Car Wash QR Code Scam: What It Is and What to Do
You pulled into a self-serve bay, scanned the QR code to pay, and the page that opened looked a little off. Here's how scammers target car wash customers at unattended kiosks and through fake membership flyers — and exactly what to do if you already entered your card details.
How the car wash QR code scam works
Unattended car wash kiosks — the pay stations at self-serve bays and automatic tunnels — are prime targets for QR code tampering. Staff rarely inspect them between customers, there are no cameras trained directly on the payment panel, and most patrons are distracted and in a hurry. That combination makes it easy for an attacker to spend thirty seconds placing a small sticker QR code directly over the one printed on the kiosk, then walk away.
When you scan the sticker, instead of opening the car wash operator's payment system, you land on a phishing page designed to look like a generic card payment form. You enter your credit or debit card number, expiration date, and CVV — and the attacker captures all of it in real time while you're standing in the bay waiting for the wash to start (which never does, or which the attacker may allow to proceed through a separate mechanism to delay your suspicion).
The second variant targets customers of high-volume coin-op and express washes. Attackers leave professionally printed flyers on windshields or post them near the entrance advertising a discounted "car wash club" or monthly membership — scan the QR code to lock in the rate. The form that opens collects full card details for what appears to be a recurring subscription. There is no membership; the card is simply charged or sold.
The mechanics closely mirror the gas station pump QR code scam and the EV charger QR code scam: all three exploit unattended outdoor kiosks where the legitimate QR code is easy to cover and rarely verified.
Real car wash payment page vs. phishing page: how to tell them apart
Knowing what a legitimate page looks like is your fastest defense. Take two seconds to check the URL before you tap in a single digit.
Signs of a legitimate car wash payment page:
- The URL matches the car wash operator's brand or a well-known payment processor (e.g., mistercarwash.com, tideycars.com, or a recognizable POS provider)
- The page shows the specific wash type and location you selected — it knows which bay or tunnel you're at
- Payment is processed through a recognizable checkout with a confirmation screen before any charge
- The branding — colors, logo, fonts — matches the signage you see at the actual wash
Red flags on a phishing page:
- A generic or lookalike domain that doesn't match the car wash operator's name
- A plain card form that asks for your number, expiration, and CVV on the very first screen, with no order or location summary
- No mention of which wash package or bay you selected
- Slightly off branding — compressed logo, wrong color, unfamiliar font
- A membership or subscription sign-up form that arrived via an unsolicited flyer rather than the car wash's own app or website
The safest habit: if the QR code takes you somewhere unfamiliar, close the browser and use the physical keypad and card reader on the kiosk instead. Tap-to-pay via your phone's wallet is also safer than a QR-initiated web payment form.
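The URL check above, turned into a kiosk audit an operator could run after decoding each pay station's QR code (an added example, not part of the original article or any operator's real system). The allowlisted hosts, kiosk names and sample URLs are constructed placeholders, and the 0.8 similarity threshold is an assumption.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the hosts this operator really uses for payment (constructed placeholders).
ALLOWED_HOSTS = ("sparklewash.example", "pay.sparklewash.example")


def classify_qr_url(url, allowed=ALLOWED_HOSTS):
    """Return (verdict, reason) for a URL decoded from a kiosk QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https web link"
    if parts.username is not None:
        return "suspicious", "text before '@' is not the real host"
    if host in allowed or any(host.endswith("." + a) for a in allowed):
        return "expected", host
    if not host.isascii() or "xn--" in host:
        return "suspicious", "internationalized host can imitate Latin letters"
    for a in allowed:
        brand = a.split(".")[-2]  # assumes a single-label TLD, e.g. "sparklewash"
        if brand in host:
            return "lookalike", f"brand name inside foreign host {host}"
        if SequenceMatcher(None, host, a).ratio() >= 0.8:
            return "lookalike", f"{host} is a near-miss of {a}"
    return "unrelated", host


def audit_kiosks(readings, allowed=ALLOWED_HOSTS):
    """readings: {kiosk_id: decoded QR text}. Return kiosks needing inspection."""
    flagged = {}
    for kiosk, url in readings.items():
        verdict, reason = classify_qr_url(url, allowed)
        if verdict != "expected":
            flagged[kiosk] = (verdict, reason)
    return flagged


# Constructed sample readings, as decoded by any QR scanner during a walk-round.
SAMPLE = {
    "bay-1": "https://pay.sparklewash.example/bay/1",
    "bay-2": "https://sparkiewash.example/pay",
    "bay-3": "https://sparklewash.example.secure-pay.test/checkout",
    "bay-4": "https://pay.sparklewash.example@checkout.test/",
    "tunnel": "https://quick-pay-portal.test/card",
}

if __name__ == "__main__":
    for kiosk, result in audit_kiosks(SAMPLE).items():
        print(kiosk, *result)
```

Any kiosk the audit flags should be checked by hand for a sticker over the printed code.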
What to do right now
Your response depends on how far you got before you noticed something was wrong.
If you only scanned and didn't enter any payment information: Your risk is low. Close the browser tab and don't return to the page. If you still want a wash, pay at the physical terminal or use the car wash operator's official app.
If you entered your credit or debit card details, act immediately:
- Call your card issuer now. Use the number on the back of your card — not a number from any page you visited. Report the card as potentially compromised and ask them to freeze it and issue a replacement.
- Watch for small test charges. Attackers often run a $0–$1 authorization or a tiny transaction to verify the card is active before selling it or making larger purchases. Dispute any charge you don't recognize, no matter how small.
- Alert the car wash operator. Tell the owner or the number on the kiosk sign what happened. They can inspect the pay station for sticker QR codes and remove them before the next customer is hit.
- File a report with the FTC at reportfraud.ftc.gov. Your report helps the agency track fraud patterns and build enforcement cases.
For a full step-by-step recovery guide after any suspicious QR scan, see what to do if you scanned a suspicious QR code. For detailed advice on card compromise specifically, see QR code credit card scam: what happens and what to do.
Frequently asked questions
How does a fake car wash QR code scam work?
Attackers place a sticker QR code over the legitimate one on a self-serve kiosk. Scanning it opens a phishing payment page that collects your card details instead of connecting to the car wash's actual system. A second variant uses flyers near the wash advertising a fake membership — the sign-up form harvests your card for a recurring charge that goes to the scammer.
What does a legitimate car wash payment page look like versus a phishing page?
A real payment page uses the car wash operator's domain, shows the specific wash and location you selected, and processes through a branded checkout. A phishing page lands on a generic or lookalike domain, presents a bare card form with no order summary, and may have slightly off branding. If the URL doesn't match the car wash name on the signage, close the browser and pay at the physical kiosk instead.
I entered my card info at a car wash QR code — what should I do?
Call your card issuer immediately using the number on the back of your card, report it as potentially compromised, and request a replacement. Watch for small test charges and dispute anything unfamiliar. Alert the car wash operator so they can inspect the kiosk, and file a fraud report with the FTC at reportfraud.ftc.gov.
Check a car wash QR code before you pay
QRsafer scans any QR code and shows you the destination URL with a Safe, Risky, or Dangerous verdict before your browser opens it. Free on iOS and Android — takes two seconds at the kiosk.
