Getting tattooed or pierced involves a level of trust you extend to very few people. You're in a chair for hours, you're focused on the work, and you've already decided this artist is someone you can rely on. That trust is exactly what QR code scammers exploit.
Tattoo studios and piercing shops are more QR-dependent than almost any other service business. Artists use codes for tips on Cash App and Venmo, portfolio links to Instagram or personal sites, appointment booking pages, downloadable aftercare PDFs, and digital consent forms. Clients scan them without hesitation — the context makes the codes feel official. For a scammer, that's a perfect opening.
Here are the four tattoo parlor QR code scams that appear most often, and how to avoid each one.
1. Tip QR sticker swaps — the highest-risk vector
Most tattoo artists accept tips through Venmo, Cash App, or Zelle, and they display a QR code on a tip envelope at their station or on a sign at the reception desk. These codes are easy targets.
A scammer walks in, places a sticker printed with their own payment QR code directly over the artist's real one, and leaves. The next client who scans it and taps "Send" routes their tip to a fraudulent account. The artist receives nothing and has no way to know until a client asks why the tip didn't show up.
The amounts are small — $20, $40, $60 — which is why many clients don't dispute the charge even when the payee name looks unfamiliar on the confirmation screen. That's by design.
What to do: Always read the payee name on your payment app's screen before confirming. If the name doesn't match the studio's business name or your artist's known username, stop and ask staff to verify. See our guide on Venmo QR code scams and Cash App QR code scams for the full breakdown of this attack.
2. Fake "book your appointment" QR codes on physical flyers
This scam runs outside the studio. A flyer appears on a corkboard at a music venue, barbershop, or clothing store near a popular tattoo district: "Custom flash — [Artist Name] — scan to book." The QR code links to a convincing fake booking page that collects a deposit — typically $50 to $150 — and personal information. The artist has no record of the booking and never receives the money.
The fakes are effective because artists genuinely do post flyers this way, and the booking pages often mirror real platforms like Booksy or StyleSeat closely enough that a quick glance doesn't raise flags.
Key rule: If a flyer asks for a deposit through a link you reached by scanning, verify the domain matches the artist's official site or portfolio before paying. Book directly through the artist's social media bio link instead.
3. Fake aftercare instruction QR codes
Some studios include a small card or sleeve with aftercare supplies — ointment, wrap, soap — that contains a QR code linking to their aftercare guide. Scammers replace these inserts with identical-looking versions where the QR code leads to a credential-harvesting page disguised as a "healing support" or "product registration" form.
The page asks for your name, email, phone number, and sometimes a date of birth to "send personalized healing reminders." That data is harvested and sold or used in follow-on phishing attempts.
What to look for: Legitimate aftercare information doesn't require you to create an account or submit personal details. If a page asks for anything beyond your email for a PDF download, treat it with suspicion.
4. Consent form QR codes at the front desk
Many studios have moved their consent and liability waivers to digital form using services like Google Forms, JotForm, or custom platforms. A QR code at the front desk or on a tablet links clients directly to the form.
Attackers place sticker codes over the real tablet QR or swap a printout near the front desk. The replacement code leads to a phishing page that mimics a waiver form but also asks for login credentials or payment card details — framed as "ID verification" or a "deposit hold" that wasn't part of your original booking.
What to check: Consent forms never require a payment card or login credentials. If a form asks for either, notify the front desk before submitting anything.
What artists can do to protect clients
- Inspect tip and payment QR codes at the start of each day — run a fingertip over the code surface to feel for a raised sticker edge
- Use platform-generated QR codes tied to your verified username rather than third-party QR generators, which create codes that point to generic redirect URLs
- Scan your own studio's codes with QRsafer weekly to confirm they still point to the expected destination
- Post your Venmo or Cash App username in text next to the QR code so clients can verify the payee name before sending
How QRsafer protects clients in the studio
Opening QRsafer takes the same two seconds as opening your camera. Point it at any code — tip envelope, booking flyer, aftercare card, or front desk tablet — before tapping through. It checks the destination URL against threat intelligence databases and returns a clear verdict before anything loads in your browser. A swapped code pointing to a phishing page or a freshly registered scam domain surfaces immediately.
For a look at how this same pattern plays out in other service environments, see our guide on QR code scams at nail salons and spas.
Quick checklist for studio clients
- Tip codes: Read the payee name on the confirmation screen before sending — if it's unfamiliar, ask staff
- Booking links on flyers: Verify the domain before paying any deposit; book directly from the artist's bio link when possible
- Aftercare QR codes: Legitimate guides don't require personal data or account creation
- Consent form tablets: Waivers never ask for payment card details or login credentials
- Any unfamiliar code in the studio: Scan with QRsafer before tapping through
Your artist spent years earning your trust. One quick check with QRsafer makes sure a scammer isn't collecting on it.
Download QRsafer for iOS or Android — scan any QR code safely before you tap.