TLDR
The COVID-19 pandemic made QR code menus standard at restaurants worldwide. An estimated 70% of restaurants adopted QR menus during the pandemic, and many kept them permanently. Scammers are exploiting this shift by placing fake QR code stickers over legitimate menu codes, redirecting diners to phishing sites that steal credentials, payment information, and personal data. The FBI has warned about physical QR code scams in public spaces, including restaurants. ScamVerify™ can check any QR code against 74,032 URLhaus malicious domains and 60,758 ThreatFox indicators with the QR scanner.
How Restaurant QR Menus Became a Target
Before 2020, QR codes were a niche technology in the United States. Restaurants used printed menus. The pandemic changed everything overnight. Health guidelines discouraged shared physical objects, and restaurants rushed to adopt contactless QR code menus. Services like Toast, Square, and dozens of QR menu startups made it easy for any restaurant to create a scannable menu.
By 2022, QR code menus were everywhere. By 2026, they remain standard at a majority of restaurants, cafes, bars, and food trucks. Americans became trained to scan a QR code every time they sat down to eat.
This is exactly the behavior scammers exploit. When scanning a QR code at a restaurant feels as natural as opening a physical menu, people stop questioning where the code leads.
How the Restaurant QR Scam Works
The Sticker Overlay Attack
The most common method is straightforward:
- Scammer enters a restaurant during normal business hours
- Scammer places a small QR code sticker on top of the restaurant's legitimate menu QR code (on the table, table tent, or counter placard)
- The sticker's QR code links to a malicious site
- Diners scan the fake code, thinking they are viewing the menu
- The malicious site may request login credentials, display a fake "order ahead" payment form, or install tracking scripts
The replacement takes seconds. A scammer sitting at a table can swap a QR code sticker while appearing to browse their phone. Restaurant staff rarely inspect QR codes during service.
The Fake Wi-Fi QR Code
A variation of the attack uses a QR code labeled "Free Wi-Fi" placed on tables or near the entrance:
- QR code claims to connect diners to the restaurant's Wi-Fi network
- Scanning leads to a captive portal page that requests an email address, phone number, and sometimes credit card "for verification"
- The captured data is used for identity theft or sold
The Fake Payment QR Code
In restaurants that accept QR code payments (particularly common at counter-service and food truck locations):
- Scammer places a fake payment QR code near the register or on the table
- QR code links to a convincing payment page
- Diner enters credit card information to "pay" for their meal
- Payment goes to the scammer, not the restaurant
- Diner may still owe the restaurant for the meal
Why Restaurant QR Scams Are Effective
| Factor | Why It Helps Scammers |
|---|---|
| Trust environment | Diners trust QR codes placed in restaurants they chose to visit |
| Habitual behavior | Post-COVID conditioning means scanning is automatic, not deliberate |
| Low scrutiny | People scan to see a menu, not to access sensitive accounts, so their guard is down |
| Social pressure | Other diners are scanning, the server expects a scan, nobody wants to be the person asking for a "paper menu" |
| Crowded conditions | Dim lighting, busy tables, and conversations distract from URL inspection |
| Time pressure | Diners want to order quickly, not analyze URLs |
The trust factor is the most significant. When you choose to enter a restaurant, you implicitly trust its environment. A QR code on the table benefits from that trust, even though anyone could have placed it there.
Real Warning Signs at Restaurants
What a Legitimate Restaurant QR Code Looks Like
- Printed on the table surface, laminated placard, or professionally produced table tent
- Consistent across all tables (same size, same placement, same material)
- Often includes the restaurant's name or logo alongside the QR code
- May reference a known service (Toast, Square, the restaurant's website domain)
What a Fake QR Code Looks Like
- A sticker placed on top of a printed surface (you can feel the edge)
- Slightly different from QR codes on other tables (different size or placement)
- No branding or context (just a bare QR code with no restaurant name)
- Placed at an odd angle or in an unusual spot on the table
How to Protect Yourself When Dining Out
Before Scanning
- Inspect the QR code physically. Feel the edges. Is it a sticker on top of another surface? Is it printed on the same material as the table tent or placard?
- Compare to other tables. Glance at the QR codes on neighboring tables. Do they look the same?
- Ask the staff. If something looks off, ask your server, "Is this your QR code for the menu?" Staff know what their materials look like.
While Scanning
- Read the URL preview on your phone before tapping. The URL should be the restaurant's domain, a known menu service (like Toast or Square), or a recognizable QR menu platform.
- Check for redirect chains. If the URL looks legitimate but the page that loads is unrelated, close the browser immediately.
- Use the ScamVerify QR scanner. Upload a photo of the QR code for a full threat database check before visiting the link.
Alternative Options
- Ask for a paper or digital menu. Many restaurants still have physical menus available on request.
- Search for the restaurant's menu online. Open your browser and search "[restaurant name] menu" instead of scanning the QR code.
- Use the restaurant's official app. Many chain restaurants have their own apps with menus built in.
What Restaurants Should Do
Restaurant owners can take several steps to protect their customers:
Physical security:
- Use tamper-evident QR code displays (clear plastic covers, engraved codes, or codes printed directly on permanent surfaces)
- Train staff to check QR codes during table setup and throughout service
- Include the restaurant's name and website URL in visible text next to the QR code so diners can verify the destination
Digital security:
- Use a custom short domain for menu QR codes so diners can easily verify the URL
- Monitor for unauthorized changes to QR-linked content
- Keep paper menus available for customers who prefer them
Customer communication:
- Post a sign noting the official menu URL so diners can verify what the QR code should resolve to
- Train servers to address QR code concerns without making customers feel awkward
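One way for staff to check that each table's code resolves to the official menu URL, as an added example that is not part of the original article: it takes URLs already decoded from the QR codes and compares the parsed host against an exact allowlist. The host names, table labels and function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: placeholder hosts standing in for the restaurant's official menu domain.
ALLOWED_HOSTS = {"example-bistro.test", "menu.example-bistro.test"}

def check_qr_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a URL decoded from a table QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        # The real host is whatever follows '@', not the text before it.
        return False, "userinfo present before host"
    if port not in (None, 443):
        return False, "unexpected port"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "non-ASCII or punycode host"
    # Exact match only: a suffix or substring match would accept look-alike hosts.
    if host not in allowed_hosts:
        return False, "host not on allowlist: " + host
    return True, "ok"

def audit_tables(scans, allowed_hosts=ALLOWED_HOSTS):
    """scans maps a table label to its decoded URL; returns the failing tables."""
    failures = {}
    for table, url in scans.items():
        ok, reason = check_qr_url(url, allowed_hosts)
        if not ok:
            failures[table] = reason
    return failures

# Constructed sample data: one URL per table, as decoded during table setup.
SAMPLE_SCANS = {
    "T1": "https://menu.example-bistro.test/dinner",
    "T2": "https://menu.example-bistro.test@pay-portal.test/dinner",
    "T3": "https://menu.example-bistro.test.pay-portal.test/dinner",
    "T4": "http://menu.example-bistro.test/dinner",
    "T5": "https://menu.xn--exmple-bistro-abc.test/dinner",
}

if __name__ == "__main__":
    for table, reason in audit_tables(SAMPLE_SCANS).items():
        print(f"{table}: REPLACE CODE ({reason})")
```

Any table that appears in the output should have its placard pulled and reprinted from the restaurant's own master copy.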
Beyond Menus: Other Restaurant QR Threats
Restaurant QR scams extend beyond fake menus:
| Attack Vector | Location | Goal |
|---|---|---|
| Fake menu QR | Table, table tent | Credential theft, tracking |
| Fake Wi-Fi QR | Entrance, table | Email/phone collection |
| Fake payment QR | Counter, table tent | Credit card theft |
| Fake review QR | Receipt, table tent | Credential harvesting via fake Google/Yelp login |
| Fake loyalty QR | Counter, window | Personal data collection |
Each of these exploits the trust diners place in the restaurant environment. The common thread is physical placement in a context that feels legitimate.
FAQ
How common are restaurant QR code scams?
Exact numbers are difficult to track because many victims do not realize they were scammed at a restaurant specifically. The FBI has issued general warnings about physical QR code scams in public spaces, which explicitly include restaurants. Security researchers have documented cases at restaurants in multiple cities. As QR menus remain standard at the majority of American restaurants, the attack surface is enormous.
Should I stop scanning QR codes at restaurants?
Not necessarily. Most restaurant QR codes are legitimate. The key is to develop the habit of glancing at the URL preview before tapping, checking for sticker overlays, and comparing QR codes to neighboring tables. If anything looks off, ask for a paper menu or search for the menu online instead. Verification takes seconds and becomes automatic with practice.
What should I do if I find a fake QR code at a restaurant?
Alert the restaurant staff immediately so they can remove it and check other tables. Take a photo of the fake QR code for your records. If you scanned it and entered any information, follow the standard steps: contact your bank if you entered payment details, change passwords if you entered credentials, and consider filing a report with local police.
Can restaurant staff tell if their QR codes have been tampered with?
Trained staff can spot tampering by checking for sticker overlays, comparing codes across tables, and verifying that the codes resolve to the expected URL. However, most restaurant workers are not trained in QR code security. This is a gap that restaurant owners should address through staff training and tamper-evident displays.