Restaurant QR codes replaced paper menus in 2020 and never left. Walk into any sit-down restaurant, coffee shop, or food hall today and you'll find them on table cards, countertops, and printed receipts. That ubiquity made them a target.
Here's how the attacks work, what to look for before you scan, and what to do if something feels off.
How the attack works
The most common restaurant QR code scam is a sticker swap. A scammer walks in, peels up the legitimate code, and places their own over it. The replacement points to a phishing page, fake payment screen, or a malware download — not the menu.
The setup costs almost nothing. A sheet of printed QR stickers and ten minutes in a busy restaurant can put dozens of customers at risk. Most people never look closely before scanning.
Three specific variations show up most often:
Menu swap attacks. The table card, menu stand, or receipt QR is replaced with a sticker pointing to a fake restaurant site, a credential prompt, or an app download dressed up as a "menu viewer."
Fake Wi-Fi QR codes. A code posted near the entrance or bar claims to connect you to free Wi-Fi. Instead, it joins your device to an attacker-controlled network built to intercept session cookies, login credentials, and unencrypted traffic.
Payment QR fraud. At food trucks, market stalls, and casual restaurants where QR payments are common, attackers swap the merchant's Venmo, PayPal, or Zelle QR with one routing to their own account. You pay. The restaurant never receives it.
Four checks before you scan
1. Inspect the physical code
Look at the code before raising your camera. Is there a sticker on top of a sticker? Check the edges — raised corners, mismatched print quality, or paper that doesn't match the surrounding table materials are signs of replacement. Restaurant-provided codes are typically printed on premium card stock or embedded in laminated menus, not applied as cheap label paper.
2. Preview the URL before tapping
Your phone camera shows the destination link before you open it. Read it. A legitimate restaurant menu points to a recognizable domain — the restaurant's own site, or a known platform like square.site, menudrive.com, or toasttab.com. A URL full of random characters, a link shortener, or a domain that doesn't match the restaurant's name warrants a pause.
3. Ask staff when something seems off
A legitimate business knows what its QR codes look like. If the code seems newly placed, the domain looks unfamiliar, or the sticker appears layered — ask your server. That conversation takes five seconds and can prevent a fraud report later.
4. Never enter credentials or send payment from a QR-initiated page
Even if the page looks exactly like Venmo, Cash App, or your bank, do not enter credentials or send money from a QR-scanned web page. Open the payment app directly on your phone and send from within the app. No legitimate restaurant requires you to log in through a browser link reached by scanning.
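The URL-preview check in step 2 and the fake Wi-Fi variation above can be expressed as a small triage routine. This is an added example, not QRsafer's code; the shortener list, the "random characters" rule, and the name-matching logic are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allow/deny lists for illustration; maintain your own in practice.
MENU_PLATFORMS = {"square.site", "menudrive.com", "toasttab.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def _under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def _looks_random(token):
    """Crude 'random characters' test: a long token mixing letters and digits."""
    digits = sum(c.isdigit() for c in token)
    letters = sum(c.isalpha() for c in token)
    return len(token) >= 10 and digits >= 3 and letters >= 3

def triage(payload, restaurant_name):
    """Return warning strings for a decoded QR payload; [] means no signal fired."""
    payload = payload.strip()
    if payload.upper().startswith("WIFI:"):
        return ["wifi-join payload: confirm the network name with staff"]
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web link: unexpected for a menu code"]
    flags = []
    if parts.scheme != "https":
        flags.append("plain http")
    if _under(host, SHORTENERS):
        flags.append("link shortener hides the destination")
    elif not _under(host, MENU_PLATFORMS):
        # Compare the restaurant name and hostname with punctuation removed.
        brand = re.sub(r"[^a-z0-9]", "", restaurant_name.lower())
        if brand not in re.sub(r"[^a-z0-9]", "", host):
            flags.append("domain does not match restaurant or known platform")
    if any(_looks_random(t) for t in host.split(".") + parts.path.split("/")):
        flags.append("random-looking characters in URL")
    return flags

# Constructed sample payloads (not real scan data).
SAMPLES = [
    "https://joes-pizza.square.site/menu",
    "http://bit.ly/3xK9qTz",
    "https://x7k2q9vz3m.example/login",
    "WIFI:T:WPA;S:Free_Guest;P:constructed;;",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage(s, "Joe's Pizza") or ["no signal"])
```

String matching like this only covers what the preview shows: a lookalike domain that embeds the restaurant's name passes the name check, which is why a reputation lookup on the destination is still needed.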
What QRsafer does at the table
QRsafer checks the destination URL against multiple threat intelligence sources before your phone ever loads the page. Scan the restaurant QR with QRsafer and it returns a verdict — Safe, Risky, or Dangerous — in seconds.
If a replacement QR routes through a known phishing domain, a flagged redirect chain, or a freshly registered lookalike, QRsafer surfaces that before you tap through. Your camera's URL preview tells you where the link claims to go. QRsafer checks what that URL actually does.
The free tier covers most everyday restaurant threats using Google Web Risk. Premium runs every scan through five engines simultaneously — useful when attackers use fresh infrastructure that a single source hasn't catalogued yet.
Dining out as a family? The QRsafer Family plan gives up to five members full premium protection under one subscription, so nobody at the table is left scanning blind.
If you already scanned something suspicious
Close the page immediately and don't enter anything. If you typed credentials before realizing something was wrong, change that password now from a trusted device. If you sent a payment to the wrong QR, contact your bank or payment app immediately and report the transaction as unauthorized.
For a full step-by-step response plan, see "What to Do If You Scanned a Suspicious QR Code." And if you want to sharpen your eye for spotting bad codes, "How to Spot a Malicious QR Code Before You Scan" covers the visual and contextual signals that matter most.
The bottom line
Restaurant QR codes are a fixture of modern dining. So is the scam targeting them. A few seconds of verification — checking the physical code, reading the URL preview, letting QRsafer run its check — is the difference between a smooth meal and an hour on the phone with your bank.
Download QRsafer for iOS or Android and scan safer from your next table.
Frequently asked questions
Can you tell if a restaurant QR code is fake just by looking at it?
Sometimes. Raised sticker edges, mismatched print quality, or a code applied over another are visible tells. But many replacement codes look completely clean. The physical check is your first filter — previewing the destination URL and using QRsafer to verify the link before opening adds protection that visual inspection alone cannot provide.
What if I scanned a suspicious QR but closed the page without entering anything?
If you didn't enter credentials and the page didn't prompt you to install an app, your risk is low. Close the browser, clear recent tabs, and don't return to that URL. Report the suspicious code to the restaurant so they can inspect and replace it.
Are payment QR code scams at restaurants common?
Increasingly so — especially at food trucks, farmers markets, and casual venues where QR codes replace card terminals. Attackers swap the merchant's payment QR with one pointing to their own account. Always verify payment destinations through the official payment app, not by following a QR-scanned link to a web page.
Does QRsafer work on QR codes in print ads, on receipts, or on product packaging?
Yes. If you can point your camera at a QR code, QRsafer can scan it — whether it's on a table card, a printed flyer, product packaging, or any other physical surface.
Is the free version of QRsafer enough protection in a restaurant setting?
The free tier uses Google Web Risk and covers the large majority of known phishing and malware domains you'd encounter in everyday dining scenarios. Premium adds four additional engines, which catch newer or less-indexed threats. For most casual use, free is a solid baseline — and adding QRsafer to any scan is always better than scanning with the built-in camera alone.
