Beware the Fake QR Codes: Portugal's GNR Warns of "Quishing" Scams at Restaurants and Parking Meters
The Portugal National Guard (GNR) has issued a public warning about a sophisticated fraud technique targeting everyday mobile phone users, urging residents to exercise extreme caution when scanning QR codes in public spaces—from parking tickets to restaurant menus.
The alert, published on the force's social media channels on Tuesday, March 24, highlights a scam method known as "quishing"—a portmanteau of "QR" and "phishing"—which exploits the ubiquity of quick-response codes to redirect unsuspecting victims to malicious websites or trigger unauthorized payments. The GNR has released a detailed video explainer on their official social media channels demonstrating how this scam works. Residents are encouraged to view this content for practical guidance on identifying fraudulent codes.
Why This Matters
• Financial exposure: Fraudulent QR codes can route payments directly to criminal accounts or install malware that harvests banking credentials.
• Widespread vulnerability: Any publicly displayed QR code—whether on a parking fine, restaurant table, or advertisement poster—can be tampered with.
• Detection difficulty: Even vigilant users struggle to identify fake codes, as they often appear identical to legitimate ones at first glance.
How the Scam Works
According to the GNR's warning, the attack vector is deceptively simple. Criminals print counterfeit QR codes and physically place them over authentic ones in high-traffic locations. Because the technology has become so normalized—appearing on everything from parking meters to restaurant menus and café tables—most people scan without hesitation.
The security bulletin describes two primary attack pathways. In the first scenario, the fraudulent code redirects the victim to a payment gateway controlled by the scammer, where any transaction flows directly into the criminal's account. The second, more insidious variant installs malware onto the victim's smartphone, creating a persistent backdoor for stealing banking app credentials, personal identification numbers, and saved passwords.
The GNR emphasized that this threat isn't confined to digital spaces or email inboxes. "This can happen to you in any everyday situation," the force stated, pointing to parking violation notices and restaurant menus as particularly vulnerable touchpoints. Motorists who receive what appears to be a legitimate fine may scan the code expecting to pay the municipality, only to fund organized fraud networks instead.
Common Attack Surfaces
The GNR specifically identified restaurant and bar QR-based digital menus as high-risk targets. These codes, often printed on laminated cards or stickers affixed to tables, can be swapped out in seconds when staff aren't looking.
Parking enforcement presents another critical vulnerability highlighted in the warning. Municipal fines typically include QR codes for expedited payment, but the physical tickets left on windshields are unsupervised for extended periods, giving criminals ample opportunity to overlay fake codes.
What This Means for Residents
The core defense mechanism requires a behavioral shift: treat every QR code with skepticism, especially those encountered in uncontrolled public settings. The GNR outlined specific precautionary measures residents should adopt immediately.
First, visually inspect the code before scanning. Look for signs of tampering—edges that don't align perfectly, paper that appears recently glued, or texture inconsistencies suggesting a sticker has been placed over an original. If the code seems to have been applied hastily or looks newer than its surroundings, avoid it entirely.
Second, always verify the destination URL before proceeding. Most modern smartphones display a preview of the web address after scanning but before loading the page. Check that the domain matches the expected entity—a municipal government site for parking fines, the restaurant's official domain for menus, or a recognized payment processor for transactions. Be wary of shortened URLs or domains with misspellings designed to mimic legitimate sites.
Third, never enter sensitive information on unfamiliar sites. If a QR code leads to a payment page you don't recognize, or requests more personal data than the transaction reasonably requires, exit immediately and contact the purported organization through verified channels to confirm authenticity.
For parking fines specifically, residents can cross-reference notice numbers with official municipal portals before making payments. Most Portuguese cities allow fine lookup by vehicle registration on their transportation department websites, providing an independent verification layer.
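The second precaution above (checking the previewed address before loading the page), as an added example that is not from the GNR bulletin or this article: a small checker that takes the text decoded from a QR code and flags the warning signs listed there. The expected domain `parking.example`, the shortener list and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed list for illustration; extend it with the shorteners you see locally.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(payload, expected_domains):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "suspicious", ["malformed URL"]
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", ["no host in payload"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not an https link")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' disguises the real host")
    if not host.isascii() or "xn--" in host:
        reasons.append("internationalised host, possible homograph")
    if host in SHORTENERS:
        reasons.append("shortened URL hides the destination")
    # Trusted only if the host is the expected domain or a subdomain of it.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        labels = host.split(".")
        for d in expected_domains:
            # Compare the host's registrable-looking tail with the expected domain.
            tail = ".".join(labels[-len(d.split(".")):])
            if edit_distance(tail, d) <= 2:
                reasons.append(f"misspelling of {d}")
            elif d in host:
                reasons.append(f"{d} embedded in another domain")
        reasons.append("host is not an expected domain")
    return ("suspicious" if reasons else "ok"), reasons
```

A matching domain only confirms where the link points; the visual inspection and the independent lookup of the notice number still apply.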
Additional Precautions
Security experts note that the QR format itself offers no built-in authentication mechanism. Unlike credit cards with chip encryption or websites with HTTPS certificates, a QR code provides no cryptographic proof of legitimacy. It's simply an encoded string of text that can point anywhere its creator chooses.
If you suspect you've encountered a fraudulent QR code, report it to local authorities or contact your bank immediately if you believe you've fallen victim to the scam. Additionally, consider running mobile security software to detect any potentially installed malware.
The security bulletin forms part of the GNR's broader awareness effort as digital payment methods proliferate across Portugal. While QR codes offer genuine convenience and efficiency, their security depends entirely on user vigilance—a responsibility the force emphasized cannot be outsourced to technology alone.
The Portugal Post is an independent news source for English-speaking audiences.