Faith communities are built on trust — and that's exactly why scammers target them.
A QR code scam at church doesn't require sophisticated technology. All an attacker needs is a printed sticker, a few minutes, and a congregation whose guard is down because they're somewhere they've always felt safe. The result can be stolen donations, compromised payment details, and real harm to members who were simply trying to give.
This guide covers how these scams work, how to verify any church QR code, and what church administrators can do to protect their communities.
1. Fake donation QR codes on pew cards and bulletin inserts
Many churches now include a QR code on the weekly bulletin or on laminated cards in the pew rack so members can give digitally. Attackers exploit this by slipping counterfeit inserts into the stack or placing stickers over the printed code.
The destination page is usually a pixel-perfect clone of the church's real giving page — same name, same logo, sometimes even the same amount-selection buttons. The only difference is that the payment goes to an attacker's account.
Because members expect to see a giving QR code in the pew, they rarely look twice.
What to do: Before scanning any giving code from a physical card or bulletin, check the URL your phone's camera preview displays. It should match the domain you know your church uses for donations — typically a platform like Tithely, Pushpay, Breeze, or the church's own website. If the domain looks unfamiliar or includes a string of random characters, show it to a staff member before proceeding.
2. Fraudulent event-registration codes
Church lobbies and community boards often display flyers for upcoming events, mission trips, or small-group sign-ups — each with a QR code to register or pay a deposit. Attackers add similar-looking flyers to the same display, or slip them into the bulletin rack.
The scam usually targets events with a payment component: mission trip deposits, conference tickets, or retreat fees. Once you've entered your card details on the fake registration page, the attacker has your payment information and no event booking exists.
What to do: For any event that involves a payment, confirm the registration link directly with the event organizer or church office before scanning. A staff member can tell you in 30 seconds whether the flyer is legitimate.
3. Tampered screens and projected codes
Some churches project giving QR codes on the auditorium screen during the offering, or display them on a lobby TV. This vector is less common but possible: an attacker who gains brief access to a display device or its source can substitute their own code.
The tell is the URL. A projected giving code should resolve to a domain your church actually uses. If a member scans the screen code and reaches an unfamiliar page, they should alert the AV team immediately — other members may be scanning at the same moment.
How to verify a church QR code with staff
The simplest protection is a 30-second confirmation:
- Show the code to a staff member, usher, or treasurer and ask, "Is this our official giving code?"
- Ask what URL the giving page is at, then compare it with what your phone's browser shows after scanning.
- If you're donating online later from home, go directly to the church's website rather than scanning a physical code.
Guidance for church administrators
If you manage communications or technology for a faith community, a few low-cost steps reduce your members' exposure significantly:
- Print the URL next to every QR code so members can verify the destination without needing a staff member nearby.
- Inspect physical codes before each service — run your finger across them to feel for sticker layers.
- Use a branded short link (e.g., give.yourcongregation.org) so the expected domain is familiar and easy to verify.
- Brief members periodically on what your official giving URL looks like — a single announcement once a quarter costs nothing.
- Notify your congregation immediately if you discover a tampered code, and explain how to check accounts.
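The pre-service inspection can also include scanning each printed or projected code and checking the decoded link against the official giving domain. The Python sketch below is an added example, not QRsafer's code; it assumes the code has already been decoded to text, uses the placeholder domain give.yourcongregation.org from this guide as the only official host, and runs on constructed sample payloads.

```python
from urllib.parse import urlsplit

# Assumption: the congregation's official giving host(s). The name below is the
# placeholder used in this guide; replace it with your real giving domain.
OFFICIAL_HOSTS = frozenset({"give.yourcongregation.org"})


def check_qr_payload(payload, official_hosts=OFFICIAL_HOSTS):
    """Return (ok, reason) for the text decoded from one QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https"
    if parts.username is not None or parts.password is not None:
        return False, "URL embeds credentials before the host (user@host form)"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    if host not in official_hosts:  # exact match, so longer lookalike hosts fail
        if host.startswith("xn--") or ".xn--" in host:
            return False, f"punycode host {host!r} may display as a lookalike name"
        return False, f"host {host!r} is not an official giving domain"
    return True, f"host {host!r} matches the official giving domain"


# Constructed sample payloads, as if read off codes during an inspection.
SAMPLES = [
    "https://give.yourcongregation.org/offering",
    "http://give.yourcongregation.org/offering",
    "https://give.yourcongregation.org.pay-portal.example/offering",
    "https://give.yourcongregation.org@pay-portal.example/offering",
    "https://xn--giv-example.example/offering",
]


def audit(payloads):
    """Check every payload and return (payload, ok, reason) tuples."""
    return [(p, *check_qr_payload(p)) for p in payloads]


if __name__ == "__main__":
    for payload, ok, reason in audit(SAMPLES):
        print("OK  " if ok else "FAIL", payload, "-", reason)
```

Only the first sample passes. The others fail even though the official name appears somewhere in three of them, which is why the comparison is on the exact host and not on whether the link text contains the church's domain.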
How QRsafer helps
Before tapping through any church QR code, open QRsafer and scan the code there instead of with your camera app. QRsafer checks the destination URL against threat intelligence databases and returns a Safe, Risky, or Dangerous verdict before anything loads in your browser.
A cloned giving page on a freshly registered domain shows up as Risky or Dangerous — before you've entered a single digit of your card number.
For a broader look at how charity-related QR scams work beyond faith communities, see our guide to fake charity QR code scams. And if you've already scanned something that seemed off, here's what happens when you scan a fake QR code and what to do next.
Quick checklist for churchgoers
- Bulletin or pew card code: Check the URL before tapping — confirm it matches your church's giving platform
- Event flyer code: Ask a staff member to verify before any payment
- Screen/projected code: Check the URL; report anything unfamiliar to the AV team immediately
- Any code: Scan with QRsafer first for a Safe / Risky / Dangerous verdict in seconds
Scammers count on the fact that church feels like home. A two-second check costs nothing — and protects both your donation and your data.
See also
- What to Do If You Scanned a Suspicious QR Code
- Charity QR Code Scam
- IRS QR Code Scam
- What Happens If You Scan a Fake QR Code?
- QR Code Threat Map
Download QRsafer for iOS or Android and bring it to every service.
