QRsafer LogoQRsafer
How Scammers Create and Place Fake QR Codes
← Back to blog

How Scammers Create and Place Fake QR Codes

Fake QR codes take less than a minute to make and are impossible to tell apart from real ones by looking at them. Here's exactly how scammers generate, print, and deploy fraudulent QR codes — and the five physical red flags that reveal a tampered code.

2026-06-12 · QRsafer Team

If you've ever wondered why QR code scams are so hard to spot, the answer starts with something unsettling: creating a fake QR code takes about thirty seconds and costs nothing. Understanding exactly how scammers do it — and how they get those codes in front of you — is the fastest way to start recognizing them.

Part 1: How fake QR codes are generated

A QR code is just a visual representation of a URL. Any free QR code generator — and there are dozens — lets you type in any web address and instantly receive a scannable image. The tools ask no questions, require no account, and charge nothing. A scammer enters the address of their phishing page, downloads the resulting image, and the code is ready to deploy.

There is no visual difference between a QR code pointing to bankofamerica.com and one pointing to b4nkofamerica-secure-login.com. Both are compact black-and-white patterns. Neither reveals its destination until you scan it. This is the fundamental design feature that scammers exploit: QR codes are opaque by nature.

Part 2: How scammers deploy fake QR codes

Once a scammer has a fake code, they use three main methods to get it in front of victims.

The sticker swap. The most common physical attack. A scammer prints the fake QR code on a standard adhesive label and presses it over an existing legitimate code — on a parking meter, EV charging station, restaurant table tent, gym equipment placard, ATM, or any other public surface. The swap takes seconds and goes unnoticed by staff and passersby. Anyone who scans the sticker gets redirected to the scammer's page. This technique is documented at gas stations, hotel lobbies, bike-share docks, and vending machines — essentially any unattended device with a QR code.

Fresh placement. Rather than covering an existing code, the scammer creates an entirely new sign, flyer, or placard that mimics a legitimate business and installs it in a public space. Fake parking signs, fake restaurant table cards, fake Wi-Fi signs in hotel lobbies — all are fabricated from scratch and designed to look like official venue materials.

Digital placement. Scammers embed QR codes in phishing emails, SMS messages, social media posts, and fake PDF invoices. The advantage here is reach: a single campaign can deliver a QR code to millions of inboxes simultaneously, bypassing the many email security filters that block traditional clickable hyperlinks. This tactic — sometimes called "quishing" — is growing faster than any other QR-based attack vector.

Part 3: Why QR codes work so well for scammers

Typed URLs have a natural defense: people skim them before clicking. A domain like paypa1.com or amazon-support-billing.net raises an immediate red flag. QR codes eliminate that visual review step entirely.

When you point your phone at a QR code, several things work in the scammer's favor:

  • The code is unreadable to humans. Nobody can look at a QR pattern and recognize the encoded URL the way they can glance at a link.
  • The URL appears only after scanning. By the time your phone shows you where the code goes, most people have already committed mentally to "tapping through."
  • Mobile browsers truncate long URLs. A phishing URL like secure-verify.bankofamerica-login-protection.com/account often gets shortened to secure-verify.bankofamer... in the address bar — which looks legitimate at a glance.
  • The scan-then-tap expectation suppresses skepticism. The flow of "scan → page loads" is so automatic that the intermediate URL check rarely happens unless something feels obviously wrong.

Five physical red flags of a tampered QR code

For codes posted in public spaces, a quick visual inspection can reveal a swap before you scan:

  1. Raised or peeling edges — a genuine printed sign has a flat surface; an adhesive label placed on top will have a slightly raised border.
  2. Misalignment — if the QR code pattern is tilted relative to the surrounding text or design, it may have been placed by hand over the original.
  3. Different paper stock or print quality — a sticker printed on a home inkjet will look slightly different from a professionally printed sign.
  4. The code doesn't match the surrounding branding — logos, fonts, or colors that look slightly off are a sign the code was not produced by the same party.
  5. A second QR code visible underneath — peel back one corner of any code that looks suspicious and check whether another code is underneath.

How QRsafer interrupts the attack

The sticker-swap and digital-placement attacks both rely on one thing: that you won't check where the QR code actually goes before your browser loads the page. QRsafer removes that gap. It decodes the QR code, resolves any redirect chains, and checks the final destination against threat intelligence before displaying a URL preview for you to evaluate. If the destination is a known phishing domain, a newly registered site with a suspicious pattern, or a URL that redirects through multiple hops to an unexpected location, you see a warning — before any page loads, before any form appears, before any credential prompt fires.

For a deeper look at how to assess a QR code before scanning, see how to spot a malicious QR code before you scan and what quishing is and how it works. To see the types of scam QR codes currently being reported in real time, visit the QRsafer threat map.

Download QRsafer for iOS or Android to preview any QR code destination before it loads.

FAQ

How do scammers make fake QR codes?

Anyone can generate a QR code in seconds using free tools like QR Code Generator, GoQR, or even Google's built-in QR feature. A scammer enters the URL of their phishing page, the tool produces a black-and-white QR image, and they print it or embed it digitally. There is no technical skill involved and no approval process — the codes are trivially easy to create.

Can you tell a fake QR code from a real one just by looking?

No. Two QR codes pointing to completely different URLs look visually identical to the human eye. A scammer's fake code and a restaurant's legitimate menu code are indistinguishable without scanning them through a tool that previews the destination URL before you tap.

What is a QR code sticker swap?

A sticker swap is when a scammer prints a fake QR code on an adhesive label and places it on top of a legitimate QR code — at a parking meter, EV charger, restaurant table, ATM, or any other public surface. Anyone who scans the top sticker is redirected to the scammer's phishing page instead of the intended destination. The swap is invisible unless you look for raised edges or misalignment on the sticker.

How does QRsafer stop fake QR code scams?

QRsafer decodes the QR code and checks the destination URL against threat intelligence databases before your browser loads anything. If the URL leads to a phishing site, a newly registered domain, or a redirect chain that ends somewhere suspicious, you'll see a warning before any page opens — at the exact moment the scam relies on you not pausing to verify.