Fake Invoice QR Code Scam: What It Is and What to Do

An invoice arrived — from what looks like a real vendor — with a QR code where the payment details should be. Before you scan: this is a known fraud technique used against businesses of every size. Here's how it works and what to do if a payment already went through.

Why attackers put QR codes on invoices

A bank account number printed in plain text is easy to scrutinize — employees can notice if a routing number looks different from last month. A QR code is opaque. You can't read it; you can only scan it. Attackers use that opacity to redirect payments to accounts they control without the discrepancy being visible at a glance.

This approach is a variant of business email compromise (BEC) — one of the costliest fraud categories tracked by the FBI. In traditional BEC, an attacker changes a bank account number in a spoofed invoice. In the QR code variant, there is no number to check at all. The code simply opens a payment portal controlled by the attacker, styled to look like the vendor's own payment page.

The two most common variants

The spoofed vendor invoice is the higher-value attack. The attacker monitors email communication between two businesses — often by compromising one party's email account or by registering a near-identical domain — and inserts themselves into an ongoing transaction. When a real invoice is expected, the attacker sends a lookalike with a QR code substituted for the normal payment instructions. Because the project name, invoice number, and dollar amount are all correct, the employee processing accounts payable has no obvious reason to question it.

The fake utility or service bill targets businesses rather than consumers. A mailed or emailed bill arrives claiming to be from a phone carrier, internet provider, cleaning service, or other routine vendor. The bill includes a QR code labeled "Pay Online" or "Scan to Pay." Small businesses that lack a dedicated finance team — and where one person handles everything from operations to bill payment — are the primary targets. The relatively small amounts ($200–$2,000) make employees less likely to escalate for approval.

The rule that stops this attack

Never verify payment details using the invoice itself. If an invoice arrives with a new payment method — a QR code, a new bank account, a new payment portal URL — treat that as a red flag and verify through a separate channel before paying. Call the vendor using a phone number from a previous invoice, your own contact book, or their official website. Do not use a number printed on the suspicious invoice.

For recurring vendors, the appearance of a QR code where there was previously a bank account number should prompt a direct phone call — not just a reply email, since the attacker controls the email thread.

If you received a suspicious invoice:

  1. Do not scan the QR code. Use QRsafer to check the destination URL first, or hold the payment until you can verify with the vendor directly.
  2. Call the vendor through a verified number. Confirm whether they sent the invoice and whether the QR code payment method is legitimate.
  3. Check the sender's email domain carefully. Look for character substitutions: vendorcorp.com vs. vendor-corp.com, or a domain that replaces a letter with a number.
  4. Flag it internally. Alert your finance team or manager so the invoice is held pending verification.
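A small Python check, added here as an illustration and not part of the original article, that automates steps 1 and 3 above: it flags a sender domain that is a hyphenated, digit-substituted or one-character-off variant of a known vendor, and tests whether a decoded QR payload actually lands on the vendor's own domain. The vendor allowlist and sample addresses are constructed, and the QR payload is assumed to have already been decoded to a string by whatever scanner you use.

```python
from urllib.parse import urlparse

# Constructed allowlist: vendor domains accounts payable has verified out of band.
KNOWN_VENDOR_DOMAINS = {"vendorcorp.com", "acme-cleaning.example"}

# Digit-for-letter swaps that make a lookalike domain read like the real one.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _normalize(domain: str) -> str:
    """Lowercase, undo digit substitutions and drop inserted hyphens."""
    return domain.lower().translate(_HOMOGLYPHS).replace("-", "")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row dynamic program)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for an email address or domain."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    norm = _normalize(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        # Equal after normalization, or one edit away (vendorcorp.co, vendorcrop.com)
        if _edit_distance(norm, _normalize(known)) <= 1:
            return "lookalike"
    return "unknown"


def qr_destination_matches_vendor(qr_payload: str, vendor_domain: str) -> bool:
    """True only if the decoded QR URL lands on the vendor's own domain."""
    parsed = urlparse(qr_payload.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host, vendor = parsed.hostname.lower(), vendor_domain.lower()
    # Reject "vendorcorp.com.pay-portal.example": the vendor name is only a prefix.
    return host == vendor or host.endswith("." + vendor)
```

A "lookalike" or "unknown" result, or a QR destination that fails the vendor check, is the cue to hold the payment and make the phone call in step 2.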

What to do if you already paid

Speed matters. Wire transfers can sometimes be recalled within hours; ACH payments have a longer window.

  1. Call your bank's fraud line immediately. Ask for a wire recall or ACH reversal. Provide the payment amount, destination account, and transaction date. Recovery is not guaranteed but is most likely in the first few hours.
  2. File a report with the FBI IC3. Go to ic3.gov. BEC fraud has a dedicated recovery team at the FBI — the IC3 Financial Fraud Kill Chain can sometimes claw back international wire transfers if the report is filed quickly enough.
  3. Notify the real vendor. They may be unaware their identity was spoofed and should alert their other clients.
  4. Report to the FTC at reportfraud.ftc.gov and to your state attorney general's office.
  5. Contact your business insurance carrier. Many commercial policies include crime coverage for BEC losses — document everything before memories and evidence fade.

This same playbook — QR codes substituted for verifiable payment details — appears in utility company QR code scams targeting households and in bank QR code scams targeting individuals. In every case the defense is the same: verify payment changes through a separate, trusted channel before funds move.

Frequently asked questions

How can I tell if an invoice QR code is fake?

Watch for three red flags: the sender's email domain is slightly wrong (one character off), a QR code replaces the bank account details you'd normally see in plain text, and the invoice creates urgency to pay immediately. Legitimate vendors you have an established relationship with don't switch to QR-code payments without a phone call. When in doubt, call the vendor using a number from a previous invoice or their official website — not any contact info on the suspicious document.

What is business email compromise (BEC) and how does it use QR codes?

BEC is fraud where an attacker hacks into or impersonates a real business email account to send convincing invoices. In the QR code variant, the attacker inserts a QR code on an otherwise genuine-looking invoice. Scanning it opens a payment portal the attacker controls. QR codes are used because they're opaque — there's no bank account number to scrutinize, only a code that looks the same whether it's real or fake.

What should I do if my business already paid a fake invoice via QR code?

Call your bank's fraud line immediately to attempt a wire recall or ACH reversal — time is critical. File a report with the FBI IC3 at ic3.gov; BEC fraud has a dedicated FBI recovery process. Notify the real vendor so they can alert other clients. Report to the FTC at reportfraud.ftc.gov and contact your business insurance carrier to explore crime coverage for BEC losses.

Check any QR code before it opens

QRsafer scans a QR code and shows you whether the destination is safe before your browser loads it. Free on iOS and Android.
