What is the most common type of QR code scam?

Location scams — where a fraudulent QR code sticker is placed over a legitimate one at a parking meter, gas pump, EV charger, or restaurant table — are the most widely reported category in the United States. They are effective because the code looks identical to a real one and the victim has no reason to be suspicious in a familiar environment.

Can a QR code scam steal money directly?

Yes. Payment platform scams use QR codes that appear to be for Venmo, Zelle, Cash App, or PayPal but route funds to a fraudster's account instead. The victim believes they are paying the right person; the money lands somewhere else. Because many of these transfers are instant and irreversible, recovery is often impossible without bank intervention.

How do government impersonation QR code scams work?

Scammers send physical letters, text messages, or emails that look like official IRS, Social Security Administration, DMV, or Medicare communications. A QR code in the message links to a convincing fake government website that collects Social Security numbers, bank account details, or payment to resolve a fabricated fine or verify a benefit. The real IRS and SSA never initiate contact via QR code.

What does every QR code scam have in common?

Every type of QR code scam uses the same core mechanism: a QR code that hides a dangerous URL from the person scanning it. The category — whether it's a parking meter, a Venmo payment, or a fake IRS letter — only changes the context. The attack itself is always the same: a code that looks normal but leads somewhere harmful. Checking the destination URL before tapping is the single step that stops every category.

The Most Common Types of QR Code Scams (2026 Guide)

QR code scams come in more varieties than most people realize. But underneath every variant — fake parking meters, phony government letters, fraudulent payment codes, phishing emails — there is one shared mechanism: a QR code that hides a dangerous URL from the person scanning it. Understanding the six main categories makes it easier to recognize a scam the moment it appears, regardless of where or how it shows up.

1. Location scams (physical sticker tampering)

The most common category involves QR codes in public spaces that have been tampered with. A scammer prints a fraudulent QR code on an adhesive sticker and places it over an existing legitimate code — on a parking meter, gas pump, EV charging station, restaurant table tent, ATM, or laundromat payment kiosk. The tampered code redirects the scanner to a fake payment page that collects card details.

What makes this category particularly dangerous is the context: the victim is in a familiar, routine situation — paying for parking, ordering a meal, charging their car — and has no reason to question a code that looks exactly like the ones they've scanned dozens of times before. Physical inspection (looking for raised sticker edges, misaligned code patterns, or a URL that doesn't match the business) is the only defense before scanning.

2. Payment platform scams

Payment platform scams target peer-to-peer payment tools — Venmo, Cash App, Zelle, PayPal, and Google Pay. The attack takes two forms. In the first, a scammer swaps their own payment QR code for a vendor's legitimate one at the point of sale; the buyer pays but the money goes to the wrong account. In the second, a scammer in an online transaction sends a fake "payment confirmation" QR code to a seller, claiming it proves payment was sent, when no transfer has occurred.

Both variants exploit the trust built into familiar payment brands. Because many platform transfers are instant and irreversible, victims who notice the problem after the transaction often have little recourse. Verifying the recipient name on the payment screen — before confirming — is the one check that catches this scam every time.

3. Government impersonation scams

Government impersonation is one of the highest-stakes QR code scam categories because victims hand over some of the most sensitive information imaginable. A text message, physical mailer, or email mimics official communications from the IRS, Social Security Administration, Medicare, DMV, or a local court. A QR code in the message links to a convincing fake agency website that collects Social Security numbers, driver's license numbers, banking details, or payment for a fabricated fine.

The core persuasion tool is authority combined with urgency: "your benefits will be suspended," "a warrant has been issued," "you owe back taxes." None of these agencies contact members of the public via unsolicited QR codes. Any QR code in a communication that claims to be from a government agency and demands immediate payment or personal data is a scam.

4. Phishing and credential theft

This category covers QR codes deployed in emails, text messages, and social media to steal login credentials. The code opens a convincing replica of a familiar login page — a bank, an email provider, a workplace tool like Zoom or Microsoft Teams, or a major platform like Google or Apple — and captures the username and password the victim types in.

Credential phishing via QR code (sometimes called "quishing") is growing faster than any other attack type because QR codes bypass traditional email security filters that block clickable hyperlinks. The victim sees a plain image, not a link — and their security tools often see nothing at all. For a complete breakdown of how this works, see QR code phishing and quishing explained.

5. Fake promotion and gift card scams

Fake promotion scams use the lure of free value — a gift card, a coupon, a prize — to get victims to scan a code. The QR code appears on a social media post, a physical flyer in a parking lot, a mailer, or a product insert. It leads to a page that requests payment or personal information to "claim" a reward that does not exist. Steam gift cards and fake coupons are among the most commonly used lures.

The defining red flag for this category: any prize or reward that requires payment, card details, or a login before you can collect it is a scam. Legitimate sweepstakes, coupons, and loyalty rewards never require you to provide financial information to claim something that was supposedly already yours.

6. Delivery and shipping scams

The final category mimics shipping notifications from USPS, FedEx, UPS, and Amazon. A text or email arrives claiming a package is held, requires a redelivery fee, or needs address confirmation — and includes a QR code to resolve the issue. The code leads to a fake carrier website that collects card details for a small "fee" that in reality enrolls the victim in a recurring charge or transmits card data directly to the scammer.

This variant is particularly effective because package delivery notifications are so routine and so numerous that most people respond on autopilot. The tell: real carriers contact customers through tracking numbers tied to their official apps and websites, and they do not charge delivery fees via external QR code links.

The common thread — and the one defense

Every category above works by exploiting the same design feature: a QR code does not show you where it goes until your phone has already decoded it, and by then most people tap through without verifying the URL. The six categories represent different contexts and emotional hooks — urgency, authority, familiarity, desire — but the mechanism is always identical.

The single defense that applies to every category is previewing the destination URL before any page loads. If the URL doesn't match the expected brand, you know to close the browser before any harm is done.

QRsafer decodes any QR code and shows you the full destination URL — along with a safety check against known phishing and malware domains — before your browser opens the page. To see what types of QR code scams are being reported right now, visit the QRsafer threat map.

Download QRsafer for iOS or Android to put a URL preview between you and every QR code you encounter.