The sticker-swap scam is the most physical attack in the QR world, and the most misunderstood. People assume a good QR platform can defend against it. It cannot, and any vendor claiming otherwise is overselling. The attack happens on paper, in the real world, before any software is involved. Being honest about that is the only way to actually protect people from it.
What is the QR sticker-swap scam?
The sticker-swap scam is when an attacker prints their own QR code and pastes it physically over a legitimate one. The fake code sits on a parking meter, an EV charger, a restaurant table, or a poster, covering the real code underneath. You scan what looks like the official code, but you are scanning the attacker’s sticker, which routes you to their phishing or payment page. Nothing was hacked. A piece of paper was placed over another piece of paper.
How is this different from other QR phishing?
It is different because the attacker controls their own code end to end, rather than tampering with yours. In many quishing attacks the malicious code is delivered by email or on a flyer the attacker made entirely. The sticker swap adds one twist: it borrows the location and trust of a legitimate code by physically covering it. The victim thinks they are scanning the real business’s code. The mechanics after the scan are ordinary phishing — a fake login, a fake payment form — but the delivery exploits a real-world surface you do not control.
Can anti-quishing or a redirect layer stop a sticker swap?
No — no redirect layer, including redireo’s anti-quishing, can stop a physical sticker overlay, and it is important to be blunt about that. Anti-quishing works by checking the destination of a code that routes through your system. A swapped sticker does not route through your system at all. It routes through the attacker’s own short link, on the attacker’s own domain, to the attacker’s own page. Your platform never sees the scan, so it has nothing to check, warn on, or block. The defense a redirect layer provides ends at the edge of the codes you actually control.
What does anti-quishing actually protect, then?
Anti-quishing protects the destination behind a code you own — not the printed surface in the world. That is a real and useful boundary, just a different one. Here is where the line falls:
| Threat | Routes through your platform? | Anti-quishing helps? |
|---|---|---|
| Attacker repoints your live code | Yes (your account) | Yes — reputation check on edit |
| Your redirect domain abused for phishing | Yes (your domain) | Yes — safe interstitial page |
| Malicious destination created in your account | Yes | Yes — check at create time |
| Sticker pasted over your printed code | No — attacker’s own system | No — physical, out of scope |
redireo runs a reputation check on every destination at create and edit time and shows a safe page when a target looks malicious. That stops a compromised account from quietly repointing a live code, and it stops your own redirect domain from being turned into a phishing vector. It does nothing about a sticker, because the sticker never touches your platform.
Why do some vendors imply they can stop it?
Some vendors blur the line because “we stop QR scams” sells better than “we check the destinations of codes you control.” The honest scope is narrower and less marketable, so the temptation is to imply the software reaches into the physical world. It does not. A platform that claims to stop sticker swaps is either misunderstanding the attack or misrepresenting it. When you evaluate anti-quishing features, ask exactly what routes through the vendor’s system — because that is the only thing they can possibly inspect.
How do you actually defend against sticker swaps?
You defend against sticker swaps mostly in the physical world, with a few habits and some operational hygiene. The real controls are:
- Inspect the code before scanning. Look for a sticker layered over another — a raised edge, a bubble, a mismatched finish, or a code that looks freshly applied to an old surface.
- Read the URL preview your phone shows before opening it, and distrust any page that immediately demands a login or payment.
- For code owners, use tamper-evident printing or laminated surfaces, and inspect high-value public codes (payment terminals, chargers, meters) on a schedule.
- Prefer codes printed directly onto the product or fixture rather than applied as a separate sticker, since a sticker over a print is easier to spot than a sticker over a sticker.
None of these live in software. They live on the object and in the scanner’s attention.
What is the one thing to remember?
Remember that the sticker swap is a paper attack with a phishing payload, and paper is not something a redirect can patch. Software can keep the codes you control pointed at safe destinations. It cannot police what someone glues over a printed code in the street. Treat anti-quishing as protection for your destinations, deploy physical controls for your printed surfaces, and teach people to read the URL before they act. Anyone selling you software as a cure for a sticker is selling the wrong thing.