The four-tap trap: fake QR codes are this summer's fastest-growing travel scam

Quishing (QR-code phishing) rose 146% in the first quarter of 2026, with roughly 18.7 million incidents logged in March alone, according to threat-intelligence figures published in early June. QR codes now turn up in about 12% of all phishing attacks, up from under one percent in 2021. 

The losses are real and growing: in the UK, the national fraud center recorded more than 780 quishing reports and around £3.5 million stolen in a single year, with reports up roughly 14-fold over five years - growth investigators tie to organized crime. 

US regulators have raised the same flag, with the FTC warning consumers about scanned-code scams, and one estimate suggesting more than 26 million Americans have already been sent to a malicious site by a QR code. 

The reason it works is human, not technical: surveys suggest about three-quarters of people scan a code without checking where it leads, and most attacks aim squarely at phones, where a shortened link and a small screen hide the warning signs.

Where the traps are set

The classic move is a fake QR sticker laid over a real one in a busy, trusted spot. Parking meters were the early favourite - the FBI issued an advisory after tampered codes in Austin, San Antonio and Houston quietly redirected drivers to a fake payment page. 

The tactic has since spread to restaurant menus, airport signage, hotel lobbies, parcel labels and even printed letters. The travel-specific version doing the rounds now is the "four-tap scam": 

1. Scan the code
2. Open a convincing page
3. Enter payment details
4. Approve the charge - over before anything feels wrong. 

A parallel wave arrives by email, as fake booking confirmations are polished enough to fool a jet-lagged eye into "verifying" a card or reservation.

Why eSIM travelers are a prime target

Setting up a travel eSIM normally means scanning a QR code from your provider, so the act of scanning to get online feels completely routine, which is exactly what lets a fake one blend in. Two things are worth knowing: 

1. The first goes after your wallet: bogus "free airport WiFi" or "cheap data" codes, fake public-WiFi login pages that harvest your details, and lookalike eSIM websites pushing unrealistic unlimited plans or asking for payment in crypto. If you're not sure who to trust in the first place, it's worth understanding how the review sites you lean on actually pick their winners.
   
2. The second type goes after your phone number: scammers pose as your mobile operator, claim you must "upgrade" to an eSIM or update your KYC details, and try to get you to hand over an activation code or QR. With it, they can move your number onto their own device and intercept the one-time passcodes guarding your bank and email - a SIM swap. 

Police cyber units, including India's, have documented this exact script, where a single shared code handed criminals full control of a victim's banking.

How to spot a fake and stay safe

A few habits stop almost all of this:

• Only ever get an eSIM code from your provider's official app or website, never from a code posted in public or sent to you unprompted.
  
• Before tapping a scanned link, read the URL; if it's misspelled, unfamiliar, or pushing you to hurry, close it.
  
• Treat "free data for a scan" as bait. On any physical code, run a finger over it (a sticker laid on top of the original is one of the most common tells) and if it looks tampered with, report it to venue staff.
  
• And learn the wider playbook for the season: many of the same crews run online shopping and ticket scams around big events, so the instinct to slow down and verify pays off far beyond QR codes.

Protect your number, not just your card

The SIM-swap version is the one that can empty accounts, so guard the number itself. Set a PIN or passphrase on your mobile account so it can't be ported on a phone call. Switch your two-factor codes from SMS to an authenticator app, so a stolen number doesn't unlock your bank. And never read an activation or verification code aloud to someone who called you, a real carrier will never ask you to.

If you think you've been hit

Move fast, in this order:

• Contact your bank to freeze cards and flag the fraud
• Call your carrier if your signal suddenly dies, which can be the first sign of a SIM swap
• Change the passwords on your email and banking; and 
• File a report with the relevant fraud body or local police, plus your embassy if you're abroad. 

Speed matters more than anything here, most of the damage is done in the first hour.

The simplest defense of all

The best fix is to never need a QR code at the airport at all. Buy and install your eSIM from a trusted, tested provider before you leave home; it activates on arrival, so you step off the plane already online, with nothing to scan and no "free WiFi" to chase. 

If you're not sure which to pick, our best travel eSIMs compares the names we've actually tested on price, coverage and speed, and our guide on how to avoid roaming charges covers everything else.