ATM QR Code Scam: What It Is and What to Do
You noticed a QR code sticker on an ATM, spotted a pamphlet in your bank's lobby, or received a mailer with a QR code from what looked like your bank — and now you're not sure if it was legitimate. Here's how ATM and bank QR code scams work and exactly what to do if you scanned one.
How ATM and bank QR code scams work
ATMs and bank lobbies feel like secure, trustworthy environments — which is precisely why scammers target them. A QR code in that context carries an implied authority that lowers your guard. Attackers exploit this in three distinct ways.
Sticker QR codes on ATM surfaces. This is the most direct variant. An attacker places a small QR code sticker on or near the ATM — sometimes on the screen surround, sometimes on a posted notice attached to the machine — that redirects to a convincing fake bank-login page. The page is designed to harvest your online banking username and password. In some cases this attack is layered with traditional card-skimming hardware already installed on the ATM, so your card data and credentials can be captured in the same visit. Once you enter your credentials, the attacker has everything needed to drain your account.
Fake bank-lobby pamphlets. Attackers print convincing bank-branded brochures — styled to match the real bank's materials — and leave them in lobby brochure racks, on waiting-area chairs, or near teller windows. These pamphlets contain a QR code directing you to a phishing page styled as your bank's "account security portal" or "new mobile app setup." Because you're already standing inside your bank branch, the material feels completely legitimate. The page asks for your online banking credentials, account number, or even your Social Security number under the guise of "verifying your identity."
Fraudulent mailers impersonating the bank's fraud department. This variant arrives by postal mail. The letter looks like official bank correspondence — logo, branch address, reference number — and claims your account has been flagged for suspicious activity. It tells you to "scan the QR code below to verify your identity and secure your account." The urgency and official appearance push victims to act quickly without scrutinizing the URL. The QR code leads to a fake bank-login page or a form requesting card details, account numbers, and personal information.
For broader context on how scammers impersonate financial institutions, see the bank QR code scam guide.
How real banks use (and don't use) QR codes
Real banks do occasionally use QR codes — on their official mobile apps to link to a feature, on printed marketing materials to direct you to their website, or at official events. But there are clear rules about how they use them:
- Bank QR codes in legitimate materials always point to the bank's own domain (e.g., chase.com, wellsfargo.com) — never a third-party URL or a domain with extra words or hyphens.
- Banks never ask you to scan a QR code to enter your online banking username and password. Login always happens through the bank's official app or website.
- Banks never initiate an urgent security alert via a mailed QR code. If your account is at risk, they call you directly or send a secure in-app message.
- QR codes printed directly into professional bank materials (glossy brochures, official statements) are part of the design — they don't look like afterthoughts or stickers.
If a QR code near an ATM or in bank materials fails any of these checks, treat it as suspicious.
What to do right now
Your response depends on what you did after scanning.
If you only scanned and closed the page without entering anything: Your risk is low. Don't return to the URL. Report the suspicious QR code to bank staff so they can inspect and remove it.
If you entered your online banking username and/or password:
- Call your bank's fraud line immediately using the number on the back of your debit or credit card — not a number found on the suspicious page. Ask them to monitor your account for unauthorized activity.
- Change your online banking password right now from a trusted device. Use a strong, unique password you don't use anywhere else.
- Enable two-factor authentication on your online banking account if it isn't already active. This prevents an attacker who has your password from accessing your account.
- Monitor your account closely over the next 48–72 hours for unauthorized transfers, new payees, or changes to your contact information.
If you entered card details or account numbers:
- Call your card issuer immediately to report the card as potentially compromised. Request a freeze and a replacement card.
- Watch for small test charges — scammers often run a $0–$1 authorization to verify a card is live before making larger purchases or selling the details.
- Place a fraud alert with one of the three major credit bureaus (Equifax, Experian, TransUnion). A fraud alert requires lenders to verify your identity before opening new credit in your name.
In all cases, report the incident to the bank branch directly so they can inspect the ATM or lobby materials, and file a complaint with the FTC at reportfraud.ftc.gov.
For a complete step-by-step recovery guide after any suspicious QR scan, see what to do if you scanned a suspicious QR code.
Frequently asked questions
Do real ATMs or banks ever use QR codes?
Legitimate ATMs almost never require a QR scan to complete a transaction — you use your card and PIN. Some banks do include QR codes on official marketing materials that link to their own website or app, but these are part of the printed design, not stickers, and always point to the bank's own domain. Any QR code that appears to have been added onto an ATM surface, or that leads to an unfamiliar URL, should be treated as a scam.
I scanned a QR code at an ATM and entered my banking login — what should I do?
Call your bank's fraud line immediately using the number on the back of your card. Change your online banking password right now from a trusted device and enable two-factor authentication. Monitor your account for unauthorized activity over the next 72 hours. Notify the bank branch so they can inspect the ATM, and file a report at reportfraud.ftc.gov.
How do I tell a fake ATM QR code sticker from a real one?
Look for physical signs of tampering: raised or uneven edges, a different paper or adhesive texture from the surrounding surface, or slight misalignment with the design. Before entering any credentials, check the URL — it must match your bank's exact domain with no extra hyphens or unfamiliar words. When in doubt, close the browser and contact your bank directly instead of using the QR code.
Check any QR code before it opens your browser
QRsafer previews the destination URL and gives you a Safe, Risky, or Dangerous verdict before your browser loads the page — so you see the domain before you're asked for a password or card number. Free on iOS and Android.