As QR codes have become ubiquitous in Hong Kong restaurants, car parks, and retail, scammers have followed — placing fraudulent QR codes that redirect to phishing sites or initiate unauthorised payments.
QR code phishing — sometimes called "quishing" — exploits the widespread trust and adoption of QR codes in Hong Kong's daily life. Since COVID-19 normalised QR code scanning for restaurant menus, venue check-ins, and contactless payments, the technology has become deeply embedded in how people transact and access information. Scammers exploit this familiarity by placing fraudulent QR codes over legitimate ones, or creating entirely fake QR code displays in locations where scanning is expected.
The most common QR code scam in Hong Kong involves physical replacement: a fraudulent QR code sticker is placed over a restaurant's legitimate menu QR code, a car park's payment QR code, or a business's cashless payment display. When scanned, the fraudulent code redirects to a phishing site or initiates an unexpected payment. The victim, expecting to access a menu or pay a parking fee, instead lands on a credential-harvesting site or makes a payment to a fraudulent recipient. Because scanning QR codes has become automatic and unquestioned, these attacks often succeed even against security-aware users.
Digital QR code scams appear in emails, messaging apps, and social media. Unlike physical replacement attacks, these fraudulent QR codes are designed to bypass email security filters — since QR codes are images rather than text links, they are not analysed by the same URL-scanning tools that would detect a malicious hyperlink. Scanning a QR code from an email or WhatsApp message carries the same risks as clicking a phishing link, but without the URL preview that might trigger caution.
Restaurants and cafes are among the highest-risk locations for QR code tampering in Hong Kong. The widespread adoption of QR code menus following COVID-19 means most diners now automatically scan a table QR code without examining it critically. Scammers target restaurants in high-footfall areas — Causeway Bay, Mong Kok, Central, and Tsim Sha Tsui — placing fraudulent QR code stickers on table-top menu displays or near the entrance where payment codes are often displayed.
Car parks and parking meters are another significant risk location. Many Hong Kong car parks now accept QR code-based payment. Fraudulent QR codes placed at payment machines redirect payment flows to attacker-controlled accounts. Unlike restaurant menu QR codes where the fraud is discovered when credentials are subsequently misused, car park payment fraud may be immediately apparent when the vehicle exit barrier does not open — by which point the payment has already been redirected.
Public notice boards, charity collection points, and government information displays have also been targeted. Scammers will use any location where a QR code might plausibly appear and where scanning is expected. Even business cards, printed promotional materials, and customer loyalty cards can be tampered with or counterfeited. The common thread is any situation where a QR code is used to facilitate an action that involves money or credentials.
The most important safe scanning habit is to preview the URL before acting on it. When you scan a QR code, most smartphone camera apps and QR code scanners show a preview of the URL before opening it. Take a second to read this URL and verify it matches the expected destination — a restaurant menu QR code should direct to the restaurant's own domain or a known menu platform, not a generic short URL or an unfamiliar domain. If the URL looks unexpected, do not proceed.
Physically inspect QR codes before scanning, particularly in payment contexts. A QR code sticker placed over another surface has visible edges or adhesive lines around it — this is a sign of tampering. Legitimate QR codes displayed by businesses are typically printed directly on the surface (table, menu, payment terminal) rather than applied as separate stickers. If a QR code at a payment terminal appears to be a sticker, report it to staff and use an alternative payment method.
For payment transactions, verify the recipient before confirming. When a scanned QR code initiates an FPS (Faster Payment System) or mobile payment, the payment screen should show the recipient's registered name or business name before you confirm. If the recipient name is an individual rather than the expected business, or if the amount differs from what you expected, cancel the transaction and report the fraudulent QR code to the venue and to the HKPF.
If you scanned a QR code and landed on a suspicious website, close the browser immediately without entering any information. On Android, run a security scan to check for any malware that may have been silently delivered. On iPhone, close Safari and clear your browsing history and website data (Settings → Safari → Clear History and Website Data). Monitor your accounts for any unusual activity over the following days.
If you entered credentials on a fraudulent site after scanning a QR code, follow the same response as for any phishing credential disclosure: change the affected password immediately through the official app or website, contact your bank if financial credentials were involved, and enable two-factor authentication if not already active. If you entered payment information or authorised a payment to a fraudulent recipient via FPS, contact your bank immediately and report to the Anti-Deception Coordination Centre at 18222 — there is a narrow window in which fraudulent transfers can sometimes be intercepted.
Report the fraudulent QR code to help others. Notify the venue where you found it so they can remove it and replace it with a legitimate code. Report to the HKPF Cyber Security and Technology Crime Bureau at 182 388. For payment fraud, also report to the ADCC at 18222. Report to HKCERT at hkcert.org/report. If you found the fraudulent QR code in a chain restaurant or large retailer, contact their head office as well — they likely have security teams that can investigate and alert their other locations.