QR Code Scams on Public Transit: What Every Commuter Should Know

Buses, subways, and commuter trains are ideal territory for QR code scammers — high-volume, distracted riders scan codes quickly without checking where they go. Here's what to watch for at every point of your commute.

2026-04-30 · QRsafer Team

You scan the QR code on the kiosk to reload your transit card before the train arrives. It's a routine you've done a dozen times. But this time the page looks slightly different — and by the time the train doors close, your card number is in someone else's hands.

Public transit stations and vehicles are among the highest-value environments for QR code scammers. High foot traffic, distracted riders under time pressure, and surfaces that are easy to tamper with and rarely inspected combine to create ideal conditions. The three most common variants target different points in a typical commute.

Variant 1: Tampered fare-payment kiosks and ticket machines

This is the highest-stakes variant because it captures card data at the moment of payment.

Attackers place a sticker QR code over the legitimate payment or reload code on fare kiosks, ticket vending machines, and contactless payment panels. The sticker is printed in the transit authority's colors and style, flush with the machine's surface. In a busy station at rush hour, it looks identical to everything around it.

Scanning it takes you to a page that mimics the transit authority's payment portal — the logo, the layout, the color scheme are all convincing. You enter your card number, expiration, and CVV. The payment page may even display a fake confirmation. Your card data goes to the attacker; your transit balance never changes.

Real transit payment pages always use the authority's official domain — no hyphens, no extra words, no subdomains you haven't seen before. If the address bar shows anything other than the authority's known URL, close the browser immediately.

The tell: The legitimate payment interface for your transit system looks consistent every time you use it. If the fonts, layout, or field labels look different from what you're used to, stop before entering any information.

Variant 2: Sticker QR codes on seat-back cards and in-vehicle signage

The second variant operates inside the vehicle itself and targets riders during the trip rather than at the point of payment.

Buses and commuter trains carry printed "service information" cards, safety notices, and advertising placards — many already include legitimate QR codes for transit apps, Wi-Fi networks, or rider feedback forms. Attackers ride the route and place sticker QR codes over these legitimate codes, or post their own printed cards in areas where official signage appears.

The destination is typically one of two things: a fake Wi-Fi captive portal that asks for an email and password to "activate" free transit Wi-Fi, or a credential-harvesting page disguised as a transit benefit or rewards program sign-up. Either way, the goal is the same — collect credentials that can be tested against other accounts or personal information that enables targeted phishing.

Real transit Wi-Fi never requires the password to one of your existing accounts. If a captive portal asks you to log in with an email and a personal password, close it and use your cellular data.

The tell: Official seat-back cards and in-vehicle signage that include QR codes look consistent across an entire route. A card that looks handmade, is taped rather than mounted, or has a QR code that doesn't match the surrounding graphics is worth treating as suspicious.

Variant 3: Fake transit authority flyers posted in stations

The third variant is broader in scope and operates before you interact with any machine.

Printed flyers appear on community boards, station pillars, and platform walls — or are left on benches and seats — with QR codes advertising things like: "Download our new transit app for real-time alerts," "Claim your commuter tax benefit," or "Register for our rider rewards program." The flyers use real logos, real route names, and real station photography.

The QR code leads to a lookalike page that collects personal information — name, address, email, and sometimes the last four digits of a transit card "for verification" — or directs to a fake app download that installs a credential stealer or adware.

Transit authorities release new apps and programs through official channels: their website, official social media accounts, and announcements in-app. They do not distribute QR codes on unsigned flyers.

The tell: Navigate to the transit authority's official website directly to verify any program or app before providing any information through a flyer QR code.

What to do if you entered information on a suspicious transit QR code page

If you entered payment information:

  1. Call your bank immediately and report the potential compromise. Request a new card number.
  2. Check your recent transactions for small test charges ($0–$2) as well as larger unauthorized purchases.

If you entered a login or password:

  1. Change that password immediately on the affected account.
  2. Change it on every other service where you use the same password.
  3. Enable two-factor authentication on the account.

If you provided personal information:

  1. Be alert for targeted phishing calls, texts, and emails that reference the information you entered.
  2. File a report at reportfraud.ftc.gov and notify your transit authority so they can locate and remove the tampered code.

What to remember on public transit

  • Always pay at official machines using tap-to-pay, physical card, or an app downloaded from the App Store or Google Play — avoid payment QR codes on kiosks whenever an alternative exists.
  • Inspect the physical QR code before scanning: sticker overlays have edges and texture differences that are visible on close inspection.
  • Check the address bar before entering any information: the domain must match your transit authority's known website exactly.
  • The same tampered-sticker attack used on transit kiosks appears at EV charging stations and vending machines — the playbook is identical across any unattended payment terminal.

Download QRsafer for iOS or Android and scan any transit QR code before your browser opens it. Two seconds of preview is all it takes to know whether the destination is safe before your train arrives.

FAQ

Can a QR code on a subway or bus ticket machine be fake?

Yes. Attackers place sticker QR codes over legitimate payment or information codes on fare kiosks and ticket machines — the same technique used at parking meters and EV charging stations. The sticker is printed to match the kiosk's branding and sits flush with the surface, making it difficult to notice unless you physically inspect the panel. Scanning it takes you to a page that looks like the transit authority's payment portal but captures your card details for the attacker. Real transit payment pages use your local authority's official domain (e.g., mta.info, mbta.com, bart.gov) — always check the address bar before entering any payment information.

What should I do if I entered my card details on a transit QR code page that felt wrong?

Contact your bank or card issuer immediately and report the transaction as potentially fraudulent. Request a replacement card number — compromised card data is often tested within hours of collection. Review your recent statement for any charges you don't recognize, including small test transactions ($0–$2) that scammers use to verify a card is live before making larger purchases. File a report at reportfraud.ftc.gov and, if the kiosk was in a specific location, notify the transit authority so they can inspect for tampered codes.

How do I tell a real transit authority QR code from a fake one?

Three checks: (1) Domain — after scanning, the address bar should show the transit authority's official domain with no extra hyphens, misspellings, or unfamiliar subdomains. (2) Physical inspection — legitimate QR codes are printed directly onto signage or inlaid into kiosk screens; sticker overlays often have visible edges, slightly different textures, or alignment that's off from surrounding graphics. (3) Context — real transit agencies direct you to download their official app from the App Store or Google Play; they do not post QR codes on flyers that link directly to payment forms or credential logins.
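
The domain check from this answer and from the kiosk section, written out as an added example (not QRsafer's code and not part of the original page). It classifies a URL decoded from a QR code against an allowlist built from the three example domains named above, and goes slightly beyond the text by also rejecting userinfo and punycode tricks. The verdict names, the https requirement and the `www.` handling are assumptions.

```javascript
// Added example. Allowlist: the three example domains the article names.
const OFFICIAL_DOMAINS = ["mta.info", "mbta.com", "bart.gov"];

// Levenshtein distance, used to flag near-miss spellings.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Strip dots and hyphens so "mta-info" and "mta.info" compare equal.
const squash = (s) => s.replace(/[^a-z0-9]/g, "");

function checkQrUrl(raw, allow = OFFICIAL_DOMAINS) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return { verdict: "reject", reason: "not a URL" };
  }
  if (url.protocol !== "https:") return { verdict: "reject", reason: "not https" };
  // "https://mta.info@host/" carries the trusted name as userinfo, not as the host.
  if (url.username || url.password) return { verdict: "reject", reason: "userinfo before host" };
  const host = url.hostname.replace(/\.$/, ""); // URL() lowercases; drop the root dot
  // Assumption: a leading "www." is treated as the same site.
  if (allow.includes(host.replace(/^www\./, ""))) return { verdict: "official", reason: "exact match" };
  const parent = allow.find((d) => host.endsWith("." + d));
  if (parent) return { verdict: "unfamiliar-subdomain", reason: `subdomain of ${parent}` };
  // URL() converts non-ASCII hostnames to "xn--" punycode labels.
  if (host.split(".").some((label) => label.startsWith("xn--")))
    return { verdict: "reject", reason: "internationalized hostname" };
  for (const d of allow) {
    // Official name embedded in another domain, with or without hyphens.
    if (squash(host).includes(squash(d))) return { verdict: "lookalike", reason: `embeds ${d}` };
    if (editDistance(host, d) <= 2) return { verdict: "lookalike", reason: `near-miss of ${d}` };
  }
  return { verdict: "unknown", reason: "not on the allowlist" };
}
```

Only the `official` verdict means the address matches exactly; every other verdict means stop before entering anything.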

Does QRsafer protect against transit QR code scams?

Yes. Before scanning any QR code at a transit station, whether on a kiosk, on a seat-back card, or on a posted flyer, open QRsafer and scan the code through the app first. QRsafer previews the destination URL and checks it against threat intelligence databases, flagging known phishing pages and fraudulent payment portals as Risky or Dangerous before your browser opens them. In a rush-hour environment where you have seconds to make a decision, a two-second check with QRsafer is the fastest way to know whether a code is safe.