a page you now suspect was fake, do not panic; act in order. Call your bank and have the card frozen or cancelled (the number is on the back of the card or in your banking app). Watch the account for transactions you do not recognise and dispute them. If you entered other details like your address or phone number, be extra wary of follow-up calls "from the bank", because scammers who already have your details are far more convincing. Report it to Scamwatch so the pattern gets tracked, and read the ACSC's guidance for the current advice.

The one habit that matters

If you forget everything else, keep this: a QR code is a link you cannot see, so never let it skip the step where you check the link. You already do this with dodgy emails. Do it with stickers too.

Forward this to the person in your life who scans first and thinks later. You know who they are.

Stay safe out there,

Mathew Clark
Founder, SecureInSeconds
Currently: squinting at every parking meter like it owes me money

FAQ

Are QR codes safe to scan?
A QR code itself is harmless; it is just a link. The risk is where the link goes. Scanning is safe as long as you check the web address before you tap it open and never enter payment or login details on a page you reached only by scanning a code in public.

How do I know if a QR code is fake?
Two checks: physically, look for a sticker placed over the original (edges, bubbles, a code underneath); digitally, read the web address your phone previews before opening it and confirm it matches the real organisation. A mismatch on either is enough to walk away.

What is quishing?
Quishing is phishing that uses a QR code as the bait instead of a link in an email or text. The code sends you to a fake page designed to capture your card details or login.

I scanned a fake QR and paid. What now?
Freeze or cancel the card immediately through your banking app or by calling your bank, watch for and dispute unknown transactions, be suspicious of any follow-up "bank" calls, and report it to Scamwatch.
