5 Ways to Defend Against Fake QR Codes
Where Fake QR Codes Hide
QR code phishing (quishing) has surged since 2023. The method is simple: stick a fake QR code over a real one. Parking meters, restaurant tables, public facility signs, and mailed flyers are common targets. Scanning leads to convincing phishing sites that steal credit card or login credentials. The FBI issued a formal warning in 2022, and incidents have been reported across the UK, US, and Japan.
Defense 1: Always Check the URL After Scanning
Both iPhone and Android preview the URL before opening the browser. Check three things: is the domain correct (paypa1.com vs paypal.com), does it start with HTTPS, and is the URL suspiciously long? If anything feels off, close the browser without tapping.
Defense 2: Spot Sticker Overlays
Most physical fake QR codes are stickers placed over originals. Look for unnatural edges, different print quality, or peeling corners. In public places (parking meters, bus stops, tourist signs), physically touch the QR code to check for overlays. When possible, use the official app instead of scanning.
Defense 3: Never Enter Payment Info via QR Code Links
If a QR-scanned page asks for credit card numbers, bank details, or passwords, suspect fraud. Legitimate payment services process transactions within their dedicated apps. For payments like parking fees, access the service's official site directly rather than through a QR code.
Defenses 4 and 5: Security Apps and Reporting
Install security apps (Trend Micro, Norton, Kaspersky) that check scanned URLs against known phishing databases in real time. Report suspicious QR codes to facility managers and cybercrime authorities. Your report could prevent the next victim.