Apple Pay QR Code Scam: What It Is and What to Do
Someone showed you a QR code and told you it was Apple Pay — and now you're not sure whether the payment went somewhere legitimate. Here's the critical fact: real Apple Pay doesn't work that way. You tap, you don't scan. If a QR code was involved, you were most likely looking at a scam. Here's exactly what happened and what to do right now.
How the Apple Pay QR code scam works
Apple Pay is built on NFC (Near Field Communication) — the short-range radio chip in your iPhone and Apple Watch. To pay, you hold your device near a contactless terminal and authenticate with Face ID or Touch ID. No QR code is involved at any point in a legitimate Apple Pay transaction.
Scammers exploit the gap between how Apple Pay works and how most people think it works. Two variants are most common.
1. The "scan to pay with Apple Pay" sticker at a small vendor
At a food truck, market stall, or small shop, a QR code sticker sits near the register with signage that reads "Pay with Apple Pay" or shows the Apple Pay logo alongside a QR code. The branding looks legitimate. When you scan it, the code doesn't open Apple Pay on your phone — it opens a browser tab pointing to a third-party payment page, often a convincing lookalike for a payment processor. You enter your card number directly into a form on that page, and your details go to the scammer, not to the vendor.
The vendor may be completely unaware — the sticker was placed by a stranger who visited the location earlier. This mirrors the mechanics of the gas station QR code scam and EV charger QR code scam, where attackers place sticker codes over legitimate ones at unattended or semi-attended payment points.
2. The phishing QR code that steals your Apple ID
A second, more targeted variant arrives by email or text: a message claiming to be from Apple says there is a billing problem with your Apple Pay wallet and asks you to scan a QR code to verify your payment method. The code leads to a convincing Apple ID login page. When you enter your credentials, the attacker gains access to your Apple account — including Apple Pay, iCloud, and any stored cards or passwords.
Apple will never send you an unsolicited message asking you to scan a QR code to fix your account. If you received one, it was a phishing attempt. This variant is closely related to the Apple ID QR code scam.
Why it works
Apple Pay is trusted. When its logo appears next to a QR code, most people assume the payment will be just as secure as tapping their phone. But the logo is just an image — anyone can put it on a sticker. The QR code itself has nothing to do with Apple's infrastructure. Scanning it hands control to whoever created the code.
The scam is also effective because small businesses genuinely do use QR codes for payments, and customers are increasingly used to scanning before paying. Scammers count on that habitual behavior to bypass suspicion.
What to do right now
Take these steps in order. Speed matters.
- Call your card issuer immediately. If you entered card details on the page you reached via the QR code, call the number on the back of your card right now. Report the number as potentially compromised and ask for a new card to be issued. Your issuer can also flag the account for suspicious transactions.
- Secure your Apple ID. Go to appleid.apple.com and change your password. Review active sessions under Devices and sign out any unrecognized ones. Enable two-factor authentication if it isn't already on. If you entered your Apple ID credentials on the phishing page, do this before the attacker locks you out.
- Check Apple Pay for unauthorized cards or transactions. Open Settings → [your name] → Payment & Shipping. Confirm the cards listed are yours and review recent Apple Pay activity in Wallet.
- Report the page to Apple. Forward phishing emails to reportphishing@apple.com. If you have the URL of the fake payment page, you can also report it to Google Safe Browsing and to the Anti-Phishing Working Group at reportphishing@apwg.org.
- File an FTC complaint. Report the scam at reportfraud.ftc.gov. This creates an official record that helps investigators track patterns.
- Document everything. Screenshot the QR code, the page it led to, and any messages associated with it. You'll need these for your bank dispute and any law enforcement report.
How to protect yourself going forward
The clearest rule: if a QR code at a payment terminal claims to be Apple Pay, don't scan it. Use the actual NFC terminal to tap and pay, or pay with cash. Real Apple Pay never involves scanning a QR code.
- Check for sticker placement. Look closely at any QR code near a payment terminal. If it's a sticker that sits slightly above the surface, or if the edges don't align cleanly with the terminal, it may have been placed over a legitimate code.
- Check the URL before you enter anything. When a QR code opens a browser page, look at the domain in the address bar before typing a single character. A legitimate Apple payment flow resolves inside the Wallet app — it never opens a browser. If you see a browser URL, stop.
- Use QRsafer before you scan. QRsafer inspects the QR code's destination URL for phishing signals and gives you a Safe, Risky, or Dangerous verdict before you interact — so you know what you're opening before it opens.
- Apple never sends unsolicited QR codes. Any message from "Apple" asking you to scan a code to fix your Apple Pay or Apple ID is a phishing attempt. Go directly to appleid.apple.com if you're concerned about your account.
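The "check the URL before you enter anything" rule above, written out as an added example (not part of the original article, and not QRsafer's actual logic): a Python function that takes the text decoded from a QR code and grades the destination. The trusted-domain list, the brand keywords and the sample URLs in the comments are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values for this example: domains the user expects to land on,
# and brand words that should only ever appear on those domains.
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}
BRAND_KEYWORDS = ("apple", "icloud")  # coarse substring match, may over-flag

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_qr_payload(payload, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "dangerous", ["malformed URL"]
    if parts.scheme not in ("http", "https") or not host:
        return "risky", ["not an http(s) link"]
    # Match the host itself or a true subdomain, never a mere prefix:
    # apple.com.pay-verify.example is NOT on apple.com.
    on_trusted = any(host == d or host.endswith("." + d) for d in trusted)
    severe, mild = [], []
    if parts.username is not None:
        # https://apple.com@203.0.113.7/ really goes to 203.0.113.7
        severe.append("text before '@' disguises the real host")
    if _is_ip(host):
        severe.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        severe.append("punycode label, possible lookalike characters")
    if not on_trusted:
        if any(k in host for k in BRAND_KEYWORDS):
            severe.append("brand name on a domain the brand does not own")
        else:
            mild.append("domain is not on the expected list")
    if parts.scheme != "https":
        mild.append("no TLS")
    if severe:
        return "dangerous", severe + mild
    return ("risky", mild) if mild else ("safe", [])
```

A "safe" result only means the host is on the expected list over HTTPS; an unknown merchant domain comes back "risky" so that a person still compares it with the business in front of them.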
Frequently asked questions
Does Apple Pay ever use QR codes?
Almost never. Apple Pay is designed around NFC — you tap your iPhone or Apple Watch near a reader. Apple does not provide a QR-code payment mechanism for merchants. If someone shows you a QR code and says it is Apple Pay, treat it as a red flag. The only legitimate Apple-branded QR codes are for device pairing (AirDrop, HomeKit) — not payments.
What should I do if I entered card details on a page I reached via an "Apple Pay" QR code?
Call your card issuer immediately using the number on the back of your card and report the details as potentially compromised. Ask them to monitor for unauthorized charges or to reissue the card. Also change your Apple ID password and any passwords you entered on that page, since the phishing site may have harvested those credentials too.
How can I tell if a QR code at a small business is safe before I scan it?
Scan it with QRsafer first — it checks the destination URL for phishing signals and gives you a Safe, Risky, or Dangerous verdict before you interact. Also check whether the QR code sticker is neatly integrated with the terminal or looks like it was placed over something. If the destination domain doesn't match the business or a known payment processor, close the browser and pay another way.
