QR Code Scams UK: How to Spot and Avoid Fake Payment Links

Criminals are hiding payment fraud inside QR codes — here's how to tell if one is genuine.

Published 2026-04-21 · Beat the Scam Editorial Team · 6 min read

What is this scam?

A QR code scam happens when a criminal creates a fake QR code or replaces a legitimate one with their own malicious version. When you scan it, the code directs you to a fake website designed to look like a real payment service, bank, or popular app. The fake site then tricks you into entering your login details, card information, or personal data — or it charges you money directly. QR codes are particularly effective for scammers because most people assume they're safe and don't check where they lead. These codes appear in many places: restaurant bills, payment requests in text messages, emails claiming to be from your bank, parking machines, or even printed posters stuck over legitimate codes in public spaces. The scammer profits when you hand over your details, approve a payment, or authorize a transfer.

Warning signs to look for

• The QR code appears in an unexpected message (unsolicited text, email, or social media) asking you to pay or verify your account
• You're asked to scan a code to 'confirm', 'update', or 'unlock' something rather than use the usual official app or website
• The code looks worn, damaged, or has been pasted over another code — a common sign it has been replaced
• Scanning the code takes you to a website with a slightly wrong URL (e.g., 'app1e.com' instead of 'apple.com') or poor design quality
• The page that loads asks for passwords, PIN codes, card details, or one-time codes — genuine businesses rarely ask this via QR codes
• You receive an urgent message claiming a payment failed or your account is locked, with a QR code as the 'solution'
• The code is in a location that seems unusual or temporary (a sticky label, hastily printed poster, or handwritten note)

How this scam works step by step

Step one: The scammer creates or generates a malicious QR code that links to a fake website. They then deploy it through multiple channels — texting you pretending to be your bank, emailing you as a payment reminder, or physically placing it over a real code (for example, on a parking meter or restaurant till). Step two: You receive the message with urgency ('Your payment failed', 'Confirm your account', 'Action required'). Curious or worried, you scan the code using your phone camera or a QR code reader app. Step three: The code takes you to a fake login page or payment form that looks almost identical to the real thing. The page might say it's from your bank, PayPal, Apple Pay, or a retail app. Step four: You enter your details — username and password, card number, CVV, bank login details, or one-time codes sent to your phone. The scammer now has your credentials or has already taken money. Step five: You may not realize the fraud until you notice unauthorized payments or receive a genuine alert from your real bank about suspicious activity.

How to verify if it is genuine

Before scanning any QR code, ask yourself: Did I expect this? Genuine businesses rarely send unsolicited QR codes for payments or urgent account updates. Instead, they use their official apps or direct you to their main website. If you receive a QR code from someone claiming to be your bank, don't scan it — call your bank directly using the number on the back of your card or your statements. Check the website after scanning: Look at the URL in your browser's address bar. Real websites use secure 'https://' and match the official domain exactly (no hyphens, numbers substituted for letters, or slight misspellings). If you're unsure, check our guide on /guides/is-this-website-a-scam/. For payment-related codes, always verify by contacting the company through their official website or phone number — not through any link or code they sent you. Never enter passwords, card details, or one-time codes after scanning a QR code in a message.

What to do if you have already interacted

Act immediately if you've scanned a suspicious QR code. If you only looked at a fake page but didn't enter details, you're likely safe — just close the browser. If you entered your password, go straight to the real website or app and change your password immediately from a trusted device. If you entered card details or authorized a payment, call your bank on the number on the back of your card right away. They can freeze your accounts and cancel any fraudulent transactions — you're protected by UK chargeback rules if you act fast. If you shared a one-time code or confirmed a payment, contact your bank before the scammer can use that code. Don't trust any follow-up messages claiming the problem is solved. Check your bank account and card statements regularly for unauthorized charges over the next 30 days. Consider placing a fraud alert with the three credit reference agencies (Experian, Equifax, Transunion) to protect against identity theft.

Reporting this scam in the UK

Report the scam to Action Fraud immediately — call 0300 123 2040 or use the online reporting tool at actionfraud.police.uk. Have the QR code image and the message it came in ready. If the code arrived via text, forward it to 7726 (spammers) to alert your mobile network. For phishing emails, forward the message to report@phishing.gov.uk, the National Cyber Security Centre's reporting service. Contact your bank's fraud team directly — they need to know which fake website you visited to block similar scams. Report the fake website itself to the Internet Watch Foundation using their online form at iwf.org.uk. If the code appeared in a physical location (restaurant, car park, notice board), alert the venue manager and your local council's trading standards team. Report suspicious QR code-based ads or posts to the platform where you found them (Facebook, Instagram, TikTok, etc.). Keep records of everything: screenshots, the original message, the time and date, and any confirmation numbers from your bank.

Frequently asked questions