QRsafer LogoQRsafer

I Scanned a QR Code and It Charged My Card — What to Do Right Now

You scanned a QR code, something happened, and now there's a charge on your card you didn't expect. Here's exactly how this happens, what to tell your bank, and the fastest path to getting your money back.

How a QR code scan ends up charging your card

A QR code cannot charge your card on its own — it can only open a URL. But what happens next on that page is where the money gets taken. There are three common paths:

  • Fake payment page. The QR code opened a convincing lookalike for a parking meter, restaurant, utility company, or delivery service. You entered your card number thinking it was the real thing, and the attacker harvested it — charging it immediately or selling it for later use.
  • Real transaction, wrong payee. Some QR codes at physical locations (food trucks, pop-up vendors, parking kiosks) route to a real payment processor, but the sticker QR was placed there by a scammer. You completed a genuine credit card transaction — just to the wrong account.
  • Hidden subscription sign-up. The QR code led to a page for a “free trial” or “access pass” with fine-print billing terms. Tapping “continue” or “claim offer” enrolled you in a recurring charge using payment details your browser or Apple Pay autofilled.

Identifying which scenario applies helps you take the right next step — and shapes what you tell your bank when you call.

Do these things immediately

1. Call your card issuer now

Call the number on the back of your credit or debit card and report the charge. Use these words: “I'd like to dispute an unauthorized charge and report potential card compromise.” The representative will walk you through opening a dispute and issuing a replacement card number.

Even if the charge hasn't appeared yet — if you entered your card number on an unfamiliar page — still call. Ask them to issue a new card number proactively. Fraudulent charges often arrive days after the card number is stolen.

2. Document everything before you forget

  1. Screenshot the charge in your banking app, including the merchant name, amount, and date.
  2. Find the URL in your browser history (Safari or Chrome) from the time of the scan — screenshot it. Your bank's fraud team will want this.
  3. Note where the QR code was physically located (address, business name, what the code was labeled).

3. Secure accounts where that card is saved

A stolen card number is often used to take over accounts where it's saved as a payment method. Change your password and enable two-factor authentication on:

  • Amazon, Apple ID, Google — the big three where cards are stored and accessible
  • PayPal, Venmo, Cash App, or any P2P payment app
  • Any subscription service (Netflix, Spotify, etc.) using that card

4. If you paid via a P2P app (Venmo, Cash App, Zelle)

Peer-to-peer transfers have little built-in buyer protection. Act quickly:

  1. Contact the app's support team immediately and report the transaction as unauthorized — some transfers can be reversed within a short window if the funds haven't been withdrawn.
  2. File a report with the FTC at reportfraud.ftc.gov. Include the transaction ID and any contact info you have for the recipient.
  3. File a local police report — some banks and apps require this documentation before they'll investigate.

What your bank can actually do

Your protections depend on how you paid:

  • Credit card. The strongest protection. Under the Fair Credit Billing Act, you can dispute any unauthorized charge and the issuer must investigate. Most issuers provision provisional credit to your account within 1–5 business days while they review. Keep the documentation you gathered — you may need to submit it.
  • Debit card. Report within 2 business days of discovering the fraud for maximum protection (liability capped at $50). Waiting 2–60 days raises your cap to $500. After 60 days, you may be responsible for the full amount. Banks vary in how generously they apply these rules — be persistent.
  • P2P transfer (Zelle, Venmo, Cash App). These are treated more like cash transactions. Voluntary transfers — even to a scammer — are hard to reverse. Your best path is reporting the scammer to the platform and filing an FTC complaint; law enforcement occasionally seizes and returns funds in large cases, but individual recovery is rare.

How to stop this from happening again

  • Preview QR codes before your browser opens them. QRsafer shows you the destination URL and checks it against threat databases before anything loads. A phishing payment page gets flagged before it can display a card form.
  • Check the URL before entering payment info. Legitimate payment pages for parking, transit, and utilities always use the official operator's domain (e.g., paybyphone.com, not parkpay-secure.com). A mismatched or unfamiliar domain is a stop sign.
  • Use a virtual card number for online or QR-initiated payments. Most major banks and Apple Pay / Google Pay can generate single-use or merchant-locked virtual card numbers. If one is stolen, it can't be used elsewhere.
  • Inspect physical QR codes for stickers. Scammers place sticker QR codes over legitimate ones at parking meters, gas pumps, and kiosks. If the code looks layered, raised, or slightly misaligned with the surrounding label, don't scan it — pay at the main terminal instead.

Frequently asked questions

Can a QR code charge my credit card without me entering my details?

A QR code itself cannot initiate a charge — it only opens a URL. But the resulting page can display a fake payment form where you entered your details, redirect a real payment to the wrong payee, or trigger a subscription using details your browser autofilled. In all three cases, some action on that page completed the charge — the QR code just got you there.

What should I do immediately if a QR code led to an unauthorized charge?

Call the number on the back of your card the same day and report it as unauthorized fraud. Ask to dispute the charge and request a replacement card number. Screenshot the transaction and the URL from your browser history — your bank's fraud team will ask for documentation. If you also entered credentials anywhere, change your email and banking passwords immediately.

Will my bank refund a charge that came through a QR code scam?

Credit cards almost always refund unauthorized charges under the Fair Credit Billing Act — dispute it promptly and keep your documentation. Debit cards offer similar protection if you report within 2 business days. Peer-to-peer payments (Cash App, Venmo, Zelle) carry little protection for voluntary transfers — contact the platform and file an FTC report, but recovery is not guaranteed.

Check where a QR code goes before it reaches a payment page

QRsafer previews the destination URL and checks it for threats before your browser opens it — so a phishing payment page gets flagged before you can enter your card number. Free on iOS and Android.

Download for iOSDownload for Android

Related guides