QR Code Scams for Travelers: How to Spot Tampered Menus, Parking Meters, and Fake WiFi Networks

You are at a restaurant in a foreign city. The waiter points to a QR code sticker on the table. You scan it, the menu loads, you order, and you enter your card details to pay. Simple. Efficient.

Except that QR code was a sticker someone placed over the real one thirty minutes before you sat down. The menu you saw was a phishing site. Your card details went straight to a scammer.

QR code scams — called "quishing" (QR + phishing) — are one of the fastest-growing threats for travelers. They work because QR codes are designed to be scanned without thinking. That speed and trust is exactly what scammers exploit.

Here is how these scams actually work, where they are hiding, and the simple habits that keep you safe.

How QR Code Tampering Works

The method is almost absurdly simple. Scammers print their own QR codes on sticker paper, walk through tourist-heavy areas, and paste them over legitimate codes. The sticker looks real — same size, same general appearance — but the encoded URL points to a fake site.

The physical sticker replacement is the most common method because it requires no hacking, no system access, and no technical skill. Just a printer, sticker paper, and thirty seconds of unsupervised access.

The fake destination page usually mimics a legitimate service: a restaurant payment portal, a parking authority site, a transit ticketing page, or a WiFi login screen. The design is convincing because scammers clone the real site's branding. The only difference is the URL — and most people do not check the URL before tapping.

A single successful scan can net a scammer thousands of dollars. A stolen credit card number sells for $20-50 on dark web markets. Entered login credentials sell for more because they unlock entire accounts. This is not a sophisticated attack. It is a volume game: blanket the tourist zones with fake stickers and wait for the percentages to work.

Where QR Code Scams Hit Travelers Hardest

Restaurant Menu QR Codes

This is the most common entry point. Scammers target restaurants that use QR code menus — particularly busy tourist-area spots where staff are stretched thin. A fake sticker over the table's QR code redirects to either:

• A phishing page that harvests payment card details when you try to pay
• A malware dropper disguised as a "menu app" or PDF viewer

The scam works best at peak hours when diners are hungry and waitstaff are too busy to notice a sticker swap. Some scammers work in teams: one distracts the host while another slaps stickers on tables. The whole operation takes under a minute.

In 2025, police in Barcelona arrested a group that had placed over 200 fake QR code stickers on restaurant tables across the Gothic Quarter and Barceloneta neighborhoods. They had collected more than 400 credit card numbers before being caught.

The fix: Check whether the QR code is a sticker or printed directly on the table tent or menu card. If it is a sticker, ask a staff member to confirm the correct code. If the menu page asks for payment before showing you food options, close it immediately.

Parking Meter QR Codes

City parking meters and pay-by-phone kiosks are a prime target. Scammers place fake QR stickers over the meter's legitimate payment code. You scan, enter your license plate and card details on what looks like the official parking app page, and drive off thinking you paid.

Two days later, your card is compromised. The parking ticket you thought you paid is still unpaid — and now accruing fines.

This scam is especially common in tourist-heavy parking zones near airports, beaches, and attractions where visitors are unfamiliar with the local parking system. The fake site often charges a "convenience fee" that pads the scammer's take. Some scammers use the entered license plate number to contest real tickets, adding identity fraud to the mix.

The fix: Use the parking authority's official mobile app instead of scanning the QR code. Download it from your phone's app store before you travel. If you must scan, only scan codes printed directly on the meter housing — not stickers.

Transit Hub QR Codes

Train stations, bus terminals, and airport transit areas are QR scam hotspots. Scammers place fake codes on ticket machines, information boards, and even on the windows of ticket offices.

Common variants include:

• Fake ticket purchase QR codes — scan to "buy" a ticket, enter payment details, get nothing
• Fake schedule QR codes — scan to "view the timetable," which downloads malware instead
• Fake platform information codes — redirect to phishing pages that ask for personal details
• Fake discount passes — scan to "get 50% off" a transit pass, which is just a credential harvester with a countdown timer

Transit scams exploit the stress of navigating unfamiliar systems. Travelers in a hurry are more likely to scan first and think later. The countdown timer on fake discount pages is particularly effective — it creates false urgency that short-circuits caution.

The fix: Use the transit authority's official app for tickets and schedules. Ignore QR codes posted on public surfaces in transit areas. If a code claims to offer a discount or faster service that requires entering payment details, it is a trap. Real transit discounts do not require you to re-enter your credit card through a QR code.

Fake WiFi QR Codes at Airports and Cafes

Free WiFi is a lifeline for travelers, and scammers know it. They place QR codes on tables, walls, and airport seating areas that promise free high-speed internet.

Scanning the code leads to a registration page that asks for your email, phone number, or — in the aggressive variant — your credit card for "identity verification." Some of these pages install tracking scripts. Others attempt man-in-the-middle attacks on your traffic after you connect.

In 2025, Australian Federal Police warned travelers about a coordinated WiFi QR code operation at Melbourne, Sydney, and Brisbane airports. Scammers had placed laminated cards with QR codes on seating and charging stations. The fake registration page collected email addresses, phone numbers, and — for users who clicked past the first page — passport details.

The fix: Ask staff for the official WiFi network name and password. Do not scan QR codes to connect. Use a VPN on any public network. Real free WiFi at airports and cafes does not require a credit card for identity verification.

The Wiggle Test: Your Best Defense

The single most effective way to spot a tampered QR code takes three seconds.

Run your fingernail along the edge of the QR code. If it is a sticker placed over another surface, you will feel the edge. A legitimate code printed directly on the menu, meter, or kiosk will be smooth and flush.

Look for these additional signs:

• Misalignment: The sticker is slightly crooked or not aligned with the printed surface
• Adhesive residue: Sticky patches around the edges where a previous sticker was removed
• Multiple layers: You can see the corner of another QR code peeking out from underneath
• Odd placement: A QR code in an unusual spot — taped to a wall, stuck on a window, placed over another printed element
• Poor print quality: Blurry or pixelated codes compared to the crisp printed ones around them
• New-looking code on worn surface: A glossy, fresh QR code sticker on a faded, weather-beaten meter or sign is suspicious

Safe Scanning Checklist

Before you scan any QR code while traveling, run through this checklist:

1. Inspect the code physically. Is it printed on the surface or stuck on as a sticker? If it is a sticker, do the wiggle test.
2. Check the URL before tapping. Your phone's camera shows a preview of the destination URL. Read it. Does it match the business name? Is the domain spelled correctly? Look for subtle misspellings: pay-parklng.com instead of pay-parking.com.
3. Never enter credentials on a QR-accessed page. If a page asks for login details, payment information, or personal data after scanning a QR code, close it. Legitimate services do not require you to authenticate through a QR code redirect.
4. Use official apps instead. If a parking meter, transit system, or restaurant has an official app, use that instead of scanning the QR code.
5. Ask staff. When in doubt, ask an employee to confirm the correct QR code or provide an alternative — a physical menu, a paper ticket, the WiFi password written down.
6. Trust your gut. If a QR code is in an unexpected place, offers something too good to be true, or the page it leads to looks slightly off, stop. The inconvenience of asking is cheaper than a stolen credit card.

What to Do If You Scanned a Malicious Code

If you realize you scanned a fake QR code and entered information on a suspicious page, act immediately:

1. Contact your bank or card issuer. Report the transaction and request a card freeze or replacement. Do this before disputing individual charges. Most banks have 24/7 fraud lines — call now, not tomorrow.
2. Change any passwords you entered on the site. If you reused those passwords elsewhere, change them everywhere. Use a password manager to generate unique passwords per site.
3. Monitor your accounts for 7-14 days. Some scammers wait before using stolen card details. Enable transaction alerts on your banking app.
4. Report the scam. File a report with the FTC at ReportFraud.ftc.gov and notify local authorities where you encountered the fake code. This helps get the scam codes removed before the next traveler scans them.
5. Run a security scan on your phone. If the site prompted a download, run your device's security scanner to check for malware. On iPhone, no scan is needed for App Store-only downloads. On Android, use Play Protect or a trusted security app.

Why QR Code Scams Are Growing

QR codes became ubiquitous during the pandemic and never left. Restaurants kept digital menus. Parking authorities kept pay-by-phone systems. Transit systems kept QR ticketing. The infrastructure is now permanent, and scammers have had years to study and exploit it.

The barrier to entry is near zero. A stack of 100 printed QR stickers costs less than $20 online. A convincing phishing page can be cloned in minutes using browser developer tools. The return on a single successful scan — a stolen credit card — can be worth hundreds to thousands of dollars.

For the traveler, the QR code has become invisible infrastructure. You see it, you scan it, you move on. That reflex is exactly what scammers count on.

The Bottom Line

QR codes are convenient. They are also the easiest scam vector in modern travel because they bypass every security habit most travelers have built. You would not hand your credit card to a stranger on the street, but you will scan a sticker from one without a second thought.

The fix is not to stop using QR codes. It is to add one step before you scan: look at the code, touch the edge, check the URL. Three seconds that cost you nothing and block the most common scam in the game.

FAQ

Can scanning a QR code infect my phone with malware?

No. The scan itself is harmless — your camera is just reading a pattern of black and white squares. The danger is what happens after: visiting a fake website, downloading a file, or typing credentials into a phishing form. Always check the URL preview your phone shows before tapping to open it.

How can I tell if a QR code sticker has been tampered with?

The wiggle test is your first line of defense. Run a fingernail along the edge — a tampered sticker will have a detectable lip or lift slightly. Also look for crooked placement, adhesive smudges, or a fresh sticker on a weathered sign. If in doubt, ask an employee to confirm the real QR code.

What should I do if I entered payment information on a suspicious QR code page?

Call your bank or credit card company immediately and request a card freeze and replacement. Then change the password for any account whose credentials you entered. Monitor your statements for at least two weeks. Report the incident to the FTC at ReportFraud.ftc.gov.

What is quishing and why is it targeting travelers?

Quishing is QR code phishing — criminals paste fake QR stickers over real ones to redirect you to credential-harvesting websites. Travelers are the primary target because they scan unfamiliar QR codes constantly (menus, parking, transit, WiFi) in environments where they cannot easily verify what is legitimate.

Is it safe to scan a QR code at a restaurant?

Yes, with one check. Confirm the QR code is printed on the menu card or table tent, not a loose sticker on top. If the menu asks for payment information before showing food options, close the page — real restaurant menus show prices and dishes first, payment last.

Can fake WiFi QR codes steal my data?

Yes. Fake WiFi QR codes in airports, cafes, and hotel lobbies lead to phishing pages that collect your email, phone number, or credit card. Some install tracking cookies. Some attempt to intercept your traffic after you connect. Never enter payment details on a public WiFi login page — ask staff for the real network name and password.

Stay Protected on Your Travels

Subscribe to our weekly travel safety alerts for real-time scam warnings, destination-specific tips, and expert advice delivered directly to your inbox. Join thousands of savvy travelers who stay one step ahead of scammers.

→ Subscribe to Travel Safety Alerts

Related Reading

• AI Travel Scams 2026 — Voice clones, deepfake listings, and synthetic booking fraud
• 25 Scam Red Flags Every Traveler Should Know — The complete warning signs reference
• Travel Scams to Avoid — Comprehensive guide to the most common travel scams worldwide
• Fake Google Ads Booking Scams — How scammers hijack search results to steal bookings