You're at the ATM or in your bank's lobby — one of the places you trust most with your money. That trust is exactly what ATM QR code scams exploit. By placing fraudulent codes where you'd least question them, attackers turn your familiarity with the environment into a vulnerability.
The three main attack vectors each work a little differently, but they share the same goal: get you onto a fake banking page before you realize something is wrong.
The sticker on the ATM
The most brazen attack is also surprisingly common. A scammer walks up to an ATM and applies a small QR-code sticker to the machine's casing — near the card slot, on the screen surround, or on a strip of instructional text. The sticker might say "Scan here to access mobile banking" or "Security update required — scan to verify your account."
Scan it and you land on a convincing replica of your bank's online-banking login page. Whatever you type — username, password, sometimes even answers to security questions — goes straight to the attacker.
This attack is frequently combined with traditional skimming hardware. If someone has already compromised an ATM, adding a QR sticker costs nothing and captures a second channel of credentials from customers who notice the card reader looks wrong and try "a different way in."
The rule: If a QR code is a sticker affixed anywhere on the physical ATM casing, don't scan it. Banks put QR codes only on their own ATM screens — never as physical labels applied to the machine. If you see a sticker, report it to the bank.
Fake pamphlets in the branch lobby
Bank lobbies hold racks of legitimate pamphlets — loan offers, credit card promotions, fraud-prevention guides. Attackers print high-quality counterfeits and slip them in.
The fake version typically carries urgent language: "Protect your account — new security verification required" or "Update your online banking credentials to avoid service interruption." A prominent QR code leads to a phishing login page. Because the pamphlet is sitting in the bank's own lobby, victims assume it's official.
Watch for pamphlets that look slightly different from the rest of the rack — different paper stock, slightly off branding, no specific product name. Legitimate bank pamphlets are produced in bulk with consistent branding; one-offs stand out on close inspection.
If you're ever uncertain about something you picked up in a branch, hand it to a teller and ask. That takes ten seconds and eliminates all doubt.
Fraudulent mailers from the "fraud department"
This variant arrives at your home: a letter styled to match your bank's stationery, complete with a logo, a reference number, and urgent language about "suspicious activity on your account." A QR code is printed prominently: "Scan immediately to verify your identity and prevent your account from being locked."
The pressure and the official appearance push recipients to scan before thinking. The destination is a phishing page that harvests your online-banking credentials, and sometimes requests your card number and CVV "to verify your identity."
Real bank fraud departments do not ask you to verify credentials via a mailed QR code. When a bank detects suspicious activity, it calls you or sends a secure message inside the bank's own app. Any mailed letter asking you to scan a QR code to log in is a scam — even if the logo looks right.
If you receive a suspicious mailer, call the number on the back of your debit or credit card to confirm whether your bank actually sent it. Do not call any phone number printed in the letter.
How real banks actually use QR codes
Understanding legitimate usage makes fraud easier to spot:
- ATM screens: Some modern ATMs display a QR code on screen to initiate a cardless withdrawal through the bank's official app. The code appears on the ATM's own screen — never as a sticker.
- Marketing materials: Banks use QR codes in branch posters and official mailings to promote apps or products. These link to the App Store or Google Play, or to the bank's own domain. They never ask for credentials.
- Account statements: Some statements include QR codes linking to explanatory videos or the bank's website — not to any login page.
Any QR code that asks you to enter your banking username, password, or card number is a red flag, regardless of how legitimate the surroundings look.
How QRsafer helps at the ATM and in the lobby
QRsafer checks the destination URL of any QR code against live threat-intelligence sources before anything loads. A phishing domain imitating your bank — even one registered last week — shows up in the verdict before you type a single character.
Scan the code with QRsafer first and you'll see Safe, Risky, or Dangerous in seconds. A freshly registered lookalike domain (chase-secure-verify.com, wellsfargo-account-update.net) triggers a warning immediately.
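Why chase-secure-verify.com is not chase.com comes down to how the hostname in the decoded QR payload is compared against the bank's real domain. The Python below is an added example, not QRsafer's code or detection method; the allowlist of bank domains and app-store hosts, the verdict labels, and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example: brand keyword -> the bank's own domains.
OFFICIAL = {
    "chase": {"chase.com"},
    "wellsfargo": {"wellsfargo.com"},
}
APP_STORES = {"apps.apple.com", "play.google.com"}


def on_domain(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(qr_payload):
    """Label a decoded QR payload: official, app-store, lookalike or unknown."""
    try:
        parts = urlsplit(qr_payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return "unknown"
    if parts.scheme != "https" or not host:
        return "unknown"
    if host in APP_STORES:
        return "app-store"
    if any(on_domain(host, d) for ds in OFFICIAL.values() for d in ds):
        return "official"
    # A brand keyword anywhere in the authority (userinfo included) of a URL
    # that is NOT on the bank's domain is the lookalike pattern.
    tokens = set(re.split(r"[.\-@:]", parts.netloc.lower()))
    if tokens & OFFICIAL.keys():
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample payloads; the first two hostnames are the page's examples.
    for url in ("https://chase-secure-verify.com/login",
                "https://wellsfargo-account-update.net/",
                "https://chase.com.secure-login.example/",
                "https://chase.com@evil.example/",
                "https://www.chase.com/digital"):
        print(f"{classify(url):10} {url}")
```

Keyword matching is a heuristic: it says nothing about a phishing domain that avoids the brand name entirely, which is the gap that threat-intelligence lookups cover.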
If you entered credentials before reading this, our guide on what to do after scanning a suspicious QR code walks you through the immediate steps. For scams that specifically target your payment cards, the QR code credit card scam guide covers what to do if card details were submitted.
Quick reference
- ATM sticker QR codes: Never legitimate — report to the bank and use a different machine
- Lobby pamphlets with urgent login prompts: Verify with a teller before scanning anything
- Mailed letters demanding QR verification: Call the number on your card to confirm, never scan first
- Any QR code asking for banking credentials: Don't enter them — real banks never collect credentials this way
Your bank branch feels like one of the safest places you visit. That perception is the scammer's advantage. A two-second check with QRsafer before scanning anything outside an official ATM screen is all the protection you need.
See also
- What to Do If You Scanned a Suspicious QR Code
- Gas Station QR Code Scam
- Bank QR Code Scam
- QR Code Credit Card Scam
- QR Code Threat Map
Download QRsafer for iOS or Android and keep your banking credentials safe everywhere you go.
