Are Restaurant Menu QR Codes Safe? What to Check Before You Scan
Restaurant menu QR codes are usually safe — but they are a well-known quishing target. The attack pattern is consistent: someone walks in, sticks a malicious QR code over the real one on the menu or table, and walks out. Every customer who scans for the next few hours hits a fake page. The FTC has issued consumer alerts on exactly this pattern (FTC Consumer Advice, 2023), and NBC News reporting on quishing in 2025 documented stickered-code fraud across restaurants, parking, and retail (NBC News, 2025). A 5-second visual check plus a URL preview defeats almost every real-world variation.
Why restaurants are a quishing target
Restaurants are good targets for opportunistic QR fraud because:
- The QR codes are physically reachable for hours at a time.
- Customers expect to scan and pay through the code, so a payment prompt does not feel suspicious.
- Restaurants are not security organizations — staff have no incentive or training to inspect every table.
- One sticker can compromise dozens of victims before anyone notices.
What restaurant QR scams typically do
Documented patterns in FTC and consumer-news reporting include (FTC Consumer Advice, 2023; NBC News, 2025):
- Fake ordering or payment pages mimicking the restaurant's own checkout. The customer pays, the restaurant never receives the order, and the card details go to the attacker. This is the same template used in the Austin and San Antonio parking-meter QR sticker scam, where a fraudulent “passportlab.xyz” payment page captured cards (FOX 7 Austin, 2022).
- Coupon, loyalty, or rewards sign-up pages that harvest name, phone number, email, and birthdate for downstream identity-fraud kits and credential stuffing.
- Fake review or feedback prompts that ask for a Google or social login, capturing those credentials directly.
How to scan a restaurant QR code safely
- Inspect the code physically. Run a fingernail across the edge — a sticker has a raised edge a printed code does not. Check whether the code is glued to a separate card vs. printed on the menu itself.
- Preview the URL with your camera before tapping. Both iOS Camera and Android Google Lens show the destination URL.
- Check the domain. It should be the restaurant's own domain, or a recognizable hospitality platform: toasttab.com, square.site, bbot.menu, slicelife.com, popmenu.com, untappd.com (for bars), and so on. Generic free hosting (rf.gd, glitch.me, .pages.dev with random subdomains) is a red flag.
- If anything looks off, run the code through Is This QR Safe? before opening. Or ask the server for a paper menu — restaurants always have one.
- Pay through the page only if the domain checks out. If the page asks for a credit card on a domain you do not recognize, pay at the counter instead.
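The domain check from the steps above, written out as code. This is an added example, not part of the original article: it compares the host in a previewed URL against the platform and free-hosting domains the article names, matching on whole domain labels so a lookalike host does not pass. The function name `check_menu_url`, the https requirement, the "@" check and the sample domain `joes-diner.example` are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Domains named in the article above.
KNOWN_PLATFORMS = {"toasttab.com", "square.site", "bbot.menu",
                   "slicelife.com", "popmenu.com", "untappd.com"}
FREE_HOSTING = {"rf.gd", "glitch.me", "pages.dev"}


def _under(host, domain):
    """True if host is the domain itself or a subdomain, on a label boundary."""
    return host == domain or host.endswith("." + domain)


def check_menu_url(url, restaurant_domain=None):
    """Return (verdict, reason); verdict is 'ok', 'red_flag' or 'unrecognized'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "red_flag", "URL does not parse"
    # Assumption added here: ordering and payment pages should be https.
    if parts.scheme != "https":
        return "red_flag", "not an https link"
    if not host:
        return "red_flag", "no hostname"
    if parts.username is not None:
        # Anything before '@' is not the host; the browser opens what follows it.
        return "red_flag", "text before '@' hides the real host " + host
    for domain in FREE_HOSTING:
        if _under(host, domain):
            return "red_flag", "generic free hosting: " + domain
    trusted = set(KNOWN_PLATFORMS)
    if restaurant_domain:
        trusted.add(restaurant_domain.lower())
    for domain in trusted:
        if _under(host, domain):
            return "ok", "matches " + domain
    return "unrecognized", host + " is not the restaurant or a listed platform"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real incident.
    for sample in ("https://order.toasttab.com/menu",
                   "https://toasttab.com.menu-pay.example/checkout",
                   "https://toasttab.com@menu-pay.example/"):
        print(sample, "->", check_menu_url(sample))
```

An "unrecognized" verdict is not proof of fraud; it is the case where the article's advice is to ask for a paper menu or pay at the counter.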
If you already entered card details on a fake menu
- Call your card issuer immediately and freeze the card.
- Dispute any pending charges.
- Tell the restaurant — they likely do not know there is a sticker, and other customers are probably hitting the same page right now.
- Watch the card statement for 30 days. Quishing crews often hold a captured card for a few days before testing it on small charges.
Frequently asked questions
- Should I avoid restaurant QR menus entirely?
- No, the vast majority of restaurant menu QR codes are legitimate. The risk is specifically tampered codes — usually a sticker placed over the real one. A 5-second visual check plus a URL preview defeats nearly all real-world tampering.
- What does a tampered restaurant QR code look like?
- It is almost always a sticker. Look for a code that sits proud of the surface, peeling corners, codes glued to a separate card, or a code that does not match the printing style of the rest of the menu. The same sticker-overlay technique was documented on parking pay stations in Austin and San Antonio in 2021–2022, where the fake codes pointed to a fraudulent passportlab.xyz payment site.
- Is it safe to enter my credit card on a restaurant QR menu?
- Only if you can verify the domain matches the restaurant or its known ordering provider (Toast, Square, Bbot, Slice, etc.). If the page asks for card details on a domain you do not recognize, do not enter them — pay at the counter instead.
Sources
- FTC Consumer Advice — Scammers hide harmful links in QR codes to steal your information (2023).
- NBC News — "Quishing" scams dupe millions of Americans as cybercriminals exploit QR codes (2025).
- CNBC — "Quishing" scams dupe millions of Americans as cybercriminals turn the QR code bad (2025).
- FOX 7 Austin — Fraudulent QR code stickers found on 29 Austin public parking meters (2022).