QR Code Scams at Car Dealerships: What Buyers and Service Customers Need to Know

Car transactions involve your Social Security number, bank account details, and tens of thousands of dollars — which is exactly why scammers target dealership QR codes. Here's what to check before you scan.

2026-04-29 · QRsafer Team

You're at a dealership looking at a new car. A placard on the windshield has a QR code: "Scan for financing options." Or you're in the service waiting room and a poster offers a discount on your next oil change — scan to claim it. Or a mailer arrives at home with your name on it: "Exclusive pre-approval offer — scan to apply."

Each of these is a real attack vector. Car transactions are uniquely high-value targets for scammers because they involve Social Security numbers, bank account details, income information, and sums in the tens of thousands of dollars — all collected in a context where sharing sensitive financial information feels expected.

Here are the three variants to know.

Variant 1: Fake financing and payment QR codes on dealership-branded mailers

This is the highest-stakes variant, and the one most likely to result in identity theft rather than just card fraud.

Attackers mail dealership-branded promotional materials — timed to coincide with real model-year changeovers, end-of-quarter sales events, or interest-rate promotions — containing a QR code to "pre-qualify" or "apply for special financing." The mailer uses the dealership's real name and logo, often scraped from public sources, and the QR code leads to a phishing page that convincingly mimics the dealer's finance partner (Capital One Auto Finance, Ally Financial, TD Auto Finance, and similar).

The page asks for your name, address, date of birth, income, Social Security number, and bank account details. To someone in the process of buying a car, this feels entirely normal — that's what a loan application looks like. But the page is controlled by the attacker, and the data goes to them.

The tell: Legitimate dealerships do not send unsolicited mailers with QR codes requesting SSN-level information. If you receive such a mailer, call the dealership directly using a number from their official website to verify the promotion before scanning anything.

Variant 2: Tampered service-department QR codes

The second variant targets existing customers — people who already trust the dealership and are visiting for routine service.

Service waiting rooms are papered with QR codes: check-in portals, customer satisfaction surveys, loaner car requests, amenity menus, Wi-Fi access, and promotional discounts. An attacker can place a sticker QR code over any of these — particularly Wi-Fi signs or customer portal check-in codes — redirecting you to a credential-harvesting page designed to look like the dealership's online service portal.

If you enter your login credentials on that page, the attacker can access your account on the dealer's official platform — which often stores your vehicle details, service history, financing information, and in some cases a payment method saved on file.

QR codes can also appear on physical repair orders. A sticker placed over the legitimate barcode on a service invoice could redirect you to a fake payment portal when you scan to pay your bill.

The tell: If a QR code in a service area leads to a login page and the domain in the address bar doesn't clearly match the dealership's official website, close the browser, ask a service advisor for the correct URL, and navigate there directly.

Variant 3: Fake "dealer invoice" QR codes in business email compromise attacks

The third variant targets buyers who have recently inquired about a vehicle — particularly in high-value transactions.

In business email compromise (BEC) attacks, an attacker who has intercepted or spoofed correspondence between a buyer and a dealership sends a follow-up email that looks like it comes from the dealer's finance or sales department. The email includes a QR code linking to a "final invoice" or "wire transfer confirmation" page, asking the buyer to verify payment details or complete a deposit.

The page mimics the dealer's invoicing system. If the buyer enters banking details or initiates a wire transfer through the fake portal, the funds go to the attacker — and wire transfers are very difficult to reverse.

This variant is less common for average car buyers but is a meaningful risk for high-value purchases, fleet transactions, and commercial vehicle sales.

The tell: Any unexpected email requesting payment or financial verification via a QR code should be verified by calling the dealership directly using a number from their official website — not a number provided in the email.

What to do if you entered financial information on a suspicious page

If you entered your Social Security number or banking details:

  1. Place a free credit freeze with all three bureaus immediately — Equifax, Experian, and TransUnion. This prevents new accounts from being opened in your name.
  2. Contact your bank and flag the account for potential fraud.
  3. File a report with the FTC at reportfraud.ftc.gov and with IC3 at ic3.gov.

If you entered a login and password for a dealer portal:

  1. Reset your password on the dealer's official website immediately.
  2. Enable two-factor authentication if available.
  3. Contact the dealership to review your account for unauthorized activity.

If you initiated a wire transfer or payment:

  1. Contact your bank immediately — the window to reverse a wire transfer is narrow but exists.
  2. File a police report; banks often require this to process a fraud claim.

What to remember at car dealerships

  • Car transactions are high-stakes. A few seconds of scrutiny before scanning any QR code is worth it when SSNs and bank details are involved.
  • Always verify the domain in your browser's address bar after scanning. It should clearly match the dealership's official website or their known finance partner.
  • If a QR code leads to a form requesting your Social Security number, navigate to the dealer's official site directly — don't use the QR code for that step.
  • The same fake-invoice attack that targets dealership buyers also targets small businesses. See our guide on fake invoice QR code scams.
  • If a QR code directs you to a bank or financial institution page, verify it through the guidance on bank QR code scams before entering any credentials.
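The domain check described above can be expressed in code. The following is an added example, not part of the original article and not QRsafer's implementation; `dealer.example` and `finance-partner.example` are constructed placeholders for a dealership's official site and its finance partner, and the sample URLs are constructed as well.

```python
from urllib.parse import urlsplit

# Assumption: constructed placeholder domains standing in for the dealership's
# official website and its known finance partner.
OFFICIAL_DOMAINS = ("dealer.example", "finance-partner.example")


def check_qr_destination(url, official=OFFICIAL_DOMAINS):
    """Classify a URL decoded from a QR code as (verdict, reason)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("suspicious", "malformed URL")
    if parts.scheme != "https":
        return ("suspicious", "not an https link")
    if parts.username is not None:
        # https://dealer.example@other.test/ opens other.test, not the dealer
        return ("suspicious", "text before '@' is not the host")
    if not host:
        return ("suspicious", "no host")
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return ("suspicious", "internationalized host, possible lookalike")
    for domain in official:
        # Exact host or a true subdomain; the leading dot stops
        # "notdealer.example" from passing as "dealer.example".
        if host == domain or host.endswith("." + domain):
            return ("match", domain)
    for domain in official:
        brand = domain.split(".")[0]
        if brand in host:
            return ("suspicious", "brand name on a different domain")
    return ("unknown", "unrelated domain")


if __name__ == "__main__":
    # Constructed sample destinations, as a QR decoder would return them.
    for sample in ("https://service.dealer.example/checkin",
                   "https://dealer.example.login-portal.test/portal",
                   "https://dealer.example@login-portal.test/",
                   "https://notdealer.example/pay"):
        print(sample, "->", check_qr_destination(sample))
```

A "match" verdict only means the host belongs to a domain on the list, so the list itself should be built from the dealership's official website rather than from the mailer, poster, or email that carried the QR code.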

Download QRsafer for iOS or Android and scan any dealership QR code before your browser opens it. Given what's at stake in a car transaction, two seconds of checking is straightforward due diligence.

FAQ

Can a QR code on a dealership mailer be fake?

Yes. Attackers print dealership-branded mailers — often timed to coincide with model-year sales events or financing promotions — containing QR codes that lead to phishing pages mimicking the dealer's finance partner. The pages ask for your name, income, Social Security number, and bank account information under the guise of pre-qualifying for a loan. Legitimate dealers pre-qualify you in person or through their official website; they do not send unsolicited mailers with QR codes asking for SSN-level data. If you receive such a mailer, navigate to the dealership's website directly by typing the URL yourself and confirm the promotion is real before entering any personal information.

What should I do if I entered my SSN or banking details on a page I accessed through a dealership QR code?

Act immediately. First, place a credit freeze with all three major bureaus — Equifax, Experian, and TransUnion — to prevent new accounts from being opened in your name. You can do this for free at each bureau's website. Second, contact your bank and flag the account for potential fraud. Third, file a report with the FTC at reportfraud.ftc.gov and with the Internet Crime Complaint Center (IC3) at ic3.gov. Keep screenshots of the page and the QR code source if possible. The combination of SSN and bank account details is highly valuable to attackers and is often used for identity theft, fraudulent loan applications, and account takeover — so speed matters.

Do real car dealerships use QR codes?

Yes, but in specific, low-risk ways. Dealerships may use QR codes on showroom placards to link to a vehicle's window sticker or CarFax report, in service waiting areas to link to their online check-in portal or amenity menu, and in digital marketing emails to link to a promotion landing page on their official domain. What they do not do is ask you to scan a QR code and then enter your Social Security number, full bank account details, or login credentials to a financing portal — that information is always collected in person with a formal credit application. If a QR code leads to a form requesting that level of data, treat it as suspicious.

Does QRsafer help against car dealership QR code scams?

Yes. Before scanning any QR code at a dealership — on a showroom placard, a service-bay poster, a financing mailer, or an email — scan it with QRsafer first. QRsafer checks the destination URL against threat intelligence databases and flags links to known phishing pages and credential-harvesting portals as Risky or Dangerous before your browser opens them. Given how much financial and personal data is at stake in a car transaction, two seconds of scanning with QRsafer is a straightforward way to verify the destination before you share anything.