QR Code Scam UK: How to Spot Fake Codes and Protect Yourself
A simple square of dots can cost you thousands — here's how to avoid QR code scams.
What is this scam?
A QR code scam works when criminals replace genuine QR codes with fake ones, or create new ones from scratch, that direct you to a phishing website or malicious app. Unlike other scams, you don't need to respond to a message or hand over information — scanning the code is often enough to put your phone or data at risk. Scammers hide these codes in everyday places: supermarket receipts, parking machines, bill payment notices, social media adverts, email invoices, and even stickers placed over legitimate codes at bus stops or train stations. Your phone's camera or QR scanner app automatically opens a web link, and in seconds you could be on a fake banking site entering your login details, or downloading malware that steals your passwords and contacts. The speed and invisibility of the threat — you can't see malicious code in a QR square — is why this scam is particularly dangerous. Many people scan without thinking, especially if the code appears in a trusted context like a utility bill or parking sign.
Warning signs to look for
- The QR code is on a sticker placed over another code — scammers often tape their codes over genuine ones on parking machines, petrol pumps, or restaurant tables.
- The QR code redirects you to a web address (URL) that doesn't match the business name — for example, a Tesco code that opens 'tesco-verify.co.uk' instead of tesco.com.
- You're asked to log in to a familiar service (bank, PayPal, email) immediately after scanning, but the page looks slightly different or has odd spelling and layout.
- The QR code arrived in an unsolicited email or text claiming urgent action is needed — 'Your account is locked. Scan to verify' is a common scam message.
- The code is on an unexpected material or in an odd location — genuine businesses don't usually put QR codes on car windscreens, fuel pump screens at petrol stations you don't recognise, or random posters in alleyways.
- After scanning, your phone warns you that the site is not secure (no padlock in the browser address bar) or your antivirus app flags the link as malicious.
- You're redirected to a page asking for unusual information you wouldn't normally provide — a bank would never ask for your full PIN or password via QR code link.
How this scam works step by step
The scam typically starts when a criminal creates a fake QR code or replaces a genuine one. They might print stickers and physically place them over real codes at supermarkets, parking machines, or utility bill notices. Alternatively, they'll embed malicious QR codes in phishing emails ('Confirm your delivery') or SMS messages ('Your parcel is ready — scan here'). When you scan the code with your phone's camera or a QR app, it automatically opens a link. This link might take you to a fake banking website, PayPal login page, or email sign-in that looks almost identical to the real thing. You enter your username, password, and sometimes additional details like your date of birth or card number. The scammer captures this information in real time. In other cases, the QR code downloads malware or spyware to your phone, which then harvests your contacts, location data, banking apps, and passwords. The entire attack happens in under a minute, and you may not realise anything is wrong until fraudulent transactions appear on your account days later. Some QR scams also redirect you to a fake subscription service that charges your card repeatedly before you notice.
How to verify if it is genuine
Before scanning any QR code, pause and ask yourself: Is this code in an expected place? If a QR code appears on a supermarket receipt, parking ticket, or restaurant table, it's usually legitimate — but check for stickers placed on top. If a code arrived via email or text message, don't scan it immediately. Instead, open your browser directly and type the official website address yourself (for example, go to your bank's real website by typing the URL manually, not by following a link). For a detailed walkthrough on checking whether a website is genuine, see our guide on /guides/is-this-website-a-scam/. Check the URL in your browser's address bar after scanning — it should match the business name exactly and start with 'https://' with a padlock icon. If you're suspicious, take a photo of the code and the surrounding area, then contact the business directly using a phone number from their official website to ask if the code is legitimate. Never scan a code and immediately log into a financial service. If a business genuinely needs you to scan a code, they'll tell you it's safe and the site will look exactly like their official app or website. Trust your instincts — if something feels rushed or unusual, skip the scan.
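The address-bar check described above, written out as an added example (not part of the original guide): it takes the URL decoded from a QR code plus the domain you expected, and lists what does not match. The function name, warning labels and most sample URLs are constructed for illustration; tesco.com and tesco-verify.co.uk are the pair used in the warning signs on this page.

```python
from urllib.parse import urlsplit


def check_qr_url(url, expected_domain, brand):
    """Return warning labels for a URL decoded from a QR code.

    expected_domain: the domain the business really uses (assumed known,
                     e.g. typed from a bank card or an official letter).
    brand:           the business name a lookalike host might borrow.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()

    # The page should load over HTTPS (the padlock in the address bar).
    if parts.scheme.lower() != "https":
        warnings.append("not-https")

    # "https://real-name@other-host/" displays the real name first,
    # but the browser connects to the host after the "@".
    if parts.username or parts.password:
        warnings.append("userinfo-in-url")

    # Punycode labels can render as characters that imitate other letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")

    # Exact match or a true subdomain only. A plain substring test would
    # accept "tesco.com.secure-pay.example" as genuine.
    if host != expected and not host.endswith("." + expected):
        warnings.append("domain-mismatch")
        if brand.lower() in host:
            warnings.append("brand-lookalike")

    return warnings


# Constructed sample payloads, as a QR decoder would hand them over.
SAMPLES = [
    "https://www.tesco.com/offers",
    "https://tesco-verify.co.uk/login",
    "https://tesco.com@pay.example.net/verify",
    "http://tesco.com/receipt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_qr_url(sample, "tesco.com", "tesco"))
```

An empty list means the host and scheme are what you expected; it does not say anything about the content of the page itself.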
What to do if you have already interacted
Act quickly if you've scanned a suspicious QR code. First, check your phone for unusual activity: look for unfamiliar apps installed, your device running slowly, or unexpected data charges. If you entered login details (bank, email, PayPal), change your password immediately using a different device or computer, not your phone. Contact your bank and email provider directly using their official phone numbers (on your bank statement or their official website) to report the potential breach and ask them to monitor your account for fraud. Check your bank and credit card statements for unauthorised transactions — if you spot any, report them to your bank right away as you may be eligible for a refund. Consider placing a fraud alert with the credit reference agencies (Experian, Equifax, TransUnion) so lenders are warned before new accounts are opened in your name. If malware may have been downloaded, restart your phone in safe mode and consider factory resetting it (back up your data first). For ongoing protection, use two-factor authentication on all important accounts so scammers can't log in even if they have your password. Don't panic — most banks reimburse fraud quickly if reported promptly.
Reporting this scam in the UK
Report QR code scams to Action Fraud, the UK's national fraud reporting centre, by calling 0300 123 2040 or visiting actionfraud.police.uk. They'll record the details and may investigate if multiple people report the same scam. If the QR code arrived via email, forward it to the National Cyber Security Centre (NCSC) Suspicious Email Reporting Service at report@phishing.gov.uk — they track phishing attacks and may shut down fake websites. If you received a scam text with a QR code, forward it to 7726 (Spam) so your network provider can block it. Report the fraudulent website to the NCSC's reporting tool on their website, which helps them take it offline faster. If you lost money, report it to Action Fraud as above and your bank immediately. For consumer rights advice and help understanding your options, contact Citizens Advice consumer helpline on 0808 223 1133 (free and confidential). If the QR code was on a physical location (like a sticker at a supermarket or car park), report it to that location's management so they can remove it and warn other customers. Keep screenshots of the fake website, the QR code image, and any scam messages — these help investigators.
Frequently asked questions
Is QR code scanning always a scam, or can genuine businesses use QR codes?
Genuine businesses use QR codes all the time — restaurants, shops, banks, and councils use them for receipts, menus, payments, and service links. The scam isn't the QR code itself; it's when criminals create fake codes or replace real ones. Check that the code looks professional, isn't on a sticker placed over another code, and that the URL it opens matches the business name exactly before trusting it.
What should I do if I've already sent money after scanning a QR code?
Contact your bank immediately on the phone number on the back of your card (not any number from a scam message) and tell them you've been scammed. Many banks can recall payments within a few hours if the money hasn't been withdrawn yet. Report the scam to Action Fraud on 0300 123 2040 as well — providing a police crime reference number strengthens your claim for a refund. Don't delay; every minute counts.
Can scanning a QR code install malware on my iPhone or Android phone?
A QR code itself can't automatically install malware just by scanning it. However, it can direct you to a malicious website that tricks you into downloading an app or entering sensitive information. iPhones are generally more protected against malicious downloads, but Android phones are at higher risk if you allow unknown sources to install apps. Always check the source of any app you're asked to download — genuine banks and services only direct you to official app stores.
How do I report a QR code scam if it's on a physical sticker or sign?
First, take a photo of the QR code and its location, then report it to Action Fraud on 0300 123 2040 with the location details so authorities can investigate. Tell the business or location owner (the supermarket, car park, or venue) so they can remove the sticker immediately and warn other customers. If the fake code is on a utility bill or official-looking document, also report it to the NCSC at report@phishing.gov.uk so they can track the scam network.