RASIMENE
Blog
Investigation·April 24, 2026·8 min read

The restaurant QR code isn't always what you think.

A sticker placed over the original, and the daily menu becomes a fake payment page. We spent a month observing the phenomenon in Lyon, Paris and Bordeaux. What we learned — and how to stop falling for it.

ME
Mohamed ESSID
Founder — Trasimène

The sticker technique

The method is disarmingly simple. A criminal walks into a restaurant, spots the QR code stands on the tables or at the entrance, and sticks a freshly printed cover sticker on top — with their own QR code. The whole operation takes less than thirty seconds per table.

The fake page that opens is a near-perfect replica of an ordering or payment page: the right logos, the right brand colours, sometimes even the restaurant's name. The customer, convinced they're browsing today's menu, enters their bank card details on a fraudulent website.

In 2025 and early 2026, documented cases were observed in Lyon (Presqu'île, Confluence), Paris (11th and 18th arrondissements) and Bordeaux (Saint-Pierre district). The technique is growing rapidly: according to France's Pharos cybercrime platform, QR code phishing reports rose 340% between 2024 and 2026.

Restaurants that switch to digital menus without physical protection (engraved QR codes, locked holders) are prime targets. Small establishments that self-print their stands on ordinary paper are the most vulnerable.

How to spot it

Before scanning, physically inspect the QR code. Fake stickers are often slightly misaligned, with edges that overlap or a print quality different from the rest of the restaurant's materials.

Use a QR reader that displays the full URL before opening the link. The native iOS Camera app and built-in Android readers generally show the URL — take a moment to read it. Attackers use typosquatting: 'carte-restaurant-lyon.com' instead of the venue's official website.

Be especially wary if the page that opens requests bank card details just to view a menu. No legitimate restaurant gates menu access behind a payment.

If in doubt, ask a staff member directly to show you the menu card or the QR code displayed in their admin interface — not the one on the table stand.

What Trasimène does

Trasimène includes real-time QR code protection. Every URL extracted from a QR code is checked against multiple phishing databases (Google Safe Browsing, Trasimène's proprietary feeds) before the page loads.

If the URL is recognised as suspicious or belongs to a recently registered domain with typical phishing characteristics, the page is blocked and an alert appears — with the option to report the QR code directly from the app.

This protection runs entirely in the background, with no manual action required. You scan as normal; Trasimène checks in silence.

If in doubt, ask the restaurant to show you the QR code on their admin interface or an official document — not the table stand.

Vigilance is still the first line of defence. A quick look before scanning, reading the URL before you type, asking a question when in doubt — these simple habits are enough to defeat the vast majority of QR code attacks. And with the right security app, there's no reason not to automate them.

Trasimène — Mobile security

Protect yourself against QR phishing

Download Trasimène →
Back to blog