QR code payment scams
A QR code on a parking meter, a fake invoice, or a sticker over the real one can send you to a counterfeit payment page that captures your card. Scanning hides the destination, which is exactly the point. Here is how QR scams work.
What it is
A link you cannot read
A QR code is just a link you cannot see with your eyes. Scammers exploit that by placing malicious codes on parking meters, restaurant tables, invoices, and flyers, or by pasting a sticker over a legitimate code.
Scanning it can open a convincing fake payment or login page. Because the destination is hidden until you scan, QR scams, sometimes called quishing, slip past the instinct to check a link before clicking.
The playbook
How the scam works
1. Place the code. A malicious QR appears on a meter, invoice, package, or as a sticker over the real one.
2. Offer convenience. "Scan to pay" or "scan to verify" feels faster than typing an address.
3. Land on a fake page. The code opens a counterfeit payment or login screen that looks legitimate.
4. Capture your details. Your card or credentials are harvested, and the real bill goes unpaid.
Red flags
Warning signs to watch for
- A QR code sticker that looks added on top of an existing one.
- A code that asks for payment or login on a page you did not expect.
- The web address after scanning does not match the official business.
- Urgency, like a short window to "pay or be fined."
- Unsolicited QR codes in emails, letters, or on random flyers.
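The address check from the third warning sign can be automated once the code has been decoded. The following is an added example, not FraudScope's code and not part of the original page: it compares a decoded QR payload with the host the business actually publishes and reports common decoy patterns. `OFFICIAL_HOSTS`, `check_qr_destination`, and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the one host the business publishes for payments (constructed value).
OFFICIAL_HOSTS = frozenset({"pay.cityparking.example"})


def check_qr_destination(payload, official_hosts=OFFICIAL_HOSTS):
    """Return the reasons a decoded QR payload should not be trusted for payment."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # e.g. malformed IPv6 brackets
        return ["unparseable"]
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if not host:
        return findings + ["no-host"]  # plain text, Wi-Fi config, etc.
    if parts.username is not None or parts.password is not None:
        # Text before '@' is ignored for routing but can display a trusted name.
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # not an IP literal
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        findings.append("idn-host")  # possible look-alike characters
    if host not in official_hosts:
        findings.append("host-not-official")
        if any(o in payload.lower() for o in official_hosts):
            findings.append("official-name-used-as-decoy")
    return findings


# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://pay.cityparking.example/zone/12",
    "http://pay.cityparking.example/zone/12",
    "https://pay.cityparking.example@203.0.113.7/pay",
    "https://pay.cityparking.example.billing-portal.test/checkout",
    "https://xn--cityprking-x9a.example/pay",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_qr_destination(s) or "matches official host")
```

An empty result only means the host matches the published one over HTTPS; it says nothing about whether the sticker itself is the original.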
How FraudScope helps
Check the code’s destination
When a QR code leads somewhere suspicious, paste the link into FraudScope. With URL Deep Inspection (a Pro feature) it reveals the true destination, the domain’s age, and its certificate before you ever enter a card.
Analysis runs entirely on your iPhone and makes no network requests. The only time FraudScope touches the internet is if you tap Inspect URL to check where a link really goes, and it tells you before it does.
Questions
Frequently asked
How can a QR code be dangerous?
A QR code simply encodes a web address you cannot read by eye. A malicious one can send you to a fake payment or login page, so the danger is the hidden destination. Always confirm where a code leads before entering any details.
How do I pay safely instead of scanning a code?
Use the official app or website of the business or parking service directly, typed or opened yourself. Avoid QR codes on stickers, unsolicited mail, or anything that looks added on top of an existing label.
Does FraudScope send my messages anywhere?
No. Analysis runs entirely on your iPhone with no network connection. The only time it contacts the internet is if you choose to inspect a link’s destination, and it tells you before it does.
Will FraudScope catch every scam?
No tool can. FraudScope is strongest with the full content of a message and weaker with a bare screenshot that has no link or sender. It is a powerful second opinion, not a guarantee. When in doubt, slow down and check with someone you trust.
Read the scam before it reads you
FraudScope explains what a suspicious message is really trying to do, entirely on your iPhone. Now available on the App Store.