Medium risk | Text Message Scams

QR Code Scam

This scam uses a malicious QR code, often a sticker over a real one or sent by text, that leads to a fake payment or login page or prompts a harmful app install.

Quick verdict

Risk level: Medium risk
Scam type: Quishing (QR phishing) scam
Main red flag: A QR code that leads to a payment, login, or app-install page you did not expect.
What to do first: Do not enter details or pay. Check the web address the code opens before doing anything, and close it if it looks wrong.

What this scam usually looks like

Example message pattern

Example pattern — not a real report
Example pattern: 'Scan to pay for parking' on a sticker placed over the real code on a meter, opening a page that asks for your full card details and address: [suspicious link]

This is a fictional, anonymised example used to illustrate the pattern. It is not a verified real message, and any names are used only to show how the scam typically reads.

Red flags to watch for

  • A QR code sticker that looks added on top of an original code
  • A scanned code that opens an unfamiliar web address or a misspelt domain
  • A page asking for card, login, or personal details after scanning
  • A code in an unexpected text or email urging you to scan and act fast
  • A prompt to install an app or grant permissions straight after scanning

What to do

  • Check the web address shown in the preview before opening or entering anything
  • Use official apps or type the known website address instead of scanning unknown codes
  • Look closely at meters, posters, and flyers for stickers placed over real codes
  • Close the page if it asks for payment or login details you did not expect
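
The "check the web address" step and the "misspelt domain" red flag can be automated for the text a scanner decodes from a QR code. The following Python is an added example, not part of the original page. It assumes you already know the official domain (the hypothetical cityparking.example); the function names, flag labels and the look-alike threshold of 2 edits are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspelt look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_qr_payload(payload: str, expected_domain: str) -> list[str]:
    """Return red flags for text decoded from a QR code; an empty list means none found."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    flags = [] if parts.scheme.lower() == "https" else ["not-https"]
    if not host:
        return flags + ["no-host"]
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")  # text before '@' is not the site name
    expected = expected_domain.lower()
    tail = ".".join(host.split(".")[-(expected.count(".") + 1):])  # same label count
    if is_ip(host):
        flags.append("ip-address-host")
    elif host != expected and not host.endswith("." + expected):
        if edit_distance(tail, expected) <= 2:   # heuristic threshold (assumption)
            flags.append("lookalike-domain")
        elif expected in host:
            flags.append("expected-name-as-subdomain")
        else:
            flags.append("unfamiliar-domain")
    if parts.path.lower().endswith((".apk", ".ipa", ".mobileconfig")):
        flags.append("app-install-download")
    return flags

if __name__ == "__main__":  # constructed payloads on reserved .example names
    for p in ("https://cityparking.example/pay", "https://citypark1ng.example/pay"):
        print(p, check_qr_payload(p, "cityparking.example"))
```

An empty result only means none of these specific checks fired; it does not show that the page behind the address is genuine.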

If you already clicked or replied

  • Do not enter card, login, or personal details on the page
  • If you entered card details, contact your bank to flag or freeze the card
  • If you installed an app, remove it and review your device's permissions
  • Change passwords for any account where you entered login details

What not to do

  • Do not scan QR codes from unexpected texts, emails, or random stickers
  • Do not enter payment or login details on a page reached only through a scanned code
  • Do not install apps or approve permissions prompted right after scanning

Frequently asked questions

What is 'quishing'?
Quishing is phishing that uses a QR code instead of a clickable link. The code takes you to a fake page or app designed to capture your details or money, while looking ordinary.

Where do scammers place malicious QR codes?
Common spots include stickers over real codes on parking meters, fake flyers and posters, and codes inside unexpected texts or emails. The aim is to reach you where scanning feels normal.

How can I scan a QR code more safely?
Preview the web address before opening it, and avoid entering payment or login details on pages reached this way. When possible, use an official app or type the known address yourself.

What if I already entered my details?
Contact your bank if you shared card details, and change the password for any account you logged into. Acting quickly limits what a scammer can do with the information.

Last reviewed: June 2026

Disclaimer: This page provides educational information only to help you recognise common scam patterns. It is not legal, financial, cybersecurity, or law enforcement advice, and it does not confirm whether any specific message, company, or person is genuine or fraudulent. When in doubt, contact the official organisation directly and report concerns to your local authorities.