Stop Scanning QR Codes. The Parking Meter Sticker Hiding a Massive Cyber Threat.
QR code phishing surged 400% — and that innocent square on the meter might be a trap door to your bank account.
The Everyday Action That's Become a Trap
But in 2026, that innocent little square could drain your bank account. The FBI warned in a 2022 Public Service Announcement that cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information. Since then, the problem has exploded: QR code phishing attacks — known as "quishing" — increased 400% between 2023 and 2025. Microsoft found that 25% of all email phishing attacks in late 2024 used QR codes as the primary lure.
- Any QR code in a public space — parking meters, EV chargers, bike-share kiosks, restaurant tables
- QR codes in emails asking you to 'scan with your phone' instead of clicking a link
- A QR code that redirects to a payment page you weren't expecting
- 73% of people scan without checking — scammers are counting on that habit
Stop treating QR codes as trustworthy by default. A QR code is just a link you can't read — and that invisibility is exactly why criminals love them.
Why QR Codes Are the Ultimate Disguise
When a scammer sends you a text link that says chase-bank-secure-alert.info, your brain might spot the fake domain. But a QR code completely hides the destination URL until you've already scanned it — bypassing your natural ability to spot danger.
The scale of this threat is massive. Today, 26% of all malicious links are delivered via QR codes. Over a recent 12-month period, security researchers detected more than 3 million unique malicious QR codes in circulation. Whether you're paying for parking or checking a work email, you're a target.
- QR codes hide the destination URL — you can't visually inspect them like a text link
- 26% of all malicious links now arrive via QR code
- 3 million+ unique malicious QR codes detected in a single year
- Corporate email filters can't scan QR codes the way they scan URLs
Think of every QR code as a link you can't see. You wouldn't click a blacked-out hyperlink in an email — apply the same skepticism to any QR code you encounter.
Two Attack Vectors: Physical Stickers and Digital Traps
The physical sticker overlay. Criminals print high-quality, weather-resistant QR code stickers and physically slap them over legitimate codes on public parking meters, EV charging stations, bike-share kiosks, and restaurant tables. When you scan what you think is the real code, you're redirected to a pixel-perfect fake payment page. Austin police found fraudulent QR stickers on 29 parking meters, directing users to a fake payment domain. The investigation began after San Antonio discovered over 100 tampered pay stations. Houston found similar stickers on its meters shortly after.
The digital QR code in emails and documents. Scammers embed QR codes in phishing emails instead of traditional links because QR codes bypass most email security filters that scan URLs. Cofense reported a 331% year-over-year increase in QR code phishing campaigns. QR code payloads in phishing emails jumped from just 0.8% in 2021 to 12.4% in 2023. In mid-2024, researchers detected half a million phishing emails containing QR codes embedded in PDFs alone. The FBI issued a fresh warning in July 2025 about unsolicited packages containing malicious QR codes — scammers are now mailing physical items with codes that initiate fraud.
- Physical QR sticker feels raised, has a different texture, or looks misaligned over the original
- Work email asks you to scan a QR code with your personal phone — a deliberate filter bypass
- The scanned URL domain is slightly misspelled (poybyphone vs. paybyphone)
- The 'payment portal' asks for full card details for a routine transaction
For physical codes: run your finger over the edge before scanning. If you feel a raised sticker or see misalignment, don't scan it. For email QR codes: if a work email asks you to scan something with your personal phone instead of clicking a link, it's almost certainly an attack.
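The misspelled-domain sign listed above (poybyphone vs. paybyphone) can be checked mechanically once a scanner has decoded the URL. The Python below is an added example, not part of the original article; the allowlist, the naive last-two-labels domain split and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist; replace with the payment domains you actually expect.
EXPECTED = {"paybyphone.com", "city-parking.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def assess(url: str):
    """Return (verdict, matched_domain) for a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host or parts.username is not None:
        return ("reject", None)          # not HTTPS, no host, or user@host trick
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("reject", None)          # punycode label: possible homograph
    domain = registrable(host)
    if domain in EXPECTED:
        return ("expected", domain)
    for good in sorted(EXPECTED):
        brand = good.split(".")[0]
        # Near-miss spelling, or the brand name buried inside another domain.
        if edit_distance(domain, good) <= 2 or brand in host:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed sample URLs, as a QR decoder would hand them over.
SAMPLES = [
    "https://paybyphone.com/zone/1234",
    "https://poybyphone.com/pay",
    "https://paybyphone.com.meter-pay.example/",
    "https://example.org/menu",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(assess(u), u)
```

An "unknown" verdict is not a pass: it only means the domain resembles nothing on the allowlist, so the URL still needs the manual preview described in this article.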
Update: IRS Confirms QR Codes as a Top 2026 Threat — and What Happens After You Scan
And here's what makes 2026 quishing even more dangerous: what's waiting on the other side of that QR code has gotten dramatically better. A phishing-as-a-service platform called Starkiller, detailed by Abnormal Security and Infosecurity Magazine, uses a reverse proxy to load the actual login page of whatever brand it's impersonating — Google, Microsoft, your bank — inside a headless Chrome container. The victim interacts with the real website through an invisible middleman. That means even multi-factor authentication tokens are captured and relayed in real time, giving attackers instant access to your account.
The combination is devastating: a QR code you can't visually inspect, leading to a login page that IS the real page, capturing credentials AND MFA codes. The old defenses — "check the URL" and "use two-factor auth" — are both weakened simultaneously.
- IRS Dirty Dozen 2026 officially lists QR code phishing as a top tax scam
- Starkiller phishing kit proxies REAL login pages — the fake site IS the real site
- Multi-factor authentication (MFA) tokens are captured in real time via reverse proxy
- Sold as a subscription service (SaaS) — this is commercialized, scalable crime
MFA is still better than no MFA — but it's no longer a guarantee. For high-value accounts (email, banking), switch to hardware security keys (like YubiKey) which are resistant to reverse-proxy phishing. And never scan a QR code in an email claiming to be from the IRS — the IRS does not send QR codes.
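Why a hardware key holds up where a typed code does not, shown from the verifying server's side. This Python is an added example, not from the original article or any vendor: it contrasts RFC 6238 TOTP verification, which has no notion of where the code was entered, with the origin-binding checks a relying party applies to a WebAuthn assertion. The names bank.example and proxy.example are placeholders, the assertion is a constructed stand-in, and signature verification is omitted.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "bank.example"                    # assumption: placeholder relying party
EXPECTED_ORIGIN = "https://bank.example"

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # No input here records which site the user typed the code into,
    # so a code relayed by a proxy within the time step still verifies.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> bool:
    """Origin-binding checks on a WebAuthn assertion (signature check omitted)."""
    cd = json.loads(client_data_json)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == EXPECTED_ORIGIN      # written by the browser, not the page
            and hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()))

def constructed_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator would return."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return cd, auth_data

if __name__ == "__main__":
    secret, now, ch = b"constructed-secret", 1_700_000_000, b"constructed-challenge"
    print("relayed TOTP accepted:", verify_totp(secret, totp(secret, now), now))
    print("genuine origin accepted:",
          check_assertion_binding(*constructed_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    print("proxied origin accepted:",
          check_assertion_binding(*constructed_assertion("https://login.proxy.example", "proxy.example", ch), ch))
```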
The ScamSignal Defense Protocol
The Finger Test. Before scanning a physical QR code in public — especially on a parking meter or EV charger — run your finger over the edge. If you feel a raised edge, a different paper texture, or see misalignment, it's a malicious sticker placed over the real code. Walk away.
The Preview Pause. Never blindly tap to open a scanned link. When you point your smartphone camera at a QR code, modern operating systems pop up a preview of the URL. Stop and read it. If the domain looks slightly off, unusually long, or confusing, close your camera immediately.
Go direct to the source. Instead of scanning a parking meter code, download the city's official parking app (like ParkMobile) directly from your phone's verified app store and enter the zone number manually. The same principle applies to restaurant menus — ask for a physical one if the QR code looks suspect.
If you already scanned a bad code and entered payment info — call your bank immediately to freeze the card and monitor your statements for unauthorized charges.
Slow down, preview the URL, and never let a simple sticker steal your financial security. The two-second pause between scanning and tapping is your entire line of defense.
A QR code is just a link you can't read — and that's exactly why criminals have made it their weapon of choice. Quishing surged 400% because people trust what they can't inspect. Your defense is simple: finger-test physical codes for stickers, always preview the URL before tapping, and go direct to official apps instead of scanning. Two seconds of skepticism is worth more than a frozen bank account.
QR Code Phishing (Quishing)
Malicious QR codes placed over legitimate ones on parking meters, restaurant menus, EV chargers, and in phishing emails. 26% of all malicious links are now delivered via QR code, and 73% of Americans scan codes without verification. Because QR codes hide the URL, they bypass the most basic scam detection: checking the link before clicking.
Fake Package Delivery Notification
Fraudulent texts or emails from fake USPS, FedEx, UPS, or Amazon accounts claiming a package can't be delivered, needs rescheduling, or requires a small redelivery fee. The #1 most-reported text scam narrative in 2024 per FTC Data Spotlight (April 2025). $470M reported lost in text-contact fraud, with $1,000 median loss per victim.
Toll Road Payment Scam (SunPass / E-ZPass)
Fake texts claiming you owe a small toll fee with a link to a spoofed payment site. The top new scam of 2025, up 900% in one year. The small dollar amount ($3-$12) is intentional — it feels believable and not worth questioning.
IRS Tax Refund Phishing
Fake IRS emails or texts about unclaimed tax refunds, stimulus payments, or tax credits directing victims to phishing sites that harvest Social Security numbers, banking details, and other PII. Tax-related scams cost an average of $8,199 per person in 2024.