untrappable

Quishing: the QR code scam on meters, menus, and mail

Editorially reviewed · Last updated July 16, 2026

Yes — this is a scam. A QR code is just a link you can't read — quishing puts a fake payment page behind a sticker, a menu, or a letter.

meterpay-parking.info/session/8842
Pay for parking

Zone 8842 — your vehicle is not registered for this zone. Enter your card details to start your parking session and avoid a citation. meterpay-parking.info/pay

Pay $2.50 now

Do not close this window · Error # 0x80072F8F

The Browser pop-up, as received

Other versions you might get: A sticker over a restaurant menu's real code, a QR in a mailed letter about an “unpaid toll” or “undelivered package,” a code on a fake parking ticket under your wiper, or one in an email pretending to be a document. The paper changes; the fake page behind it doesn't.

What to do right now

  1. Stop before you type. After any scan, read the address bar. If the domain isn't the organization's known site, close the page.
  2. Pay another way: use the official app (the real ParkMobile, the city's own portal) or type the address printed on the meter's permanent signage — not the sticker.
  3. If you entered card details: call your bank, freeze or replace the card, and dispute the charge and anything that follows.
  4. Look at the physical code: a sticker sitting on top of another code, or misaligned with the sign, is evidence — photograph it and tell the venue or city.
  5. Report it at reportfraud.ftc.gov.

How to make sure it never bites you

Scanning a code does no harm by itself — the danger starts on the page it opens, so the address-bar check protects you every time. If your card went in, treat it like any card phish: bank first, dispute everything. See what to do if you were scammed.

Untrappable · Public service advisory

Stop the next one at the source

You got this because your details are on lists that get bought, sold, and leaked. You can't unspill that, but you can make it useless to a scammer. Start with the free steps — they do most of the work.

Optional — if you'd rather it was handled for you

If you'd rather have it watched for you, an identity-protection service monitors your accounts, SSN, and the dark web, warns you the moment something new appears, and helps you recover if someone gets through.

See identity protection

Affiliate link — we may earn a commission at no extra cost to you. It never changes our verdicts. Why we can still be trusted.

Keep this · forward it to someone who needs it

Frequently asked

Can scanning a QR code hack my phone?
Scanning alone almost never harms a modern phone — a QR code is just a link. The danger is where it goes: a fake payment or login page, or a prompt to download something. The moment of risk is after the scan, so read the address bar and never enter card or login details on a page a code opened unless the domain is one you know.
How do I know if a parking meter QR code is fake?
Check the physical code first: scammers paste stickers over the real one, so look for a label sitting on top of another, misaligned with the meter's printed signage. Then check the page it opens — the city or vendor's real domain, not a look-alike. Safest of all: skip the code and pay in the official app or at the address printed on the permanent sign.
I entered my card on a page a QR code opened — what now?
Call your bank, freeze or replace the card, and dispute the charge plus anything that follows — quishing pages often queue larger charges after the small “fee.” If you typed a login anywhere, change that password too. Photograph the QR sticker if you can (it helps the venue and investigators), and report at reportfraud.ftc.gov.
Are QR codes in emails and letters safe to scan?
Treat them as suspect. Legitimate businesses rarely need you to scan a code from an email — that trick usually exists to slip past spam filters that would catch a phishing link. A mailed letter with a QR demanding toll, package, or fine payment is the paper version of a smishing text. Go to the organization's site by typing it yourself instead.

Sources

A public service

Help protect someone else

Scams spread because people stay quiet about them. If this could have fooled you, it can fool someone you know — a parent, a friend, the family group chat. Passing it on is the easiest good thing you'll do today. It's safe to forward, and stands on its own as a record for a bank or the police.