QR Code Scams in Australia — The Parking and Restaurant Scams to Watch For
QR code scams have increased significantly in Australia as QR codes have become ubiquitous in car parks, restaurants, public transport, and information boards. The problem is that QR codes are visually identical regardless of where they point — a legitimate QR code and a malicious one look exactly the same. Scanning a malicious QR code can take you to a phishing page, initiate a payment to a criminal account, or download malware to your phone.
Where QR Code Scams Are Appearing in Melbourne
Car park payment machines: Criminals place stickers with fake QR codes over legitimate ones on pay-and-display machines and at ticket pay stations. Scanning takes you to a fake payment page where card details are stolen. Parking operators have reported hundreds of incidents at Melbourne car parks.
Restaurant table QR menus: Fake QR code stickers placed on restaurant and cafe tables take you to a fake ordering or payment page that harvests payment details instead of displaying a menu.
Parking infringement notices: Fake notices left on cars include a QR code to "pay the fine online" — directing to a phishing page.
Public information displays: QR codes on real estate brochures, transport information, and retail displays have been replaced with stickers pointing to malicious sites.
How to Identify a Fake QR Code
Physically inspect the QR code before scanning — if it appears to be a sticker applied over another printed code, or is sitting slightly raised from the surface, do not scan it. After scanning, check the URL that appears in your browser before proceeding to any action — look at the full address carefully and verify it matches the expected organisation's domain. Most phone cameras now show a preview of the URL before opening it. For parking payments, use the official app for that car park operator or the physical button on the machine rather than a QR code.
What to Do If You Have Scanned a Suspicious QR Code
If you have already scanned a suspicious QR code and entered payment details on a page that loaded, contact your bank immediately to cancel the card and report the fraud. If you only scanned and viewed the page but did not enter information, you are likely safe — but run a security scan on your phone. Report QR code scams to Scamwatch at scamwatch.gov.au and to the car park operator or business if their signage has been tampered with.
For Melbourne Businesses
If your business uses QR codes — for menus, payments, or customer information — check your QR code placements regularly for tampering. Consider using QR codes that are difficult to replicate exactly, printed on your branded materials rather than generic stickers. And inform customers at the point of scanning what URL they should expect to see, so they can identify if they have been redirected to a fraudulent page.
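For businesses that want to make the regular placement check repeatable, the sketch below compares what each code on the premises actually decodes to against the one host printed on the signage. It is an added example, not part of the original article: the host name, the placement labels and the sample payloads are constructed, and it assumes the codes have already been decoded with any QR reader.

```python
from urllib.parse import urlsplit

# Assumption: the one host the business prints on its signage (constructed).
EXPECTED_HOST = "pay.carpark.example"

def check_qr_payload(payload, expected_host=EXPECTED_HOST):
    """Return 'ok', or the reason a decoded QR payload should not be trusted."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return "not a parseable URL"
    if parts.scheme != "https":
        return "not an https URL"
    if userinfo:
        # https://expected-host@other-host/ opens other-host, not expected-host
        return "text before '@' is not the host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "internationalised host, possible lookalike"
    if host != expected_host:
        # Exact match only: expected-host.other-domain is a different site
        return "host is %r, expected %r" % (host, expected_host)
    return "ok"

def audit(placements):
    """Map each placement whose code fails the check to the reason."""
    findings = {}
    for where, payload in placements.items():
        verdict = check_qr_payload(payload)
        if verdict != "ok":
            findings[where] = verdict
    return findings

# Constructed walk-round results: payloads as decoded by any QR reader.
SAMPLE_PLACEMENTS = {
    "machine 1": "https://pay.carpark.example/bay/12",
    "machine 2": "https://pay.carpark.example.secure-pay.test/bay/12",
    "machine 3": "https://pay.carpark.example@secure-pay.test/bay/12",
    "machine 4": "http://pay.carpark.example/bay/12",
}

if __name__ == "__main__":
    for where, reason in audit(SAMPLE_PLACEMENTS).items():
        print(where, "->", reason)
```

Machines 2 and 3 both begin with the expected address, which is why the check compares the whole host rather than looking for the business name somewhere in the URL.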
QR Codes for Payments — Specific Risks
QR codes used for payment purposes carry additional risk because scanning them may initiate a payment directly. Always verify the payment amount and recipient clearly on your phone screen before confirming any QR-initiated payment. If the displayed amount or recipient does not match what you expected, do not proceed — contact the business or service directly. For PayID and NPP payments initiated through QR codes, the recipient name is displayed before confirmation — verify this matches the expected business name.
Safe QR Code Practices
When scanning a QR code in public, follow these practices: physically inspect the code for signs of tampering before scanning; note the URL that appears in your browser preview before it fully loads; verify the URL matches the expected domain before entering any information or making any payment; and for any QR code payment, verify the transaction details completely before confirming. These habits add only a few seconds to each interaction but prevent the vast majority of QR code fraud. For businesses using QR codes, inform customers verbally what URL they should expect to see, and check your QR code placements regularly for tampering. IntrusionX provides security awareness training for Melbourne businesses — contact us for a consultation.