QRsafer LogoQRsafer
QR Code Scams at Car Rental Companies: What Every Traveler Should Check
← Back to blog

QR Code Scams at Car Rental Companies: What Every Traveler Should Check

Car rental counters, key-return kiosks, and confirmation emails are all places attackers plant fake QR codes. Distracted, time-pressured travelers are the perfect target. Here's what each scam looks like and how to avoid it.

2026-04-21 · QRsafer Team

You land after a long flight, queue at the rental counter, and just want to get on the road. You're tired, you're watching the clock, and when the kiosk flashes a QR code you're told to scan, you scan it.

That split-second, distracted moment is exactly what car rental QR code scams are designed for.

Three distinct attacks circulate in rental environments, and each one exploits the same vulnerability: travelers who are too rushed and too trusting to scrutinize a QR code the way they would in a calmer setting. Here is how each one works.

Fake QR codes on kiosk screens and counter signage

Self-service kiosks are now standard at major rental companies. Attackers have noticed that kiosk screens and printed counter signs — "Scan here to complete your check-in" — are rarely monitored closely.

In documented cases, criminals have placed sticker QR codes over legitimate kiosk displays or counter cards. The replacement routes to a convincing phishing page styled to look like the rental company's payment portal. Victims enter a card number to "confirm" the reservation and hand their details directly to an attacker.

The real check-in process either continues or fails with a vague error — either way, the card data is already gone.

What to do: Look for raised edges or surface inconsistencies before scanning anything on a kiosk. If the URL that appears after scanning does not match the rental company's official domain exactly, close the browser and ask a staff member to complete the process on a verified terminal.

Fraudulent "upgrade your rental" QR codes in email or text

This attack arrives before you even reach the counter.

Scammers send emails or SMS messages mimicking Hertz, Enterprise, National, Budget, or Avis — complete with logos and booking reference numbers scraped from data breaches or phishing kits. The message offers a free upgrade, extra mileage, or a loyalty bonus, accessible by scanning an embedded QR code.

The code routes to a fake upgrade page that asks for card details to "hold" the upgrade or "verify your identity." The upgrade never materializes; the card gets charged or sold.

These messages are timed to arrive shortly after a real booking confirmation, which makes them feel credible. They capitalize on the same excitement and distraction that comes with travel planning.

What to do: Never scan a QR code in an unsolicited upgrade or loyalty email. Go directly to the rental company's app or website and check your reservation there. If an offer exists, it will appear in your account. This mirrors the same advice that applies to airport scams, where lookalike gate-change messages follow the same pattern.

Fake damage-report QR codes asking for card details

A third attack hits you at the end of the trip.

At key-return kiosks or in follow-up emails, fraudulent QR codes appear under messaging like "Complete your damage waiver" or "Verify your vehicle return." The linked page asks for card information to "finalize the transaction" or "authorize a hold for any unreported damage."

Legitimate rental companies finalize charges on the card already on file — they do not ask you to enter a new card number at key return. Any QR code that redirects to a page requesting fresh payment details at this stage is almost certainly fraudulent.

What to do: Review your actual rental agreement for the correct return process. If something feels off, call the company's main customer service line using the number on your confirmation — not a number provided by the suspicious page.

Why this works on travelers

Rental fraud succeeds for the same reasons credit card scam victims describe: the environment feels institutional and trustworthy, the time pressure is real, and the stakes of missing a step feel high. Attackers engineer that pressure deliberately — urgency kills scrutiny.

How QRsafer helps

Before you scan any QR code at a rental counter, kiosk, or in a travel email, run it through QRsafer. The app checks the destination URL against threat intelligence feeds and returns a Safe, Risky, or Dangerous verdict before your browser loads anything. A phishing domain registered last week shows up as dangerous before you have a chance to enter a single digit.

It takes two seconds. That is a reasonable trade-off when your card details and travel plans are on the line.

If you have already scanned something suspicious, the recovery guide covers every step.

Quick checklist for your next rental

  • Counter and kiosk QR codes: Check for sticker edges; verify the URL matches the company's official domain
  • Upgrade emails or texts: Go directly to the app or website — never scan an emailed QR to claim a deal
  • Key-return pages: Your card on file handles the final charge; new payment requests are a red flag
  • Any code: Scan with QRsafer first — same motion, safer result

See also

Download QRsafer for iOS or Android and keep it in your travel routine alongside your boarding pass.

FAQ

Do real car rental companies use QR codes?

Yes — for mobile check-in, loyalty enrollment, and sometimes key-return instructions. The difference is that legitimate rental QR codes always route to the company's own domain (hertz.com, enterprise.com, avis.com, etc.). If the URL after scanning shows an unfamiliar domain or asks for payment information outside the app you already use, treat it as a red flag.

What should I do if I entered my card number on a page I reached through a rental QR code?

Call your bank immediately and report potential fraud. Ask to freeze or replace the card. Your bank can usually begin a chargeback investigation for unauthorized charges. Also change any passwords you may have entered on that page.

How can I tell if a QR code on a rental kiosk is real or tampered?

Inspect the physical code before scanning. A sticker placed over an original code often shows raised edges, a surface that doesn't match the kiosk finish, or slight misalignment. If the URL shown after scanning doesn't match the rental company's official domain, close it and find a staff member.

Can scammers send fake QR codes in what looks like a real rental confirmation email?

Yes. Attackers craft look-alike emails mimicking Hertz, Enterprise, Avis, and other brands, embedding QR codes for fake 'upgrade' offers or account-verification steps. Real rental companies never ask you to scan a QR code to unlock a special offer that wasn't part of your original booking. Go directly to the company's app or website to verify any offer.