QRsafer LogoQRsafer
QR Code Scams at Campgrounds and National Parks: What to Know Before You Scan
← Back to blog

QR Code Scams at Campgrounds and National Parks: What to Know Before You Scan

Campgrounds and national parks rely on QR codes for reservations, day-use passes, and trail maps — but remote, low-connectivity settings make it nearly impossible to verify a URL before you hand over your card. Here's what scammers are doing and how to stay safe.

2026-05-01 · QRsafer Team

You pull into the campground after a long drive, and a small kiosk at the entrance displays a QR code: scan to pay your site fee and proceed. You're tired, the kids are restless, and the process takes ten seconds. You scan, enter your card, and move on.

That transaction may have gone nowhere near the campground.

Campgrounds, national parks, and state recreation areas have increasingly shifted to QR-code-based payment and information systems — reservation kiosks, day-use pass displays, trail-map downloads, and fee-envelope stations have all adopted scan-to-pay or scan-to-access formats. The problem is structural: these kiosks are unattended, often unstaffed overnight, located in remote areas with limited cellular service, and visited by people whose focus is on getting to their site, not scrutinizing a URL. It's a near-perfect environment for the same sticker-QR-code attack that targets parking meters and other unattended payment terminals.

Here are the three variants operating at campgrounds and parks right now.

Variant 1: Fake reservation and site-fee payment QR codes

This is the most financially damaging variant, and it works because it targets people at the moment they expect to pay.

An attacker visits the campground entrance kiosk — typically a self-pay station or an electronic fee board — and places a printed sticker QR code over the legitimate one. The sticker is sized to cover the original exactly. At a campground entrance that processes dozens of transactions a day, and where staff may only visit the kiosk once or twice daily to collect fee envelopes, the tampered code can remain in place for days.

The destination is a page that mimics the campground's or park's payment interface: a plausible fee summary, a field for your card number, and a "confirm" button. After you submit, you receive no confirmation receipt, and the real park fee system has no record of payment. Campers sometimes discover the problem only when a ranger visits their site and informs them they haven't paid.

The tell: Legitimate Recreation.gov pages use only the recreation.gov domain. State park payment pages use an official government domain (look for .gov). If the URL in your browser shows anything else — particularly a domain with hyphens, extra words, or an unfamiliar payment processor — close the browser immediately and pay by fee envelope or call the park.

Variant 2: "Scan to display your day-use pass" QR codes

The second variant targets day visitors — hikers, picnickers, and beach-goers who need to display a paid day-use permit on their dashboard.

Attackers leave printed flyers on windshields in trailhead parking areas, or place sticker QR codes on pay-station signs. The message is urgent and plausible: "NEW — Display your day-use pass digitally. Scan to pay and display." The QR code leads to a fake fine-payment portal that mimics the park authority's website, collects a "permit fee," and promises a digital pass that never arrives.

Because day-use permits are a real and common requirement at popular national parks and recreation areas, visitors don't question the premise. The low transaction amount (typically $5–15) also means many victims assume the charge went through correctly and don't notice until they're turned away at the trailhead — or until an unexpected charge appears on their statement.

This variant is closely related to traffic-ticket payment scams, which use the same urgency-and-authority playbook to collect fake fines via QR code.

The tell: Legitimate day-use payment and display instructions appear on posted signage that matches the park service's official fonts and branding, and the URL will be a .gov domain. Any QR code left on your windshield by a stranger should be ignored — contact the park directly if you're unsure about permit requirements.

Variant 3: Fraudulent trail-map and nature-center QR codes

The third variant harvests personal information or installs tracking apps under the guise of free, useful content.

Fake QR codes on nature-center display boards, trailhead information posts, or campground bulletin boards offer a "downloadable trail map," a "campground guide," or a "wildlife spotting list." The QR code leads to a form requesting your name and email "to send the PDF," or to a link that downloads an app outside the official app stores. The email address is used for phishing follow-up campaigns; the fake app may request location and contact permissions beyond what a trail-map app would ever need.

Nature-center kiosks and trailhead bulletin boards are easy to add signage to — a printed card slipped into a display rack or taped to a post requires no technical access.

The tell: Official park trail maps are always available directly on the park's website, through the official Recreation.gov app, or as printed copies at the ranger station — free and without entering your email. Any QR code that leads to a form before giving you a map is a red flag.

What to do if you entered payment information on a suspicious page

If you entered card details: Contact your card issuer immediately and report the charge as potentially fraudulent. Request a new card number and monitor your statements for small test charges.

If you were charged but received no confirmation: Call the campground or park directly using the number on their official website (.gov or recreation.gov) to verify whether payment was received.

If you downloaded an app: Delete it immediately. Review the permissions it requested and revoke any access it was granted. Check for apps with similar names in your phone's installed apps list.

What to remember at campgrounds and national parks

  • Unattended kiosks in remote locations are among the easiest targets for sticker QR code attacks — assume any unfamiliar URL on an outdoor payment terminal deserves scrutiny.
  • Low or no cellular service means you may not be able to load a second tab to verify the URL — when in doubt, pay by fee envelope with cash or check and move on.
  • Summer camping season brings peak attacker activity alongside peak visitor traffic.
  • The same sticker-QR playbook that operates here also operates at parking meters and other unattended outdoor payment terminals — the setting changes, the attack doesn't.

See also

Download QRsafer for iOS or Android and scan any campground or park QR code before your browser opens it. It takes two seconds and tells you whether the destination is safe before you hand over your card or personal information.

FAQ

Can a QR code at a national park or campground be fake?

Yes. Sticker QR codes placed over legitimate payment codes on self-pay kiosks, entry-station fee boards, and trailhead signs are the most common vector. Campground and park kiosks are often unattended, unstaffed overnight, and located in areas where staff are occupied on the trail or at a distant ranger station — conditions that give attackers time to place a sticker and leave before anyone notices. When you scan the fake code and enter payment or card details, the funds go directly to the attacker. The real campground or park fee system receives nothing and has no record of your transaction.

How do I tell a legitimate Recreation.gov or state park payment page from a fake one?

Legitimate Recreation.gov pages always use the recreation.gov domain — nothing else. State park payment pages use the official state government domain (usually a .gov or state-specific .us address). Red flags include any domain with hyphens, extra words like 'pay' or 'portal,' or a generic payment processor you've never heard of. In a remote setting where you're on a slow or nonexistent data connection, load the URL on your own data if possible, and verify it matches what you see on the official park's website. When in doubt, pay at the physical fee envelope station with cash or check, or call the park directly.

What should I do if I already entered my card details on a suspicious campground payment page?

Contact your card issuer immediately and report the charge as potentially fraudulent. Ask them to cancel your current card number and issue a new one. Review your statement for any small test charges (scammers often make a $1–2 authorization before larger transactions). File a report with the FTC at ReportFraud.ftc.gov and, if the scam involved a fake federal park payment page, report it to Recreation.gov directly and to the park's ranger station.

Does QRsafer protect me when I'm at a campground or national park?

Yes. Before scanning any QR code at a campground kiosk, trailhead sign, or nature-center display — especially in a remote area where you can't easily verify a URL — scan it with QRsafer first. QRsafer checks the destination against threat intelligence databases and flags links to phishing pages and fake payment portals as Risky or Dangerous before your browser opens them. In a low-connectivity environment where you're less likely to pause and scrutinize the address bar, QRsafer adds a critical safety check before you hand over your card or personal details.