ORDERING in a restaurant, renting a city bike or routinely paying as you enter a train station car park…these are just some of the day to day ways we scan a QR code in Spain.
Seen as a novel way of avoiding the spread of germs during COVID, they save paper and immediately link to payment options on your mobile phone.
But, Spain’s Policia Nacional have now issued a firm warning: scams that use fake stickers with QR codes in public spaces are rapidly on the rise.
Calling it ‘QRishing’, a classic new form of ‘phishing’ it is allowing conmen around the country – and often, based abroad – to take control of your phone.
The country’s National Institute of Cybersecurity (INCIBE), estimates the scam has grown hugely in recent years thanks to its low cost and how difficult it is to detect by the victim.
While failing to give numbers, the UK’s Action Fraud, claims the crime has increased by 340% since last year.
And the police body estimates that victims on average are losing £950 (1094 euros), with some cases reaching 45,000 euros when business accounts are compromised.
By mid September Action Fraud estimated there were already over 47,000 victims in the UK alone in 2025.
They included Maria Rodriguez, who was scammed when she parked in a garage in central London, while visiting for a business meeting.
She reached for her phone to scan the QR code at the payment machine, a routine that has become second nature in our increasingly digital world.
But this time was different. As her camera focused on the black-and-white squares, something felt wrong. The payment screen looked slightly off, and the URL seemed suspicious.
Despite running late she decided to contact a cybersecurity helpline – one of many in the UK – that quickly confirmed her suspicions: it was a dodgy one! Don’t use it to pay for parking!
She looked around, found an attendant and paid using her credit card. Crisis avoided.
There are similar companies in Spain that are quickly able to establish if something is wrong.
One of those is cybersecurity firm AnyTech365, based in Malaga.
Its Chief Operating Officer Georgi Medzhidiliev explains: “Scams are becoming increasingly sophisticated, and a prime example of that is the QR code fraud.
“Bad actors know that when people park, they’re often in a rush and not paying close attention. It only takes a second to scan a sticker placed over the original QR code, and that’s all they need to redirect us to a fake site and potentially drain our bank accounts.
“It’s a subtle trick, but highly effective, and it’s catching an increasing number of people off guard.”
How QR scams work
The scam is incredibly simple: The fraudsters place stickers with a fake QR code in dozens of places including parking meters, electric car charging stations, public bike docks and even petrol pumps.
Spain’s National Police reported a series of recent cases in Mallorca, Malaga and Madrid.
In Madrid, fake codes were detected at BiciMAD bike rent ports, while in Palma, they were placed on electric car charging stations.
In Malaga, the scammers tried to hoodwink drivers by putting false parking fines on their windshields, accompanied by a QR that led to a website for the General Directorate of Traffic (DGT).
Of course it was not the official site and once there, drivers were urged to pay the penalty immediately.
As the Olive Press reported in July, scammers even used Malaga City Hall’s coat of arms on the clever stickers.
Police have now warned in a series of TikToks and other social media posts that these QR codes are ‘practically identical to the originals’.
“It makes it very difficult for the user to suspect they are being scammed,” said a spokesman for the Policia Nacional.
“Before scanning, think twice. A QR can take you to the wrong place,”
In their official warning, Spanish cops make the key points:
- Check the QR code has not been manipulated. If it looks like an overlapping or misplaced sticker, be suspicious.
- Check the link before accessing. Mobile phones allow you to preview the URL. If the address does not match the official one, do NOT follow
- Analyze the web visually. A fraudulent page usually shows clear clues: low-quality images, spelling mistakes and messages that are aggressive to generate urgency
- Do not install unnecessary apps.
What makes these scams particularly insidious is how they mimic legitimate processes. Criminals design fake websites that look identical to official parking apps or payment portals.
Victims believe they’re downloading a legitimate parking app and creating a secure account, but they’re actually handing over their personal and financial information directly to scammers.
The fake sites often include convincing logos, professional layouts, and even fake security badges to appear trustworthy.
UK hotspots: car parks, restaurant menus, and retail checkouts are prime targets for QR scams.
The Anatomy of a Modern QR Code Scam
How criminals swap real QR codes with fakes on parking meters—spot the signs before you pay.
Cybersecurity experts are quick to point out how sophisticated the fraudsters are now becoming.
AnyTech’s Medzhidiliev, who has worked on cyber security for over a decade in Spain, said: “It’s the perfect storm of factors. After the pandemic normalised QR code use, criminals professionalised their game, and the average person has no way to distinguish between legitimate and malicious codes.”
Legit vs. fake QR: check the domain carefully—look-alikes trick you into sharing card details.
Criminals are using advanced encoding techniques to hide malicious URLs within codes that appear completely normal.
The only reliable way to verify a QR code’s safety is through expert analysis using specialised cybersecurity tools.
“You will have to call a cybersecurity expert,” explains Georgi, whose company has been one of the fastest growing tech companies in Spain over the last decade. “Time is critical in these situations and it takes us about five minutes to work it out, often quicker.
“The sooner someone calls for advice or help, the better we can protect them from further damage. We’ve seen cases where a quick phone call saved someone from losing their entire savings account.”
For emergency cybersecurity advice if you believe you’ve been scammed call AnyTech365 free of charge on 951 203 538 for Spain and (+44) 203 773 6780 for the UK.
Real outcomes: quick expert help has stopped losses and secured accounts for thousands in the UK.
Grab our exclusive FREE introductory offer and call AnyTech365 to leave it all to the experts!
CALL NOW!To claim your AnyTech365 TotalCare 3 months FREE
(+34) 951 203 538
(+44) 203 773 6780
Click here to read more Business & Finance News from The Olive Press.
