How to Find Who’s Behind a QR-Code Scam
A QR-code scam, often called quishing, hides a malicious link inside a square of black-and-white dots that looks completely ordinary. You scan a code on a parking meter, a restaurant table, or a letter in the mail, and instead of the real site you land on a convincing clone that harvests your card number, your login, or your identity. The square of dots gives you nothing to look at, but the scam is not faceless. Behind it sits a registered look-alike domain, a hosting account, a payment processor that ran your card, and the real person who controls the account the money landed in. This guide explains how quishing actually works, what to preserve before the sticker or the site disappears, who to report to, and how the people behind the code get traced lawfully.
The Short Version
If you just scanned a bad QR code, move fast and in order: stop entering anything on the page, but first screenshot the code, the web address it opened, and any payment or login screen, because the clone site and the sticker both vanish quickly. Call your bank or card issuer to flag or reverse the charge and lock the card, since a card payment gives you a real shot at a chargeback. Then report the fraud to the FTC and the FBI Internet Crime Complaint Center, and tell the legitimate business whose code was faked, such as the city parking authority or the restaurant. The square of dots is anonymous, but the scam is not: it runs through a registered look-alike domain, a hosting account, a payment processor, and a real person who controls the destination account. Our investigation team works that human trail lawfully through public records, so your report and any civil claim carry more weight. And never trust a follow-up call or text claiming to refund your money for a fee, because that is the second scam.
Watch: Tracing a QR-Code Scam
What to do first, and the lawful path to finding who is behind it.
Watch Overview
What a QR-Code Scam Actually Is
Quishing hides the destination, so the trick is in where the code really sends you.
A QR code is just a machine-readable address. The square of dots encodes a web link, and your phone opens it the instant you scan, with no chance to read the destination the way you would skim a printed link. That blind spot is the entire scam. In a quishing attack, a criminal replaces or plants a code that points to a clone of a site you trust, then lets your own habits do the rest. You scanned a parking code, so you expect a parking-payment page. You scanned a menu, so you expect to order food. The page that loads looks right, the logo is right, and you type in your card or your password without a second thought. Everything you enter is captured in real time on a server the scammer controls.
The most common version is the sticker swap. Scammers print a durable, weather-resistant sticker carrying their own QR code and paste it directly over the genuine code on a parking meter or pay station, often a near-perfect copy of the city portal or a service like ParkMobile. Consumer reporting has documented these sticker scams on metered parking in Cherry Creek in Denver and across parts of Southern California, and they spread to anywhere people scan to pay. A close cousin shows up on restaurant table tents and menus, redirecting diners to a fake ordering or payment page. The third major variant arrives in your mailbox: a letter or an unsolicited package with a QR code and a reason to scan it, such as a supposed unpaid toll, a tax notice, or a teaser to find out who sent you a gift. Because the page never reveals itself until you have already scanned, the same lawful research used to investigate fraud of any kind starts with one question: where did that code really point, and who registered it?
How to Know You Were Hit
The pattern is consistent. If several of these fit, treat it as quishing.
A Sticker Over a Sticker
The code was a sticker with a raised edge pasted on top of a meter or sign. Genuine codes are usually printed straight onto the surface, not layered.
The Web Address Looks Off
The link that opened was a near-miss of the real one, with an extra word, a different ending, or a hyphen the official site never uses.
It Asked for Too Much
A parking or menu page that suddenly wanted your full card, billing address, login, or a one-time code is harvesting, not charging.
A Code Came in the Mail
A letter or unexpected package told you to scan a code to pay a toll or fee, return an item, or learn who sent a gift. Real agencies do not work this way.
Urgent Pressure to Scan
The code or its message pushed you to act immediately, before your meter expired or a fine grew. Urgency is the lever that stops you checking.
A Charge You Don’t Recognize
A small unfamiliar charge, or a flurry of attempts, appeared after you scanned. That is the harvested card being tested or run.
The First Steps After You Scan
Speed protects both your money and the evidence that identifies the people behind it.
The clone domain and the parking-meter sticker are both designed to be temporary. Hosts take down reported phishing pages, scammers rotate to fresh look-alike domains, and a city worker may peel the fake sticker off by the next morning. So the first job is to lock down your accounts and capture proof in the same hour. The FTC’s consumer guidance is blunt that scammers hide harmful links inside QR codes to steal card numbers and login credentials, which tells you exactly what to assume was taken and what to protect first. You can read that guidance directly at the FTC consumer site.
Stop and Screenshot
Do not enter anything else. Capture the full web address that opened, the payment or login screen, and the physical code or letter. If a sticker is on a meter, photograph it in place before it is removed.
Call Your Bank or Card Issuer
Report the charge, ask to dispute it, and have the card frozen and reissued. A card payment to a clone site has a real chance of a chargeback, so do this before anything else financial.
Secure Any Exposed Logins
If you entered a username and password, change them at once on the real site, turn on two-factor authentication, and watch for one-time codes you did not request.
Report and Warn the Real Business
File with the FTC and the FBI IC3, then alert the legitimate business whose code was faked, such as the city parking authority or restaurant, so they can pull the sticker and warn others.
What to Gather Before You File
A complete report is the one investigators can act on. Assemble this first.
The difference between a complaint that sits in a queue and one that leads somewhere is detail, and with quishing the most valuable detail is the link itself. Before you file, pull the digital trail and the money trail into one folder. On the digital side, save the exact web address the code opened, including everything after the first slash, plus a screenshot of the clone page, the page title, and any email or text the code arrived in. If you can do it safely without re-entering data, note the domain name on its own, because that look-alike domain is the single most useful identifier for tracing the registrant and the host. On the money side, collect the date and amount of any charge, the merchant or descriptor name that appeared on your statement, the last four digits of the card used, and your bank’s dispute or case number. On the physical side, photograph the meter, menu, letter, or package, note the exact location and time, and keep the sticker or mailing if you can remove it without destroying it. Keep one clean, dated folder, because you will reuse it for the FTC, the FBI, your bank, the affected business, and any attorney. The more precisely the look-alike domain, the payment descriptor, and the location are documented, the better the odds that analysts and our investigation team can connect your case to the same operation hitting others.
Where to Report Every Channel
File with each of these. Each one does something the others cannot.
| Where | What It Does | How to Reach |
|---|---|---|
| FTC | The federal intake for consumer fraud. Logs the quishing report for enforcement and gives you an identity-theft recovery plan if data was exposed. | reportfraud.ftc.gov |
| FBI IC3 | Central federal intake for internet crime. Feeds investigations that can link one clone domain to many victims. | ic3.gov |
| Your Bank or Card Issuer | Can dispute and reverse the charge, block the card, and document the money trail leaving your account. | Fraud department, in writing |
| The Faked Business | The real parking authority, restaurant, or toll agency can remove the sticker, flag the clone, and warn others. | Official contact on their real site |
| USPS Inspection Service | Handles QR codes that arrived by mail or in an unsolicited package, where mail-fraud authority applies. | Postal Inspection Service |
| State Attorney General | Adds your case to state-level fraud and consumer-protection actions. | Your state AG consumer division |
Do not skip a channel because you assume one report is too small to matter. Enforcement actions are built from many detailed complaints that let investigators tie a single look-alike domain or payment descriptor to a cluster of victims. Your report, with the exact clone address and the statement descriptor, may be the one that connects the dots. If you want help organizing it all, our guide on how to find a person who scammed you walks through assembling a case file that agencies and attorneys can use.
What Happens After You File
Set realistic expectations so you keep moving instead of waiting.
Filing a federal complaint does not trigger a phone call the next morning. The FTC and the FBI Internet Crime Complaint Center take in enormous volumes of reports and generally do not respond to each one individually; your complaint becomes data that analysts aggregate to connect domains, descriptors, victims, and suspects. Save every confirmation and case number you receive. Your bank’s chargeback process runs on its own clock, often a few weeks, and the strength of that claim depends heavily on how quickly you reported and how clearly you documented the fake page. In the meantime, treat your case as active. Keep your evidence folder current, watch your statements for repeat attempts, and be sharply skeptical of anyone who contacts you first claiming to be from your bank, a government agency, or a refund service that found your money. The cases that go furthest are the ones where the victim kept building the file and pursued the parallel track below: identifying the real people behind the look-alike domain and the account that took the money.
How the Domain and the People Get Traced
Two separate trails. Most safety guides cover neither.
The digital trail. A QR code may be anonymous, but the destination is not built from nothing. The clone lives on a registered domain, sits on a hosting account, and routes payments through a processor or merchant account. The look-alike domain has a registration record, a creation date, name servers, and frequently a contact email or a re-used registrant detail that ties it to other fraudulent sites built by the same crew. The same email, handle, or hosting fingerprint behind one parking clone often turns up behind a whole batch of them. Documenting the exact address, the domain, the page, and the payment descriptor is what turns a vague “I got scammed” into a record investigators can correlate. Our role on this side is supportive: organizing the domain, the link, and the timeline into a usable trail, the same way we approach tracing a contact in our guide on how to find someone by an email address when a registrant or contact email is in hand.
The human trail. This is the lane the prevention articles never touch, and it is where our investigation team fits. Behind the clone domain and the payment page are real people with real footprints: the person who registered the look-alike domain, the operator of the merchant account that ran your card, and above all the money mule whose bank account or processor balance received the funds. Those identifiers, even when names on a page are fake, can be researched lawfully through public records and skip-tracing techniques to surface a real name, address, and associates. That is the same work behind our guides on how to find someone who scammed you and how to identify a scammer by a phone number when the scam included a call-back or text. A named, located individual changes everything: it strengthens your FTC and IC3 reports, gives a prosecutor or an attorney something concrete, and opens the door to a civil claim that a screenshot of a fake page alone cannot support.
What Recovery Realistically Looks Like
Honest odds, and the legitimate paths that exist.
It would be dishonest to promise that your money comes straight back, and anyone who guarantees it is lying. The truth sits between hopeless and easy, and for quishing it tilts more hopeful than many scams, because most victims paid by card. The most direct path is a card chargeback or dispute: because you handed your card details to a clone rather than wiring untraceable funds, your issuer can often reverse the charge, especially when you reported promptly and documented the fake page. Move on that immediately, because dispute windows are not open forever.
A second path is a civil claim against an identified perpetrator, mule, or facilitator, which depends entirely on being able to name and locate a real person and any assets in their name. That is where lawful skip tracing does the heavy lifting, and where a confirmed mailing address becomes essential, the kind of result our guide on how to find someone’s address describes. A third avenue is supporting an active law-enforcement case: a clone domain and payment descriptor tied to your loss can become one node in a larger investigation that ends in enforcement against the operators. None of these is guaranteed, all of them improve with speed and documentation, and several can run at the same time.
If Someone You Know Keeps Scanning
Prevention is part of the response, especially for the people most at risk.
QR codes are everywhere now, which is exactly why they work as bait, and some people are more exposed than others. An older relative who pays for parking by phone, a small-business owner who lets customers scan a code at the counter, or anyone in the habit of scanning first and reading later is a natural target. If someone close to you was hit, lead with help, not blame, because shame is what keeps victims quiet and lets the same operation keep running. Walk through the simple habits that defeat quishing: check whether a code is a sticker layered over another surface, read the web address before entering anything, and never scan a code that arrived by mail or in a package you did not expect. Encourage paying at parking meters and stations by their printed app name or short code rather than a pasted QR, and steer them to the official warnings published by the FTC and the U.S. Postal Inspection Service so the message is not coming from you alone. For a small business, fixing this is also a duty of care, since a sticker slapped over the code at your own register turns your customers into victims and your storefront into the crime scene.
Don’t Get Hit Twice
The refund scam targets people who already lost money. Watch for these.
An Upfront Fee
Any service that wants payment before it returns a cent is a scam. Legitimate help is not pay-to-unlock.
A Guarantee
“We will get all of it back” is impossible to promise. Real outcomes depend on chargebacks, seizures, and the law.
A Call That Found You
An out-of-the-blue caller from your “bank” or “fraud department,” especially one who already knows you were scanned, is a major red flag.
A One-Time Code Request
No real bank or agency asks you to read back a verification code from a text. Handing it over hands over your account.
Remote Access to “Help”
No legitimate firm needs to install software or control your phone or computer to recover a charge.
Another Code to Scan
A “verification” or “refund” QR code sent to fix the first scam is just the original trick, repeated.
How People Locator Skip Tracing Helps
We trace the people behind the code, lawfully, so your case has teeth.
Scan Victims
Identify the person behind the loss
Attorneys
Locate an identified mule or operator
Families
Help a relative who was targeted
Small Businesses
Trace who faked a code at your storefront
Fraud Teams
Tie a clone domain to a real account-holder
Anyone Owed
Find a person before pursuing them
Quishing runs on the same rails as other online fraud, so the people behind it surface through the same lawful research that powers our full-spectrum skip tracing work. Send us what you have, even if it feels like nothing: the look-alike web address, a screenshot of the clone page, the payment descriptor from your statement, an email or phone number the code arrived with, or a name that appeared anywhere in the exchange. We work strictly for lawful, permissible purposes, we never promise a recovery we cannot control, and we tell you honestly what the records can and cannot show. For a legitimate matter, an initial locate typically comes back within 24 hours.
Our Commitment
We do not sell false hope or “guaranteed recovery.” We do the lawful research most services skip: tracing the real people behind the clone domains and payment accounts, so your reports and any civil action carry weight. Honest, permissible-purpose skip tracing since 2004.
Frequently Asked Questions
Can you really find who is behind an anonymous QR code?
Often, yes, because the code is anonymous but its destination is not. The link points to a registered look-alike domain on a hosting account, with payments routed through a processor and a real account-holder. Those identifiers can be researched lawfully through public records and skip tracing to surface the people involved, even when the names shown on the page are fake.
What should I do in the first hour after scanning a bad code?
Stop entering anything, then screenshot the web address, the fake page, and the physical code or letter before they disappear. Call your bank or card issuer to dispute the charge and freeze the card, change any password you entered, and report the fraud to the FTC and the FBI IC3. Then warn the real business whose code was faked.
Where exactly should I report a QR-code scam?
File with the Federal Trade Commission at reportfraud.ftc.gov and with the FBI Internet Crime Complaint Center at ic3.gov. Also notify your bank or card issuer, the legitimate business whose code was faked, and, if the code arrived by mail or in a package, the U.S. Postal Inspection Service. Each channel does something the others cannot.
How do I spot a fake QR code before I scan?
Check whether the code is a sticker with a raised edge pasted over another surface, since genuine codes are usually printed directly onto the meter, sign, or menu. Read the web address before you enter anything, and never scan a code that arrived by mail or in an unexpected package. A page asking for far more than the task needs is a warning sign.
Can I get my money back after a quishing scam?
Sometimes, and your odds are better than with many scams because most victims pay by card. The most direct path is a card chargeback or dispute, which works best when you reported quickly and saved the fake page. A civil claim against an identified person is also possible. Recovery is never guaranteed, but it is far from hopeless.
A QR code came in the mail. Is that always a scam?
Treat it as one until proven otherwise. Federal agencies have warned about letters and unsolicited packages with QR codes that claim an unpaid toll, a tax, a delivery problem, or a mystery gift. Do not scan it. If you think a message could be real, contact the agency or company through a phone number or website you already know is genuine.
What does People Locator Skip Tracing actually do on a case like this?
We work the human trail, not the takedown. Using lawful public-records research and skip tracing, we help identify and locate the real people behind the look-alike domain, the payment account, and any phone or email tied to the scam, producing a named, located individual that strengthens your report and any civil claim. We do not take custody of funds or promise recovery.
Is it too late if the scam happened weeks ago?
Not necessarily. Reporting is still worthwhile, identifying a perpetrator can support a civil claim or an active investigation, and some dispute windows remain open longer than people assume. Acting sooner is always better, but an older case is far from worthless, especially if you saved the link and the payment descriptor.
Related Guides
More ways our investigation team can help.
Scanned a Fake QR Code? Start Tracing.
We trace the real people behind the clone domains and payment accounts, lawfully, so your reports and any civil case carry weight. Contact us to get started.
Start Your Request →