Gas Station QR Code Scam: How Pump Stickers Steal Your Card

Gas station QR code scams place sticker QRs over legitimate pump payment codes to steal your card. Here's how to spot them and what to do if you already paid.

2026-04-13 · QRsafer Team

Gas station QR code scams use a simple attack: place a printed sticker over the legitimate payment QR on the pump, then collect card details from every driver who scans it. The pump still works. The transaction still appears to go through. The page just isn't the real one.

If you already paid through a QR code at a pump and something felt off, jump to the steps below. If you want to understand what's happening and how to protect yourself, start here.

How the scam works at the pump

Gas pumps rely on QR codes for payment initiation, loyalty-account linking, and digital receipts. Attackers target the payment flow specifically.

The setup is fast. An attacker prints a QR code pointing to a fake payment page — styled to match the real processor's branding — and applies it as a sticker over the pump's original code. The swap takes under a minute at an unattended machine.

You scan. Your phone opens a page that looks like the correct payment portal: correct logo, correct colors, familiar field labels. You enter your card number, expiration date, and CVV. The page confirms your "transaction." Meanwhile, your card details were transmitted to an attacker's server the moment you hit submit.

The fake parking meter QR code scam runs the same playbook — pumps are just a higher-volume target because drivers are often rushing and the scan feels routine.

What a tampered pump code looks like

Fake stickers are easy to miss but not impossible to spot.

Physical signs to check before scanning:

  • A slight ridge or raised edge where the sticker sits on top of the pump surface
  • Paper stock that doesn't match the rest of the machine's printed materials
  • Print quality that looks inkjet-produced rather than professionally manufactured
  • A QR code that's slightly off-center or crooked relative to its label frame

None of these are definitive alone. The real tell is the URL your phone shows before you open it.

URL red flags:

  • Random character strings in the domain (e.g., pay-pump-a7k29.com)
  • URL shorteners — no legitimate payment processor routes through bit.ly or tinyurl
  • Domains that don't match the processor brand printed on the pump itself
  • HTTP instead of HTTPS on any page that asks for payment info

Legitimate payment processors — Shell Pay, ExxonMobil Rewards+, GasBuddy Pay, and major card networks — use their own recognizable domains. If the URL doesn't match, don't proceed.
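The URL red flags above, written as a check on the string decoded from a pump QR before anything is opened. This is an added example, not QRsafer's code: the function names, the `examplefuel.example` processor domain and the sample URLs other than pay-pump-a7k29.com are constructed, and the random-string test is a rough heuristic.

```python
import re
from urllib.parse import urlsplit

# Shorteners named on the page; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com"}


def registrable(host):
    """Naive last-two-labels domain (assumption: production code would use the Public Suffix List)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def looks_random(label):
    """Heuristic: a hyphen-separated token of 5+ chars mixing letters and digits, e.g. 'a7k29'."""
    return any(
        len(tok) >= 5 and re.search(r"[a-z]", tok) and re.search(r"\d", tok)
        for tok in label.split("-")
    )


def pump_qr_flags(url, expected_domain):
    """Return the page's URL red flags that apply to a QR-decoded URL."""
    parts = urlsplit(url.strip())
    # .hostname drops any 'user@' prefix, so 'https://brand.example@other.com' resolves to other.com
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    domain = registrable(host)
    if domain in SHORTENERS:
        flags.append("url-shortener")
    if domain != expected_domain.lower():
        flags.append("domain-mismatch")
    if looks_random(domain.split(".")[0]):
        flags.append("random-string-domain")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs; 'examplefuel.example' stands in for the brand printed on the pump.
    for u in ("https://pay.examplefuel.example/pump/7",
              "http://pay-pump-a7k29.com/checkout",
              "https://bit.ly/3xAmPlE",
              "https://pay.examplefuel.example@pay-pump-a7k29.com/"):
        print(u, pump_qr_flags(u, "examplefuel.example"))
```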

What to do if you already paid through a pump QR

Move fast. Stolen card data can be used within minutes.

  1. Call your card issuer now. Use the number on the back of your physical card — not a number from a search. Tell them you may have entered card information on a fraudulent site and ask for the card to be flagged and replaced.
  2. Check your statements in real time. Don't wait for your monthly cycle. Open your banking app now and scan for any charges you don't recognize — including small test transactions under a dollar.
  3. File a report with the FTC. Go to reportfraud.ftc.gov and document what happened. This creates a record for dispute resolution.
  4. Watch for follow-on phishing. If you also entered your email, expect targeted phishing messages in the days that follow.

For a complete recovery checklist, see what to do if you scanned a suspicious QR code.

Why pump scams are especially effective

Gas station attacks succeed because of context. You're standing outside, often in a hurry, with other drivers waiting. The scan feels like a 10-second detour, not a decision that warrants scrutiny.

Pumps are also unattended — no employee is present when the swap happens, and no one monitors the physical machine throughout a shift. A fake sticker can collect card data from dozens of drivers before a technician notices and removes it.

Understanding what happens if you scan a fake QR code makes the risk concrete: you're not downloading malware through the code itself. You're being routed to a page designed to harvest data you voluntarily type in. The defense is checking the URL before you type anything — or running the code through QRsafer before your browser opens it at all.

How QRsafer stops the scam before you pay

QRsafer checks the destination URL against multiple threat intelligence databases before your browser opens it. Scan any pump QR with QRsafer and it returns a Safe, Risky, or Dangerous verdict in seconds.

If the sticker code points to a known phishing domain or a freshly registered lookalike page, you'll see the Dangerous verdict before you enter a digit. The QR code credit card scam pattern — fake page, real-looking fields, instant data harvest — is one of the most common scenarios QRsafer is built to catch.

The free tier uses Google Web Risk and covers the majority of known fraud domains. Premium runs every scan through five security engines simultaneously, which matters when attackers spin up fresh infrastructure that a single database hasn't catalogued yet.

Quick checklist at the pump

  • Inspect before scanning: Look for sticker edges, mismatched paper, or off-center codes
  • Read the URL first: Your phone shows the destination before you open it — check it
  • Verify the domain: Match it to the payment processor branded on the pump
  • Scan with QRsafer: Takes the same two seconds as your camera app, catches what eyes miss
  • Already paid? Call your card issuer immediately — don't wait to see if a charge appears

Gas station QR code scams work because the pump looks normal and the moment feels routine. A two-second check before you scan breaks the attack entirely.

Download QRsafer for iOS or Android and verify pump QR codes before your card number goes anywhere.

FAQ

Are gas station QR code scams common?

They're growing. Gas pumps combine unattended kiosks, payment urgency, and minimal oversight — the same conditions that make parking meters a top target. Attackers place printed QR stickers over the pump's legitimate payment code and collect card details from every driver who scans without checking the URL first.

How do I tell if a gas station QR code is real or a scam?

Look for a sticker sitting on top of the original pump surface. Fake codes often have slightly raised edges, different paper stock, or print quality that doesn't match the rest of the machine. Before entering any card info, read the URL your phone shows you before opening it — it should match the pump's known payment processor, not a random or unfamiliar domain.

What should I do if I paid using a fake gas station QR code?

Call your card issuer immediately and report the card as potentially compromised. Request a new card number, monitor your statements for unauthorized charges starting right now, and file a report with the FTC at reportfraud.ftc.gov. Act quickly — card-not-present fraud can begin within minutes of a data breach.

Does QRsafer work at gas stations?

Yes. Scan any pump QR code with QRsafer before tapping through and it checks the destination URL against multiple threat intelligence databases. If the code points to a phishing domain or suspicious redirect, you'll see a Dangerous verdict before your browser opens — and before you enter a single digit of card information.