QRsafer LogoQRsafer
QR Code Scams at National Parks and Trailheads: What Every Hiker Should Know
← Back to blog

QR Code Scams at National Parks and Trailheads: What Every Hiker Should Know

National parks and trailheads use QR codes for parking payment, timed-entry permits, and trail maps — and scammers know exactly how to exploit remote kiosks and weak cell coverage to steal your card details. Here's what's happening and how to protect yourself.

2026-06-11 · QRsafer Team

You pull into the trailhead parking lot at 7 a.m. — first car there, perfect. A small metal post holds a sign with a QR code: "Pay parking fee here. Required before 9 a.m." You scan it, tap through a quick payment form, and head for the trail.

That parking fee may have gone straight to a scammer.

National parks, state parks, and popular trailheads have rapidly adopted QR-code-based systems for parking payment, timed-entry permits, and trail information — and attackers have followed. The environments are ideal for the same sticker-swap attack used at parking meters and beach parking lots: the kiosks are unattended, outdoor, located in areas where rangers are far away, and visited by people who are distracted, eager to start their hike, and operating with weak or no cellular service. There is no cashier to notice a tampered sticker. There is often no receipt. And you're about to disappear onto a trail for several hours.

Here are the three scam variants operating at national parks and trailheads right now.

Variant 1: Fake trailhead parking payment QR codes

This is the highest-frequency variant because trailhead parking is the first friction point every visitor encounters.

An attacker prints a fake QR code sticker and places it over the legitimate payment code on a trailhead fee post, a self-pay kiosk, or a posted sign. At a busy trailhead, dozens of cars may pay before anyone notices. The destination mimics the look of a legitimate park payment page — a plausible fee amount, a card-entry field, and a "get your receipt" button. After you submit, you receive no confirmation, and your vehicle has no valid payment on record.

Discovery usually comes when a ranger issues a citation for nonpayment — hours after you've started hiking and long after the transaction is irrecoverable.

The tell: Legitimate trailhead and parking payment pages for NPS sites use nps.gov or recreation.gov. State park parking pages use an official state government domain. Any page asking for card details at a URL outside those domains is a scam. When you preview the URL in QRsafer before tapping, a legitimate code will show the correct domain immediately.

Variant 2: Fake timed-entry permit and reservation QR codes

Many of the most popular national parks — Yosemite, Zion, Arches, Rocky Mountain, and others — now require timed-entry reservations during peak season. Scammers exploit the anxiety around limited permit availability to create fake reservation QR codes.

These codes appear on signage placed near park entrance gates or on flyers distributed in nearby gateway towns. They impersonate Recreation.gov or a state permit portal, collect a "reservation fee," and issue a confirmation that is worthless at the gate. The financial loss is compounded by the failed trip — visitors who paid for fake permits are turned away at the entrance having also driven hours to get there.

A related variant targets visitors who didn't book in advance: fake "last-minute permit" QR codes on social media posts or at campground bulletin boards claim to offer cancellation-pickup permits for a fee. Recreation.gov does have a legitimate cancellation-release system — but it doesn't charge a middleman fee and doesn't operate through QR codes shared on social media.

The tell: Recreation.gov reservations and timed-entry permits are managed exclusively at recreation.gov. Any QR code leading to a third-party site that charges a fee on top of the official permit price is collecting money for nothing. Real timed-entry availability is released at specific times on recreation.gov only.

Variant 3: Fake "download the trail map" or "get the park app" QR codes

The third variant collects personal information or installs malicious apps under the guise of useful content.

Adhesive labels or printed cards appear on trailhead information kiosks, nature-center bulletin boards, or entrance-station signage. They offer a "downloadable trail map," a "park guide," or a link to "the official NPS app." The QR code leads to either a form that requires your name and email address "to send the PDF" (the email is later used for phishing), or to a fake app-store page that prompts the installation of a credential-stealing app.

The National Park Service's official apps are available through the App Store and Google Play under the name "NPS." All official NPS trail maps are available on nps.gov without entering any personal information. Any QR code that asks for your contact details before showing you a map is harvesting data, not helping you navigate.

The tell: NPS app QR codes should point to the official App Store or Google Play listing for "NPS" (developer: U.S. Department of the Interior). If a scan takes you to an unfamiliar app download page or asks for your email to access a map, close it.

Why parks are a high-risk environment for QR scams

Three factors combine to make national park visitors unusually vulnerable:

Weak or absent cell service. In many parks, cellular coverage is spotty at trailheads and nonexistent in backcountry areas. When a payment page loads slowly — or asks you to disable mobile data and connect to a local Wi-Fi network — impatience overrides scrutiny. Scammers design their fake payment pages to load fast and look native to the environment.

Time pressure. You've driven two hours to get here. The permit window opens in thirty minutes. The trail fills up early. These conditions create urgency that discourages pausing to verify a URL.

Trust in authoritative signage. A printed sign on a government-looking post, especially in an official-seeming context, triggers compliance. Scammers invest in signs that look real — laminated, weatherproofed, and formatted to match NPS branding — precisely because they know visitors will trust them.

What to do if you entered payment information on a suspicious page

If you entered card details: Contact your card issuer right away, report the charge, and request a new card number. Check for small test charges that may have been made as a proof-of-concept before a larger transaction.

If you paid but your vehicle received a nonpayment citation: Photograph the fraudulent signage if it's still there, show it to the ranger, and explain that a fake QR code collected payment outside the official system. Most rangers have seen this; the citation can usually be voided with documentation.

If you downloaded an app: Delete it immediately, check recently installed apps for anything with unusual permissions, and revoke any access that was granted.

Key reminders before your next park visit

  • Legitimate NPS and Recreation.gov pages use nps.gov and recreation.gov — no exceptions.
  • A parking site that asks for your email address, account login, or anything beyond basic payment information is a red flag.
  • When in doubt: use a fee envelope with cash or check, or hold off and pay at the ranger station or visitor center.
  • The same sticker-swap attack used at parking meters and beach parking operates at parks — the setting changes, the mechanic doesn't.

See also

Download QRsafer for iOS or Android and scan any trailhead or park QR code before your browser opens it. It takes two seconds, works on a weak data signal, and tells you whether the destination URL is legitimate before you hand over your card.

FAQ

Can QR codes at national park trailheads actually be fake?

Yes. Sticker QR codes placed over legitimate trailhead parking kiosks, timed-entry permit kiosks, and self-pay fee stations are the most common attack vector. Unattended outdoor kiosks are easy to tamper with — a scammer can apply a sticker in under thirty seconds and be gone before any ranger notices. In remote areas where staff patrol infrequently, a tampered code can stay in place for days, quietly collecting payment details from every hiker who stops to pay.

How do I recognize a legitimate NPS or Recreation.gov URL versus a fake one?

Legitimate National Park Service pages always use nps.gov or recreation.gov — nothing else. State park payment pages use an official .gov or state .us domain. Red flags: any domain containing extra words (like 'parks-payment.com' or 'nps-permits.net'), hyphens between brand names, or an unfamiliar payment processor name you haven't heard of. If you see anything other than nps.gov, recreation.gov, or your state's official domain, close the browser and pay at a fee envelope station or contact the park directly.

What should I do if I entered card details on a suspicious page at a national park?

Call your card issuer immediately and report the charge as potentially fraudulent. Ask for a new card number. Check your statement for small test charges — scammers often run a $0.99 or $1 authorization before larger transactions. File a report with the FTC at ReportFraud.ftc.gov, and report the tampered kiosk to the park's ranger station or visitor center so it can be removed before more hikers are affected.

Does QRsafer work in areas with weak cell service at parks?

Yes. QRsafer checks the destination URL against threat-intelligence databases before your browser opens it — the check requires only a brief data connection, and results are cached so the app can flag known threats even on a slow or intermittent signal. In a remote environment where you can't easily load a second tab to verify a URL, scanning with QRsafer first gives you a safety verdict before you hand over your card or personal information.