That QR code on the lamppost might be a trap
QR scams are showing up on campuses everywhere: fake flyers, fake parking stickers, fake menus. Here's how the trick works and how to scan safely.
QR codes won. They’re on club flyers, cafe tables, event posters, and payment kiosks, and we all scan them without a second thought. Scammers noticed, and “quishing” (QR phishing) is now one of the fastest-growing scams targeting students in Japan and everywhere else.
The trick is painfully simple: a QR code is just a link you can’t read. You can glance at tuj-events.example.com and feel something’s off, but a QR code gives your eyes nothing to check. Scammers exploit that blindness in three common ways.
The three flavors of QR scam
The sticker overlay. A scammer prints their own QR code on sticker paper and slaps it on top of a real one: on a parking meter, a rental-bike panel, or a restaurant’s table tent. The poster is legitimate; the code no longer is. Before scanning codes in public, run a thumb over it. A code that’s a sticker sitting on top of another code is a giant red flag.
The too-good flyer. “Free concert tickets for students. Scan to claim.” “Part-time job, ¥4,000/hour, flexible shifts.” The flyer exists only to get you to scan, and the code leads to a page that harvests your student login or payment details. The prize never existed. If a flyer’s entire pitch is scan me, be suspicious in proportion to how good the offer sounds.
The fake payment page. You scan to pay for something real, and land on a pixel-perfect copy of PayPay or a credit-card form. The page even shows the right amount. The only thing wrong is where your card number goes. Payment QR codes deserve your slowest, most careful look at the URL before you type anything.
How to scan like a security researcher
None of this means abandoning QR codes. It means adding about four seconds of friction:
- Read the preview. Your camera app shows the destination URL before opening it. Actually read it. Weird domain, shortened link (
bit.ly/...), or a jumble of characters? Don’t open it. - Never log in or pay from a scanned link. If a QR code lands you on a login or payment page, stop. Open the app or type the official site yourself. This single habit defeats nearly every QR scam at once.
- Check for stickers on anything that handles money. Meters, kiosks, shared bikes, donation boxes.
- Treat “scan to get free stuff” as an ad for a scam until someone you trust confirms otherwise.
Spotted one on campus?
Photograph it (don’t scan it), note the context (where and when) and email campus security and us. Last term, a member’s report got a batch of fake “club fair” flyers pulled down within a day. Community-driven protection isn’t a slogan; it’s literally this.
