What to do if you scanned a scam QR code
You scanned a code stuck to a parking meter, or printed on a flyer, or sitting inside an email that looked routine. You typed in your card number, or a login, and a beat later something felt wrong. Maybe the web address was a letter off. Maybe the payment never showed up in the real parking app. Now you are here, wondering how bad it is and what to do next.
Take a breath. Falling for one of these does not make you careless. Scammers print a fake QR sticker, press it over the real one, and point it at a page that looks exactly like the service you expected. The whole trick is that the code sits right where a legitimate one should be. Investigators call it quishing, and it has been spreading fast this year on parking meters, restaurant tables, and fake account-verification emails.
Work out what you actually gave away
What you do next depends on what you typed. Scanning the code by itself rarely hurts you. The harm comes from what you entered on the page it opened. Walk back through the screens. Did you put in a card number, a bank login, a one-time passcode, or a password you also use somewhere else? Each one points to a different first move.
If you entered card or bank details
Call your bank or card issuer now and tell them the number is compromised. Ask them to freeze or replace the card and to watch for charges you did not make. If you thought you were paying through a service like PayByPhone or ParkMobile, contact the real company too, because the fake site often copies their name with a single swapped letter. One recent batch of fake meter stickers sent drivers to a site spelled “poybyphone” instead of PayByPhone. Keep an eye on your statements for a few weeks, since stolen card data sometimes sits unused before someone tests it.
If you entered a password or login
Change that password right away, and change it anywhere else you reused it. Switch on two-factor authentication for the real account if it is not already on. If the page asked you for a verification code that your bank or an app had just texted you, assume the scammer was trying to walk into your account in real time. Treat that account as exposed until you have reset it and checked the recent activity.
Report it, and warn the next person
Before anything fades, screenshot the fake page and the full address bar. Our note on preserving evidence early covers what to capture. Then file a report at reportfraud.ftc.gov, and if money actually moved, add one at IC3.gov. Tell the parking authority or the business whose code was faked, because they can pull the sticker before someone else scans it. None of this guarantees your money comes back. A fast report gives a bank or payment processor the chance to act while the trail is warm.
How to check a code before the next scan
Most phone cameras show you the link before they open it. Read the whole address, not just the first few letters. A real parking vendor will not send you to a site spelled one letter wrong, and a real meter usually lets you pay by card at the machine or by typing the meter number into the official app you downloaded yourself. When a page rushes you, or asks for more than the task needs, that is the tell.
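If you want to run that same address check on a batch of scanned links, for example while auditing the stickers on a row of meters, the sketch below does it in Python. It is an added example, not part of the original article; the `.example` and `.test` domains are constructed stand-ins, and the allowlist is an assumption you fill in from the vendor's official app.

```python
from urllib.parse import urlsplit

# Assumption: replace with the domains shown in the official app or on the
# vendor's own paperwork. The .example names are constructed stand-ins.
OFFICIAL_DOMAINS = {"paybyphone.example", "parkmobile.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_scanned_url(url: str) -> str:
    """Classify the link a QR code decodes to: official, lookalike or unknown."""
    parts = urlsplit(url.strip())
    # .hostname ignores anything before an '@', so "brand@other-site" tricks
    # are judged by the site that would really be opened.
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "unknown"
    for dom in OFFICIAL_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return "official"  # exact match or a true subdomain
    brands = {dom.split(".")[0] for dom in OFFICIAL_DOMAINS}
    for label in host.split("."):
        squashed = label.replace("-", "")
        for brand in brands:
            # Brand name used on someone else's domain, or one or two letters off.
            if brand in squashed or edit_distance(squashed, brand) <= 2:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in (  # constructed sample links
        "https://paybyphone.example/pay?meter=1234",
        "https://poybyphone.example/pay",
        "https://paybyphone.example.pay-secure.test/",
    ):
        print(check_scanned_url(sample), sample)
```

A result of `unknown` only means the link is not on your list and does not imitate it, so it still deserves a full read before anything is typed in.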
When it turns out bigger than a stolen card
Sometimes a scanned code is the doorway to something larger, like accounts opened in your name or a run of fraud you cannot trace on your own. If the loss is serious, or you think your identity has been taken, our Investigation Help page covers the smaller cases we sometimes take on. For losses that need court-grade attribution, we route to Rexxfield.
The few minutes after you realize are where you have the most control. Lock the card, reset the login, report it, and you have already done the part that matters most.
— Gus