QR Codes, Fake Sites, And Clone Shops

In 2020, almost nobody used QR codes outside of niche contexts. By 2024 they were everywhere — restaurants, parking meters, bus stops, posters, business cards, even billboards. And of course, scammers caught up.

QR-code phishing — "quishing" — surged 587% in 2025. This chapter covers what those attacks actually look like, how to spot them, and the closely related world of clone shopping sites and fake delivery notices.

Why QR Codes Are A Scammer's Dream

A QR code is just an image that encodes a URL. When you scan it, your phone opens that URL.

The problem: you can't read a QR code with your eyes. You can read a printed URL and notice if it looks suspicious. You can't do that with a QR code — it's just a square of pixels until your phone decodes it. By then, the URL is already opening.

This makes QR codes a perfect Trojan horse:

• They're cheap to print and easy to slap onto any surface;
• People scan them habitually, often without checking the destination;
• They hide the URL until after the scan;
• They look "official" to most people, since legitimate businesses use them too.

Scammers print fake QR stickers and place them over real ones — or in places where people expect to find them.

Three Scenarios You'll Actually Run Into

Scenario 1 — The parking meter sticker.

You park your car downtown. The meter has a "Scan to pay" QR code. You scan it. A payment page opens, looking professional. You enter your card. The transaction processes.

What actually happened: a scammer placed a fake QR sticker over the real one, sometime in the last few hours. Your payment went to their account, your card details to their database. Some meters take a real payment too, so you don't even notice — you'll find out next month when your card shows fraud.

This is a major problem in 2025-2026. Several cities (Austin, San Francisco, parts of London) have seen widespread fake QR sticker campaigns on parking meters. Some city councils have started welding the legitimate QR codes onto the meters to prevent stickering.

Scenario 2 — The restaurant table.

You're at a cafe. A QR code on the table says "View our menu" or "Special offers — scan to claim". You scan. Often this is legitimate. But sometimes:

• The page asks you to "sign in with Google or Apple" to view the menu (real restaurants don't need this);
• The page asks for your phone number to "join the loyalty program" (often a SMS-phishing setup);
• The page just looks like a normal menu but quietly drops a tracker that follows you around the web;
• The QR code leads to a real-looking fake of the restaurant's own loyalty system, where you enter saved card info.

Scenario 3 — The gas pump or EV charging station.

Same pattern as the parking meter, even higher stakes because gas stations process transactions of $50-100 routinely, and people are in a hurry. Scammers stick QR codes on or near pumps, often with text like "Scan for discount" or "Pay via app". Higher value, more victims.

QR Defense — Four Habits

1. Preview the URL before the scan opens it.

Every modern phone camera (iOS 11+ and Android 10+ via default Google Lens) shows the QR's destination URL before opening it. There's a small banner at the top of the camera view: "Open: park-now-secure.tk/pay". Read it. Does the domain match the business? If not, don't tap.

Examples:

• ✓ Real Starbucks QR for menu: app.starbucks.com/menu;
• ✗ Fake: starbucks-rewards.io/menu, coffee-deals-app.tk, anything with random words.

2. Prefer the official app or the company's own card reader.

For paying for parking, gas, charging, transit, or restaurant bills:

• Use the company's official app (downloaded from the App Store / Play Store yourself, not from a QR);
• Insert your card into the company's own physical reader;
• Use Apple Pay / Google Pay tap-to-pay where available — that's never compromised by a sticker.

3. Never enter login credentials on a page opened from a QR.

Real businesses do not need you to "sign in with Google" to view a menu. If a QR-opened page asks for any login, close the page immediately.

4. Peel back the sticker.

If the QR code is on a sticker, check the edges. If you can lift it, you'll often see the original QR underneath — that's the giveaway. Report it to the business or city.

Clone Shopping Sites — The Social-Media-Powered Cousin

A related scam, increasingly common in 2025-2026: fake online stores advertised through paid ads on Instagram, TikTok, Facebook, and Google.

The pattern:

• You see an ad — "Nike Outlet — 70% off, Black Friday early access!" or "Patagonia Warehouse Sale — final day!";
• You click;
• A pixel-perfect clone of the brand's site loads;
• You buy, you enter your card, you confirm;
• Either: nothing ever arrives, or weeks later a counterfeit product arrives from a Chinese drop-shipper, and your card is now in a database for resale.

Why this works: modern AI-built clone sites are nearly indistinguishable from the originals. The logo, fonts, layouts, even live chat — all copied. Social media ad platforms accept ads from anyone with a card, and removal usually takes days after reports.

The 2026 numbers: retail-fraud losses to clone shopping sites passed $2 billion globally in 2025, doubling year over year.

Defenses For Clone Shopping

1. Type the brand's name into your browser directly — never click ads.

The single best habit: when you want to shop at Nike, type nike.com into your address bar. When you want Patagonia, type patagonia.com. Stop clicking ads, even if the ad looks legitimate. Real brands rank #1 in Google for their own name — typing is essentially as fast as clicking, and infinitely safer.

2. Search "[brand name] official site".

If you're not sure of the exact URL, search "Nike official site" in Google. The first organic (non-ad) result is almost always the real brand. Skip the ads at the top of the page.

3. Treat "too good to be true" deals as fake.

Real brands don't run 70%-off site-wide sales advertised through random Instagram ads. They run sales on their own site, promoted through their own email lists and social media accounts. If the deal sounds extraordinary, the site is almost certainly fake.

4. Check the domain age.

If you're not sure: go to whois.com and look up the domain. A "Nike outlet" site registered 3 weeks ago is not real. Real brand sites are decades old.

5. Check the payment page for the basics.

Even before the QR or click checks, on the actual checkout:

• Is the URL exactly the brand's real domain?
• Does the page look professional, with real customer service contact info?
• Does it accept Apple Pay, PayPal, or other trusted intermediaries? Or only direct card entry?
• Is there a clear physical address and phone number in the footer?

Related Scams To Recognize

Fake delivery notices. A text from "USPS" or "DHL" — "Your package couldn't be delivered, please confirm your address: [link]". The link goes to a clone of the carrier's site, harvests your details, often asks for a small "redelivery fee" to capture your card. Real carriers don't ask for fees via text. Track packages by going to the carrier's site yourself and entering the tracking number you got from the merchant.

Fake "your bank" texts. "BANK ALERT: Did you make a transaction of $480 at Walmart? Reply Y or N." Reply with anything and a "fraud agent" calls you back, asks for credentials to "verify the dispute," and drains the account. Real banks don't have you "verify" yourself by handing over passwords or 2FA codes.

Tech support scams. A popup says "Your computer has a virus, call Microsoft at 1-800-XYZ." You call. "Microsoft" walks you through installing remote access software so they can "fix" your computer. They install ransomware or steal everything. Microsoft doesn't call you. There is no "Microsoft tech support" you'd reach through a popup.