The code you can't read is reading you

Last summer, a driver in Austin pulled into a downtown parking spot.

She scanned the QR code on the meter. Entered her card details. Drove off.

Three days later, $2,400 was drained from her account.

The city later discovered 29 compromised parking meters with fake QR code stickers plastered right over the real ones.

Welcome to quishing. QR code phishing.

The invisible threat

Here's the problem: you can't read a QR code. It's a black box. You scan it, and your phone goes wherever the code tells it to go.

73% of Americans scan QR codes without any verification. We've been trained to trust those little squares.

Scammers know this.

26% of all malicious links are now delivered via QR code. And only 36% of these attacks are ever identified by the victim.

They're showing up on parking meters, fake shipping notices, restaurant tables, and emails pretending to be from Microsoft or your bank.

The preview rule

So here's what I call The preview rule:

Before you tap "Open," look at the URL your phone shows you. If it's misspelled, shortened, or doesn't match the company name exactly, don't tap.

Your one takeaway

Treat every QR code like a stranger handing you a USB stick. Check for stickers placed over legitimate codes. When in doubt, skip the scan and type the URL yourself.

The code can't hurt you if you don't scan it.

---

Forward this to anyone who pays for parking with their phone. They need to see it.