Google Pay QR Code Scam: What It Is and What to Do

The three ways scammers use Google Pay QR codes

Google Pay's QR code feature makes splitting bills or paying at local shops convenient — which also makes it a tool scammers exploit. These three variants account for most Google Pay QR code fraud.

1. The fake "receive payment" QR code

This is the most disorienting Google Pay scam because it flips the expected direction of money. You're selling an item on Facebook Marketplace, OfferUp, or a similar platform. The "buyer" says they've already sent payment via Google Pay and shares a QR code as supposed proof or asks you to scan it to "collect" your funds.

When you scan it, the code initiates an outgoing payment request from your account — you think you're collecting $200, but you just sent it. By the time you check your balance, the scammer has the money and has gone silent. Google Pay displays a QR code to request payment from someone else; scammers abuse this feature by framing it as proof that they've already paid you.

2. Marketplace QR codes from fake buyers

A variant of the above that doesn't require scanning at all: the fake buyer sends a fraudulent screenshot of a Google Pay confirmation screen alongside a QR code, claiming the payment is "pending release" until you scan the code to confirm. The screenshot is fabricated, and the QR code leads to a phishing page or sends a new payment to the scammer.

The same pattern appears on OfferUp, Craigslist, and Facebook Marketplace. The shared thread is an off-platform payment method with no buyer or seller protection and a QR code as the mechanism. This mirrors the Venmo QR code scam and the Cash App QR code scam.

3. Phishing emails impersonating Google

You receive an email that looks exactly like a Google security alert — Google's logo, fonts, and formatting are easy to clone. The message claims your Google account or Google Pay wallet has been flagged for suspicious activity and that you must scan a QR code to verify your identity or restore access within 24 hours.

The QR code leads to a convincing but fake Google login page. When you enter your credentials, the attacker gains access to your entire Google account — Gmail, Google Pay, Google Drive, and any saved passwords. From there, they drain your Google Pay balance and linked bank account and may sell your credentials. Google will never ask you to verify your account by scanning a QR code in an unsolicited email.

Why Google Pay scams are hard to reverse

Google Pay person-to-person transfers are processed instantly and are not reversible within the app once the recipient accepts them. Google Pay's terms of service, like those of Zelle and Cash App, treat peer-to-peer transfers as authorized transactions — which means the burden of proof falls on you to demonstrate the transfer was fraudulent.

If you funded the Google Pay payment via a linked debit card or bank account, your bank may be able to dispute the originating ACH transfer — but speed is critical. Banks generally have a narrow window (often 24–48 hours) to attempt a reversal before funds clear to the scammer's account.

If a phishing page stole your Google account credentials and an attacker made unauthorized payments, that is a different legal situation. Unauthorized electronic fund transfers may be recoverable under the Electronic Fund Transfer Act — report it to your bank and Google immediately.

What to do right now

Speed matters. Take these steps in order.

1. Contact Google Pay support immediately. Open Google Pay, tap your profile photo, go to Help & feedback, and report the transaction. Explain that it was fraudulent and request a reversal if the payment is still pending.
2. Call your bank or card issuer. If the Google Pay transfer was funded by a linked bank account or debit card, call the number on the back of your card right now. Ask them to dispute the ACH transfer or debit as unauthorized. The sooner you call, the better your chances of reversal.
3. Secure your Google account. Go to myaccount.google.com, review active sessions under Security, and sign out any unrecognized devices. Change your Google password and enable two-factor authentication if it isn't already on. If a phishing page stole your password, do this before the attacker locks you out.
4. File an FTC complaint. Report the scam at reportfraud.ftc.gov. This creates an official record and helps the FTC track fraud patterns.
5. Report to the FBI's IC3. File a complaint at ic3.gov, especially if the loss is significant. Payment app fraud is prosecuted as wire fraud.
6. Document everything. Screenshot the QR code, every message from the scammer, the Google Pay transaction record, and any fake confirmation images. You'll need this documentation for your bank dispute and law enforcement.

How to protect yourself before you scan

The clearest rule: never use Google Pay to pay strangers for goods or services. Google Pay is designed for people who already trust each other — splitting dinner, paying a friend back. It was not built to protect marketplace transactions with unknown sellers or buyers.

Before scanning any QR code that might initiate a payment or a login, run it through QRsafer first. QRsafer checks the destination URL against threat databases and identifies phishing pages or suspicious redirects before you interact — giving you a Safe, Risky, or Dangerous verdict before you commit.

• Verify incoming payments inside the app. If someone says they've paid you via Google Pay, check your balance in the official Google Pay app — not by scanning a QR code they sent you. A QR code is never proof that money has arrived.
• Google never initiates contact with a QR code. Any email or text asking you to scan a QR code to verify your Google account or Google Pay wallet is a phishing attempt. Navigate to myaccount.google.com directly if you're concerned about your account.
• Legitimate QR codes open inside the app. A genuine Google Pay QR code resolves inside the official Google Pay app. If it redirects to an external website or asks for your credentials anywhere other than the official Google app, stop immediately.
• Use platform-native payments for marketplace transactions. Facebook Marketplace, OfferUp, and eBay all have built-in payment systems with fraud protections. Any buyer who insists on paying via a separate QR code outside the platform is a red flag.

Frequently asked questions