QR Code Scams Are Surging in Australia: How to Protect Your Business
A café owner in Melbourne found out their payment QR codes had been replaced with fake ones. Customers were scanning codes at tables, entering payment details on what looked like a legitimate payment page, and the money was going to scammers instead of the business.
The café lost a week of revenue before someone noticed. Customers lost money and payment card details. The trust damage took months to repair.
This is happening more frequently. QR code scams are surging in Australia, and they’re hitting businesses as much as consumers.
Why QR Codes Are a Security Problem
QR codes are convenient. Scan, go to a URL, done. That’s also the problem.
You can’t tell what a QR code links to by looking at it. It’s a black and white pattern that could point anywhere. Users have been trained to scan without thinking—menus, payments, event check-ins, marketing materials.
Attackers exploit this. They create malicious QR codes that look legitimate but point to phishing sites, malware downloads, or fraudulent payment pages. Most people scan first and check the URL later (if at all).
And because QR codes became ubiquitous during COVID for contactless everything, users now trust them implicitly. That trust is being weaponised.
The Common Attack Scenarios
Here’s how scammers are using QR codes to target businesses:
Payment hijacking. This is the big one for retail and hospitality. Attackers replace legitimate payment QR codes with fake ones. Customers scan, get redirected to a convincing clone of the payment site, enter details, and the money goes to criminals instead of the business.
Sometimes they print stickers with fake QR codes and stick them over real ones. Sometimes they compromise the system that generates or hosts the codes (a dynamic QR dashboard, a digital menu platform, an ordering tablet) and change where the existing codes point, so the printed code itself looks untouched.
Credential phishing. QR codes pointing to fake login pages for business software. An attacker leaves a QR code on a flyer in your office car park: “Scan to access staff portal.” It goes to a convincing fake login page. Staff enter credentials. If MFA isn’t enforced on that system, the attacker now has access to it; even with MFA, phishing kits that relay the one-time code to the real site in real time exist, so MFA raises the bar rather than closing the door.
This is particularly effective because people will scan QR codes on physical materials without the same scepticism they’d apply to an email link.
Malware delivery. QR codes that download malicious apps or files. “Scan to download our new customer app” could put malware on phones, typically by walking the user through installing an app from outside the official app store. If those phones access business systems or data, you’ve got a breach.
Invoice fraud. Scammers send invoices with QR codes for payment. The code goes to a fraudulent payment page or bank details. Businesses pay thinking they’re settling a legitimate invoice. Confirm any payment QR code or change of bank details with the supplier through a phone number you already hold, never one printed on the invoice itself.
Parking and meter scams. Fake QR codes on parking meters or ticketing machines. Users scan to pay for parking and give up payment details to scammers. If this happens at your business location (on machines you own or in your car park), customers blame you even though you didn’t place the stickers.
Real Examples from Australia
This isn’t theoretical. It’s happening now.
The ACCC’s Scamwatch has documented increasing reports of QR code scams. Losses are in the hundreds of thousands collectively, and that’s just reported cases.
Car parks in Sydney and Melbourne have had stickers with fake payment QR codes placed over legitimate ones. Customers pay for parking, money goes to scammers, they get fined for not paying because the actual parking company didn’t receive payment.
Restaurants and cafés have been targeted with fake payment codes. Sometimes it’s physical stickers, sometimes it’s compromised digital menus if they’re using tablet-based ordering systems.
Event venues have seen fake QR codes for ticketing. Attendees scan, pay for tickets that don’t exist, show up and can’t get in.
Even corporate environments have been hit with credential harvesting via QR codes in targeted phishing campaigns.
How to Protect Your Business
If your business uses QR codes (and many do), here’s what you need to do:
Regularly inspect physical QR codes. If you have payment codes, menu codes, or any QR codes displayed physically, check them daily. Look for stickers placed over original codes. Feel for edges of stuck-on materials. If a code is tampered with, replace it immediately.
Consider laminating QR codes or using tamper-evident materials that show if someone tries to place a sticker over them.
Use dynamic QR codes with monitoring. Instead of static codes that always link to the same URL, use dynamic QR codes where you can change the destination and track scans. Two patterns matter. A sudden spike in scans, especially from unfamiliar locations, suggests the code has been copied into someone else’s campaign. A sudden drop at a busy site suggests the physical code has been covered by a sticker, because a covered code never reaches your redirect service at all. Dynamic codes don’t prevent either attack, but they give you the signal, and they let you change a destination in minutes rather than reprinting.
Services like QR code generators with analytics can alert you to suspicious activity.
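What that monitoring could look like in practice, as an added example that is not code from the article or from any particular QR service: it assumes the service can export one scan per line as a UTC timestamp, a code ID and a coarse region, and it flags a spike measured against the same clock hour on the previous seven days, a code that has gone silent in an hour that is normally busy (the sticker-overlay signature), and scans from regions the code has never seen before. The thresholds and every log line are constructed for illustration.

```python
"""Flag suspicious scan patterns on dynamic QR codes.

Added example, not code from the original article. It assumes the QR
management service can export one line per scan in the form
'<ISO 8601 UTC timestamp> code=<code id> region=<country-subdivision>';
the thresholds and all log lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)
BASELINE_DAYS = 7        # compare the last hour with the same clock hour on the previous 7 days
SPIKE_FACTOR = 3         # a spike must exceed 3x the same-hour average ...
MIN_SPIKE = 10           # ... and reach at least 10 scans, so quiet codes don't alert on noise
MIN_SILENT_BASELINE = 2  # zero scans is suspicious only in an hour that normally sees 2 or more


def parse_line(line):
    """'2025-03-10T12:05:00Z code=table-07 region=AU-VIC' -> (datetime, code, region)."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, kv["code"], kv["region"]


def detect_anomalies(lines, now):
    """Return sorted (code, finding, detail) tuples for the hour ending at `now`.

    Comparing against the same clock hour on earlier days keeps lunch rushes
    and overnight quiet from looking like spikes or outages."""
    current_start = now - WINDOW
    baseline_start = current_start - timedelta(days=BASELINE_DAYS)
    cur_count = defaultdict(int)
    cur_regions = defaultdict(set)
    same_hour_count = defaultdict(int)  # scans in this clock hour, 1..7 days ago
    known_regions = defaultdict(set)    # regions seen at any time during the baseline week

    for ts, code, region in map(parse_line, lines):
        if current_start <= ts < now:
            cur_count[code] += 1
            cur_regions[code].add(region)
        elif baseline_start <= ts < current_start:
            known_regions[code].add(region)
            days_ago, rem = divmod(now - ts, timedelta(days=1))
            if 1 <= days_ago <= BASELINE_DAYS and timedelta(0) < rem <= WINDOW:
                same_hour_count[code] += 1

    findings = []
    for code in sorted(set(cur_count) | set(known_regions)):
        cur, avg = cur_count[code], same_hour_count[code] / BASELINE_DAYS
        if cur >= MIN_SPIKE and cur > SPIKE_FACTOR * avg:
            findings.append((code, "spike",
                             f"{cur} scans in the last hour against a same-hour average of {avg:.1f}"))
        if cur == 0 and avg >= MIN_SILENT_BASELINE:
            findings.append((code, "silent",
                             f"no scans in an hour that averages {avg:.1f}; check whether the printed code is covered"))
        unfamiliar = cur_regions[code] - known_regions[code]
        if unfamiliar and known_regions[code]:  # a brand-new code has no 'familiar' regions yet
            findings.append((code, "unfamiliar_region", "scans from " + ", ".join(sorted(unfamiliar))))
    return findings


NOW = datetime(2025, 3, 10, 13, 0, tzinfo=timezone.utc)  # constructed 'current time'


def constructed_log():
    """A routine week for three codes, then one suspicious hour. Constructed data, not real scans."""
    lines = []
    for days_ago in range(1, BASELINE_DAYS + 1):
        day = NOW - timedelta(days=days_ago)
        for hour in range(8, 17):          # opening hours, three scans per code per hour
            for minute in (5, 25, 45):
                stamp = day.replace(hour=hour, minute=minute)
                for code in ("table-07", "counter-01", "menu-03"):
                    lines.append(f"{stamp:%Y-%m-%dT%H:%M:%S}Z code={code} region=AU-VIC")
    # The last hour (12:00-13:00 today): menu-03 is normal, table-07 goes silent,
    # counter-01 is scanned every five minutes from regions the café never sees.
    for minute in (10, 30, 50):
        lines.append(f"2025-03-10T12:{minute}:00Z code=menu-03 region=AU-VIC")
    for minute in range(0, 60, 5):
        region = "NG-LA" if minute % 10 == 0 else "US-CA"
        lines.append(f"2025-03-10T12:{minute:02d}:00Z code=counter-01 region={region}")
    return lines


if __name__ == "__main__":
    for code, finding, detail in detect_anomalies(constructed_log(), NOW):
        print(f"{code:12} {finding:18} {detail}")
```

On the constructed data this reports a spike and unfamiliar regions for counter-01 and a silent hour for table-07, while menu-03 stays quiet. The silent-hour rule is the one worth keeping even if your service already alerts on spikes, because a sticker over your code produces no traffic to your redirect service at all, so a spike-only monitor never sees it.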
Secure your QR code generation and management systems. If you’re using software to create and manage QR codes (for payments, menus, marketing), make sure those systems are secured. MFA on accounts, strong passwords, regular access audits. If an attacker compromises your QR management system, they can change where your legitimate codes point.
Train staff to recognise QR code tampering. Front-line staff should know to look for signs of tampered codes and report them immediately. They should also know not to scan random QR codes they find, even if they look work-related.
Educate customers about verification. Display information near QR codes explaining how to verify they’re legitimate. “This code should take you to [your domain]. If it goes anywhere else, don’t proceed and notify staff.”
Some businesses are putting small text URLs below QR codes so users can manually verify the destination before entering payment details.
For payment codes, use additional verification. If you’re accepting payment via QR codes, consider systems that confirm the payment destination before processing. “You’re about to pay [Business Name]. Is this correct?” Some payment providers offer this.
Monitor for QR-based phishing targeting your staff. Security awareness training should include QR code risks. Don’t scan random codes. Verify before entering credentials or payment details. Be suspicious of urgent requests via QR code.
Consider using mobile device management or security software that scans URLs before opening them, even when accessed via QR code.
Report incidents immediately. If you discover fake QR codes or a scam targeting your business, report it to police and ACCC Scamwatch. Alert your customers if they might have been affected. Fast disclosure limits damage.
What Customers Should Do (And You Should Tell Them)
Part of protecting your business is helping your customers not get scammed, which protects your reputation too.
Encourage customers to:
- Check the URL before entering information. Most phone camera apps show the link in a small preview before opening it, and that preview is often truncated, so open the address bar and read the whole domain, not just the first few characters. If it doesn’t match the expected domain, stop.
- Look for HTTPS and legitimate domains. Payment sites should be on https:// and on the company’s official domain, but the padlock only means the connection is encrypted; scam sites get valid certificates too, so the domain is the check that matters. The part that counts is the registered domain just before the path: if a café’s website is cafename.com.au, then cafename-payments.xyz is suspicious, and so is cafename.com.au.secure-pay.xyz, where the real domain is secure-pay.xyz.
- Verify physical codes haven’t been tampered with. Look for stickers, misalignment, or damage. If something looks off, ask staff before scanning.
- Use payment methods with fraud protection. Credit cards and PayPal offer more fraud protection than bank transfers or cryptocurrency. If a QR code asks for payment via bank transfer or crypto, that’s a red flag.
- Question urgent or unusual requests. “Scan this code immediately to avoid penalties” is a scam tactic. Legitimate businesses don’t operate like that.
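The “does this link really go to our domain?” check behind the signage advice for businesses above and the customer checklist, as an added example rather than code from the article: it assumes a fictional café whose real hosts are cafename.com.au and pay.cafename.com.au, and it puts the check people do by eye (is the café’s name somewhere in the link?) beside a strict check that only accepts https links whose host is one of ours or a subdomain of ours. The sample payloads, including the lookalike hosts, are constructed.

```python
"""Decide whether the text decoded from a QR code is a destination we expect.

Added example, not code from the original article. It assumes a fictional
business whose real site is cafename.com.au and whose payment page lives on
pay.cafename.com.au; every QR payload below is constructed for illustration.
"""
from urllib.parse import urlsplit

# Hosts the business actually controls (assumption for this example).
TRUSTED_HOSTS = ("cafename.com.au", "pay.cafename.com.au")


def naive_check(payload: str) -> bool:
    """The check most people do by eye: is our name somewhere in the link?
    Kept here only to show how it is fooled."""
    return "cafename.com.au" in payload


def host_matches(hostname: str, trusted: str) -> bool:
    """Exact host or a subdomain of it (a.pay.cafename.com.au), never a host
    that merely starts with or contains the trusted name."""
    return hostname == trusted or hostname.endswith("." + trusted)


def is_expected_destination(payload: str, trusted_hosts=TRUSTED_HOSTS):
    """Return (ok, reason). Only https links whose host is ours, or a
    subdomain of ours, are accepted; everything else is rejected with a reason."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return False, "link does not parse"
    # QR codes can carry plain text, tel:, sms:, WIFI: payloads...; we expect only web links.
    if parts.scheme != "https":
        return False, f"scheme '{parts.scheme or 'none'}' is not https"
    hostname = parts.hostname  # lower-cased; userinfo, port and IPv6 brackets removed
    if not hostname:
        return False, "no host in link"
    if parts.username is not None:
        # https://cafename.com.au@secure-pay.xyz/ : our name is userinfo, the host is secure-pay.xyz
        return False, f"link has a user@ prefix; the real host is {hostname}"
    hostname = hostname.rstrip(".")
    try:
        ascii_host = hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "host is not a valid domain name"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        # none of our hosts are internationalised, so punycode means a lookalike (e.g. Cyrillic 'е')
        return False, f"internationalised host {ascii_host} is a likely lookalike"
    for trusted in trusted_hosts:
        if host_matches(ascii_host, trusted):
            return True, f"host {ascii_host} is ours"
    return False, f"host {ascii_host} is not ours"


# Payloads a customer might decode from stickers or flyers (constructed).
SAMPLE_PAYLOADS = [
    "https://pay.cafename.com.au/table/4",            # legitimate
    "HTTPS://PAY.CAFENAME.COM.AU/table/4",            # legitimate, just shouted
    "http://pay.cafename.com.au/table/4",             # downgrade to plain http
    "https://cafename-payments.xyz/pay",              # lookalike registered domain
    "https://cafename.com.au.secure-pay.xyz/pay",     # our name as a subdomain of theirs
    "https://cafename.com.au@secure-pay.xyz/pay",     # our name as userinfo
    "https://cafеname.com.au/pay",                    # Cyrillic 'е' in the host
    "WIFI:T:WPA;S:FreeCafeWifi;P:hunter2;;",          # not a link at all
]


def classify_samples(payloads=SAMPLE_PAYLOADS):
    """Run both checks over the samples; returns {payload: (naive, strict)}."""
    return {p: (naive_check(p), is_expected_destination(p)[0]) for p in payloads}


if __name__ == "__main__":
    for payload, (naive, strict) in classify_samples().items():
        print(f"naive={naive!s:5} strict={strict!s:5}  {payload}")
        print("       ", is_expected_destination(payload)[1])
```

The strict version rejects cafename.com.au.secure-pay.xyz and cafename.com.au@secure-pay.xyz even though both contain the café’s name, which is exactly the part a truncated phone preview tends to show. A business printing “this code takes you to pay.cafename.com.au” under its codes is asking customers to do the same comparison by eye, so keep the real hostname short and distinctive.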
The Regulatory and Technical Response
Awareness is growing. The Australian Competition and Consumer Commission has been issuing warnings about QR code scams. Payment providers are implementing better verification flows.
Some QR code readers now have built-in security features that warn about suspicious URLs. Mobile OS updates are adding URL previews and warnings.
But ultimately, the responsibility falls on businesses and users to be cautious. There’s no perfect technical solution because a QR code is just encoded text, usually a link, and a link can point anywhere.
The Bottom Line
QR codes are useful and they’re not going away. But they’re also a security risk that businesses need to manage actively.
If you display QR codes, assume someone will try to tamper with or clone them. Inspect regularly. Use tamper-evident materials. Monitor for unusual activity.
If your staff use QR codes, train them to be cautious. Verify before scanning. Never enter credentials or payment details without confirming the URL is legitimate.
If your customers interact with your QR codes, help them stay safe. Clear communication about what they should expect, how to verify legitimacy, and what to do if something seems wrong.
The convenience of QR codes made them popular. That same convenience makes them attractive to scammers. You can use them safely, but you can’t use them carelessly.
Inspect, verify, monitor, educate. Treat QR codes as potential attack vectors and manage them accordingly. Because right now, attackers certainly are.