QR Code Scams Are on the Rise: What You Need to Know and How to Stay Safe
In today’s hyper-connected world, where scanning a square code with your phone feels as natural as tapping a contactless card, it’s easy to forget just how much trust we place in technology. Whether you’re ordering food at a restaurant, paying for parking, or logging in to access online services, QR codes have made life more convenient. But they’ve also introduced a dangerous new threat.
This article is for readers across the globe who use QR codes in daily life and for businesses who depend on them to engage with customers. It’s not just about what’s happening. It’s about what you can do to stay ahead of it.
The FBI has recently renewed its warning to consumers about a growing cyber scam that uses one of the most common tech tools in use today: the QR code. These black-and-white squares have rapidly become a fixture in our lives, used on restaurant tables, parking kiosks, event tickets, and even for accessing official health services. This convenience is now being misused by scammers. Fraudsters have been known to replace genuine QR codes with fake ones, redirecting users to phishing sites designed to steal personal information or payment credentials. In some cases, the malicious code can also trigger downloads of malware onto mobile devices.
In one of the more concerning developments, scammers are now using QR codes on packages that arrive at your door, even when you didn’t order anything. These unsolicited deliveries often include a QR code with no explanation. The aim is to exploit curiosity. The FBI has warned that scanning the code could lead you to a fake website or install malicious software onto your device. This is a new twist on the so-called “brushing scam”, where fraudsters send unordered goods and then use your identity to post fake reviews. In this variation, scammers add QR codes to packages to facilitate financial fraud.
This problem is not limited to one country. Incidents have been reported across the United States, the United Kingdom, Germany, and parts of Asia. According to the US Federal Trade Commission, consumers lost $8.8 billion to scams in 2022, and scam losses have continued to rise, though specific 2025 figures are not yet available. While this figure covers all types of scams, phishing remains one of the top categories. QR code-based phishing is part of that larger pattern, although the FTC has not broken out QR-specific losses.
Singaporean authorities have issued warnings about QR scams that use surveys or fake promotions to trick consumers into providing sensitive information. While not attributed to organised crime groups, these incidents reflect the growing use of QR codes in fraudulent activity. In Germany, there have been reports of phishing scams involving QR codes aimed at German-speaking users, although no public consumer advisory specifically mentions parking meters or ATM placements.
The New York Department of Transportation recently alerted drivers about QR stickers being placed on parking meters. These fraudulent codes are linked to third-party websites that request credit card information, often disguised as official payment portals. Cases like this show how easily fake codes can be inserted into everyday environments.
Recognising the Signs as a Consumer
It can be difficult to spot a fake QR code at a glance. That’s what makes these scams so effective. Criminals often print or stick their own QR codes over legitimate ones. These altered codes can redirect users to deceptive websites that look professional and authentic, making it easier to collect login credentials or payment information. Some users may not realise they’ve been compromised until fraudulent charges appear on their accounts.
Unlike many phishing emails that contain poor grammar or suspicious links, fake QR pages can appear polished and trustworthy. This makes awareness a key part of any defence strategy. Before scanning, check where the QR code is placed. Is it attached directly to official signage or packaging? Or does it look out of place, possibly pasted over another code? When you scan the code, review the URL that appears before opening the page. Many smartphones now preview this link—use that to your advantage. Any unusual domain names, strange spellings, or unfamiliar addresses should be treated with caution.
As for QR codes on packages you didn’t order, the advice is simple: don’t scan them. These codes may lead to fake surveys, fraudulent login forms, or malware downloads. Ignore them entirely and report the package if necessary.
When in doubt, access services through official websites or apps rather than scanned links. Especially for transactions involving money, use verified apps from banks or payment providers.
The Brand Reputation Dilemma
While individual awareness is important, brands also play a critical role in protecting consumers from QR scams. If a customer is scammed through what appears to be a brand’s QR code, they may not distinguish between a fraudulent attack and a failure of corporate security. The result is the same: lost trust.
To prevent this, businesses should use visually distinct QR codes that include logos or unique design elements. These are more difficult to spoof, making it easier for consumers to identify authentic codes. Companies should also maintain control over the printing and placement of QR codes. That means working with trusted suppliers and conducting regular audits of public-facing materials.
Tracking usage data is another helpful step. Analytics can reveal unexpected patterns, such as an unusually high number of scans from a single location. These anomalies may signal that a fake QR code has been deployed.
Brands should also inform their customers about how and where they use QR codes. For example, they might include safety instructions on product packaging or use in-app notifications to educate users. Major companies like PayPal and Starbucks have issued public reminders about QR code safety and have built extra layers of verification into their apps.
Futureproofing Your QR Strategy
As QR codes continue to expand into retail, finance, travel, and public services, brands must view them as part of their digital security posture. Conducting periodic audits to locate all active QR deployments can help identify any codes that are outdated, duplicated, or at risk of misuse.
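The URL review recommended to consumers earlier in this article can also be run by a brand over the codes it finds during such an audit. The following is an added example, not part of the original article; the allowlisted hosts, the finding labels and the audit records are hypothetical and constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist (hypothetical): the only hosts this brand prints into QR codes.
ALLOWED_HOSTS = {"pay.brand.example", "menu.brand.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of an allowed host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def vet_qr_url(url, allowed=ALLOWED_HOSTS):
    """Return findings for one decoded QR payload; an empty list means it passed."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username or parts.password:
        findings.append("userinfo-in-url")  # real host is whatever follows the '@'
    if not host:
        return findings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")  # may render as look-alike characters
    if host not in allowed:
        near = sorted(h for h in allowed if edit_distance(host, h) <= 2)
        findings.append("lookalike-of:" + near[0] if near else "unexpected-host")
    return findings

# Constructed audit records: (where the code was found, what it decoded to).
AUDIT = [
    ("meter 14", "https://pay.brand.example/zone/14"),
    ("meter 15", "https://pay.brannd.example/zone/15"),
    ("meter 16", "http://203.0.113.7/pay"),
    ("lobby poster", "https://pay.brand.example@login.other.example/"),
]

def audit(records):
    return {place: vet_qr_url(url) for place, url in records}
```

Calling `audit(AUDIT)` returns a mapping from each location to its findings; any location with a non-empty list carries a code that does not point where the brand's own codes should.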
Global brands with operations across multiple markets should align their QR code strategies with regional regulations and local consumer behaviours. Collaborating with cybersecurity experts or local law enforcement can also be beneficial when new threats emerge.
While the QR code scam trend is growing, the exact financial impact is still difficult to quantify. A report from Juniper Research projected that QR code payments would reach $3 trillion by 2025, with biometric verification noted as a method to enhance mobile payment security. A more recent projection from July 2025 estimates that global contactless transactions will grow from $7.7 trillion in 2025 to $18.1 trillion by 2030. Although this reflects the entire contactless ecosystem, it underscores the value of digital transaction platforms and the risk they carry.
Consumers are relying on QR codes more than ever, and that means brands must take greater care in managing how those codes are created, distributed, and explained.
Staying Vigilant in a Rapidly Evolving Landscape
Cybercrime tactics are evolving, and scammers are quick to adopt new tools and habits. By staying informed and cautious, individuals can avoid falling victim to QR code-based phishing attempts. And by taking QR security seriously, brands can avoid reputational damage while building trust with the public.
QR codes will continue to play a major role in how people interact with services and access information. Used carefully and responsibly, they can remain a convenient bridge between the digital and physical worlds.