Restaurant Scams

QR-Code Phishing in Restaurants — Where It Is Spreading

QR-code menus normalized during the 2020 pandemic and remained in tourist-area restaurants worldwide as a labor-saving measure. They have also become a documented attack vector — counterfeit QR stickers placed over the legitimate menu codes redirect diners to phishing pages, payment-skimmer sites, and credential-harvesting forms. The pattern is documented but largely under-warned.

How the Attack Works

A standard QR menu in a tourist restaurant is a sticker on the table or a card. The sticker links to the restaurant's online menu — a webpage hosted on Toast, Square, OpenMenu, or the restaurant's own site.

The attacker's version: a sticker that looks identical, placed over the legitimate one. The QR encodes a URL to an attacker-controlled site that:

  • Mimics the restaurant's branding closely
  • Presents the menu (sometimes accurately, sometimes a generic copy)
  • At order time, asks for payment information ostensibly to "secure your reservation" or "pre-pay your meal"
  • Or: asks for login to "your loyalty account" with email/password

Since the legitimate restaurant collects payment in person, any QR-menu page asking for online payment is the tell. The traveler typically does not realize until the credit card statement shows fraudulent charges.

Where It Is Documented

Cross-platform forum and news reports as of 2025–2026 document concentration in:

  • **Italian tourist-zone restaurants** — particularly Rome, Florence, Venice, and Naples; Polizia Postale specifically warned about this in 2024
  • **Spanish tourist restaurants** — Barcelona, Madrid, Seville
  • **Greek tourist islands** — Mykonos, Santorini, Crete during peak season
  • **Mexican tourist resorts** — Cancún, Playa del Carmen, Cozumel
  • **Caribbean cruise port restaurants** — particularly in walking distance of cruise terminals

The pattern is concentrated in tourist-facing establishments with high turnover and limited staff oversight of physical menu materials. It has not been widely documented in fine-dining establishments or in non-tourist-zone restaurants.

How to Recognize a Compromised QR

Five signs that the QR you are about to scan may be a counterfeit overlay:

1. **The sticker is on top of another sticker.** The legitimate QR is sometimes printed directly on a card or laminated; a sticker placed on top of that is suspicious.
2. **The destination URL preview is unfamiliar.** Modern phone operating systems (iOS 14+, Android 12+) show the URL before opening. Legitimate restaurant menu URLs typically include the restaurant name or brand. URLs like `bit.ly/menu123`, `qrco.de/...`, or unrelated domains are flags.
3. **The page asks for payment information.** Legitimate QR menus only display the menu; they do not collect payment data. Restaurants charge at the table, with their own POS terminal.
4. **The page asks for login credentials.** Legitimate restaurant menus do not require accounts. Loyalty programs that do require accounts are linked separately, not from the menu QR.
5. **The page looks slightly off.** Generic photos, missing prices, or pricing in unexpected currencies are signs of a generic phishing template applied to your restaurant.

What Reliably Works

Three practices reduce QR-phishing exposure to near zero:

1. **Ask for a paper menu.** Most tourist restaurants still have them on request, even when QR is the default. The paper menu eliminates the attack vector entirely.
2. **Check the URL before tapping.** Modern phones show the URL before opening — read it. If the URL is not obviously the restaurant or a known menu provider, do not tap.
3. **Pay only at the restaurant POS or with your card via your bank's tap-to-pay.** No legitimate restaurant collects payment through a QR-menu page.
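The URL check from "How to Recognize a Compromised QR" and from practice 2 above can be written down as a short triage routine. This is an added example, not code from the article: the function name `triage_qr_url`, the flag strings, and the provider domains in `MENU_PROVIDERS` are assumptions, and the sample URLs in use are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Shorteners named in the article; extend this set for your own use.
SHORTENERS = {"bit.ly", "qrco.de"}
# Assumption: domains of the menu hosts the article names (Toast, Square, OpenMenu).
MENU_PROVIDERS = {"toasttab.com", "square.site", "openmenu.com"}


def _squash(text):
    """Lowercase and keep only letters and digits, for loose brand matching."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_url(url, restaurant_name):
    """Return warning flags for a URL decoded from a menu QR; empty list = none found."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    labels = host.split(".")
    site = ".".join(labels[-2:])  # simplification: ignores suffixes such as co.uk
    brand = _squash(restaurant_name)
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username is not None:
        flags.append("userinfo-before-host")  # text before '@' is not the site
    if _is_ip(host):
        flags.append("ip-address-host")
    if any(label.startswith("xn--") for label in labels):
        flags.append("punycode-lookalike")
    if site in SHORTENERS:
        flags.append("shortener-hides-destination")
    elif site not in MENU_PROVIDERS and not (brand and brand in _squash(site)):
        flags.append("domain-lacks-restaurant-name")
    return flags
```

The brand match looks only at the last two host labels, so a restaurant name placed in a subdomain of an unrelated domain is still flagged. An empty result covers sign 2 only; a page that then asks for payment or a login remains suspect under signs 3 and 4.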

What This Pattern Says About Tourist Restaurant Security Generally

The QR phishing pattern is part of a broader category — tourist restaurants in high-volume zones have systematically weaker oversight of physical materials, staff turnover, and supply-chain integrity than non-tourist establishments. The practical implication: tourist-area restaurants concentrate risk across multiple categories that all reduce when you eat one or two streets away from major attractions. The QR scam is a symptom of the general pattern, not an exception to it.

Editorial note: Travel safety guidance on Before You Go is compiled from government travel advisories, verified news sources, and traveler-submitted incidents. Content is reviewed for accuracy before publication.