Drivers in New York City who scan a QR code on a parking meter to pay may instead hand their payment details to a scammer. The New York City Department of Transportation confirmed that fraudulent QR code stickers have been placed over legitimate ParkNYC meter labels, redirecting unsuspecting users to fake payment portals. The warning adds to a growing pattern documented by federal agencies: criminals are physically pasting their own QR codes on top of real ones in public spaces, exploiting the trust people place in official signage and the speed of a single phone scan.
Why sticker-over-sticker QR fraud is spreading now
The core mechanic is simple. A scammer prints a QR code that routes to a convincing payment page, then sticks it directly over the genuine code on a parking meter, restaurant table tent, or transit kiosk. Because the fake sticker sits on municipal or commercial infrastructure, the person scanning it has no obvious reason to doubt its authenticity. That built-in trust is what separates physical QR overlays from a suspicious email link, where users have learned to check sender addresses and hover over URLs before clicking.
A field study titled “Gone Quishing” and hosted on arXiv tested exactly this dynamic. Researchers measured how people responded to malicious QR code prompts placed in real-world settings. Study participants proceeded with sign-up using third-party credentials at high rates after scanning the codes, suggesting that the physical context of a posted QR code lowers the skepticism people normally apply online. The study offers early empirical support for a hypothesis that physical QR overlays convert at higher rates than purely digital phishing, though controlled A/B trials comparing overlay scans against email click-through rates in the same locations have not yet been published.
The practical consequence is direct. A driver in a rush to avoid a parking ticket is unlikely to peel back a sticker or inspect a URL preview before entering credit card information. The scam works because it meets people at a moment of urgency, in a setting where official signage is expected, and requires only the single action of pointing a phone camera.
Federal and city agencies documenting QR code overlay scams
New York City’s parking meter advisory is the most specific local action on record. The NYC DOT confirmed that QR stickers on ParkNYC meters are fraudulent and directed anyone who encounters one to report it through the ParkNYC app. The advisory makes clear that ParkNYC does not use QR codes affixed to meters for payment, so any such sticker is by definition a scam.
The Federal Trade Commission documented the same tactic at a national level, warning that scammers cover legitimate QR codes on parking meters with their own codes to steal personal and financial information. The FTC alert described the method as part of a broader pattern in which harmful links are hidden behind QR codes in both physical and digital contexts.
Although the FBI has also warned about QR-enabled fraud, its public service announcements have focused more on codes sent through unsolicited communications such as packages or messages, rather than the specific sticker-over-sticker technique on public infrastructure. That distinction matters for understanding how the same basic technology, a scannable square of pixels, can be weaponized in multiple ways depending on where and how it is presented to the victim.
Taken together, the NYC DOT and FTC advisories describe a single attack pattern adapted to different surfaces: meter stickers, restaurant signage, mailed notices, and any other physical object where a QR code would seem routine. Each agency independently confirmed that the scam is active and causing real losses, though none has published aggregate national figures on total incidents or dollar amounts stolen.
Gaps in the data and what to watch next
No federal agency has released a year-over-year count of QR overlay incidents or a national loss estimate. The NYC DOT advisory addresses a single city’s parking system. The FTC consumer alert describes the tactic but does not quantify how many meters have been compromised nationwide. Without centralized reporting, the true scale of the problem is not yet measurable from public records alone.
The academic evidence is also early-stage. The “Gone Quishing” field study demonstrated that people readily interact with malicious QR prompts, but the full methodological details, including sample size and participant recruitment, are available only through the preprint. No follow-up study has yet compared overlay scan rates against traditional phishing click-through rates in a controlled setting, which would be the clearest test of whether physical placement genuinely outperforms digital delivery.
For policymakers, that leaves several open questions. One is whether QR overlays are primarily a big-city phenomenon tied to dense networks of parking meters and curbside payment stations, or whether they are spreading into smaller municipalities and private lots where oversight is thinner. Another is whether particular design choices, such as the size and color of official meter labels, make it easier or harder for scammers to blend in with convincing fakes.
Law enforcement agencies also have to decide how to classify and track these cases. A single overlay on a meter might be logged as a local vandalism or fraud incident, while a coordinated campaign that targets dozens of blocks could fall under more serious statutes. Without consistent categorization, it becomes harder to recognize patterns that cross city or state lines, and harder still to justify dedicated investigative resources.
Technology vendors and payment processors, meanwhile, face their own data gaps. Many QR code payment systems are run through third-party apps or web portals, which may only see the compromised transaction after the user has already been redirected by a fraudulent sticker. Unless those providers build specific logging and anomaly-detection tools for QR-based sessions, they may not be able to distinguish a legitimate scan from one initiated at a tampered meter.
Practical steps for anyone scanning QR codes
For anyone who regularly pays for parking, transit, or services by scanning a posted code, the practical first step is to know what “normal” looks like in a given system. The NYC DOT advisory, for example, states that ParkNYC payments should be made through the official app, on the program’s website, or by using the meter’s keypad and screen, not by scanning a sticker on the device itself. If a QR code appears on a surface where the operator has said it does not belong, that is a red flag.
Beyond understanding local rules, there are several low-friction habits that reduce risk without requiring technical expertise:
- Check the URL before you tap through. Most smartphone cameras show a preview link when they detect a QR code. If the domain name looks unrelated to the city, company, or service you expect, back out instead of opening it.
- Look closely at the sticker. Misaligned labels, inconsistent fonts, or a sticker placed on top of another label can all indicate tampering. If something looks layered or off-center, consider using an alternative payment method.
- Favor official apps over ad hoc codes. When a city or business offers a dedicated app or clearly branded website, launching it directly is safer than relying on whatever a posted code might link to.
- Avoid entering sensitive data after a cold scan. Treat QR codes like links in unsolicited emails: do not type passwords, card numbers, or Social Security numbers into a site you reached solely by scanning a public code.
- Report suspicious codes. Many operators, including ParkNYC, ask users to report fraudulent stickers so they can be removed. Taking a moment to file a report can prevent additional victims.
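The "check the URL" habit above can also be automated in a scanner or wallet app. The following is an added example, not code from any agency or vendor named in this article; `parking.example` is a placeholder for the operator's real payment domain, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption: placeholder standing in for the operator's real payment domain.
OFFICIAL_HOSTS = {"parking.example"}

def check_qr_url(payload, official_hosts=OFFICIAL_HOSTS):
    """Return (ok, reason) for the text decoded from a scanned QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no host"
    # Text before '@' is login info, not the site; it can mimic a trusted name.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    # Non-ASCII or punycode labels can render like a familiar name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host"
    # Match the whole host or a dot-delimited subdomain, never a bare suffix.
    if any(host == h or host.endswith("." + h) for h in official_hosts):
        return True, "operator domain"
    return False, "host is not an operator domain"

# Constructed sample payloads (not taken from any real incident).
SAMPLES = [
    "https://pay.parking.example/zone/1234",
    "https://parking.example.evil.test/pay",
    "https://parking.example@evil.test/pay",
    "https://notparking.example/pay",
    "http://parking.example/pay",
    "https://xn--prking-abc.example/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_qr_url(url), url)
```

Only the first sample passes; each of the others is rejected for a different reason, which is why a simple "does the link contain the expected name" test is not enough.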
None of these steps can guarantee safety, and they do not replace the need for better infrastructure design and clearer public guidance. But they do shift the odds in favor of the person holding the phone, rather than the person who quietly placed a sticker over a meter label at three in the morning.
QR codes are not inherently unsafe; they are simply a fast way to move someone from the physical world to a digital one. The recent wave of overlay scams shows how much damage can be done in that split second of transition, when trust in a metal pole or a printed sign is silently transferred to an unknown website. As cities, regulators, and researchers gather more data, the challenge will be to preserve the convenience of a quick scan without leaving every curbside meter and café tabletop open to the same low-tech, high-yield trick.
*This article was researched with the help of AI, with human editors creating the final content.