Museum QR Code Scam: What It Is and What to Do
You scanned a QR code at a museum — for an exhibit audio guide, a membership sign-up, or a special event — and something didn't feel right. Here's how museum QR code scams work, why cultural institutions are a target, and exactly what to do if you already scanned or paid.
Fake exhibit-guide QR codes on display panels
The most common museum QR scam involves a small sticker placed directly over — or right next to — a legitimate exhibit-guide code on a plaque or display panel. The fake code points to a page that mimics the museum's own design: same logo, same color scheme, and often real content pulled from the museum's public website.
After a few seconds of legitimate-looking content, a prompt appears: “Upgrade to the full exhibit guide — enter your card details for a $4.99 membership add-on” or “Create an account to continue listening.” Visitors who comply have handed their payment information or login credentials to an attacker-controlled page. The charge goes through; the membership or guide never materializes.
The rule: legitimate museum exhibit guides and audio tours do not ask for payment or account creation at the point of scanning. If a QR code inside a museum requests your card details or a password, navigate away and report it to the information desk immediately.
Fake membership and gift-shop QR codes
Scammers also target the transactional moments of a museum visit — the gift shop, the membership desk, and event sign-ups. A fake “Join as a member and save 20%” QR code on a lobby stand or near the register looks entirely plausible. Visitors who scan and enter their details to “create an account” or “purchase a membership online” end up on a phishing page harvesting their name, email, address, and credit card number.
A related variant uses QR codes on printed flyers near the exit, advertising a “members-only online shop” or “exclusive digital catalogue.” The link leads to a fake storefront that collects payment for merchandise that never ships.
Always sign up for a museum membership directly on the museum's official website — navigate there yourself rather than scanning a QR code from lobby signage. The official site URL should exactly match the museum's known web address.
Why museums are a target
Cultural institutions create an ideal environment for QR code fraud for several reasons:
- High ambient trust. People expect technology to feel educational and helpful inside a museum — a QR code prompt feels completely normal and credible.
- Visitors are distracted and engaged. When you're absorbed in an exhibit, you're not scrutinizing URLs or checking for sticker overlays.
- Small transaction amounts reduce suspicion. A $4.99 “exhibit guide fee” or $2.99 “audio download” feels plausible in a context where you've already paid for admission.
- Low staff-to-floor-space ratio. Large museum galleries are difficult to monitor continuously, giving scammers time to place sticker codes undetected.
What to do right now
If you only scanned and closed the page without entering anything: Your risk is very low. Note the URL you saw — if it didn't match the museum's official domain, alert a staff member so they can inspect the code.
If you entered card or payment details:
- Call your bank or card issuer immediately using the number on the back of your card. Report the transaction as fraudulent, request a chargeback, and ask for a new card number. Do not wait for the charge to post.
- If you paid via Venmo, Zelle, or Cash App, report the fraud to those platforms as quickly as possible. Peer-to-peer payments are harder to reverse, but early reporting creates a record and maximizes your chances.
- File a complaint with the FTC at reportfraud.ftc.gov. Include any screenshots of the page or QR code you can provide.
- Alert museum staff so they can inspect and remove the fraudulent code before other visitors are affected.
If you entered your museum membership login credentials:
- Go directly to the museum's official website and change your password immediately.
- Enable two-factor authentication if it isn't already active.
- Review your account for any memberships purchased or payment methods added that you don't recognize.
- If you reuse that password elsewhere, change those accounts too.
For more detail on what happens when you scan a fraudulent code, see what happens if you scan a fake QR code. For the full library and museum context, see QR code scams at libraries and museums.
Frequently asked questions
Can you get scammed by scanning a QR code at a museum?
Yes. Scammers place sticker QR codes over legitimate exhibit-guide codes on display panels, or post fake membership and gift-shop QR codes on lobby signage. Scanning can lead to a phishing payment page or a fake login portal. Museums feel safe, which is precisely why fraudsters target them — visitors are engaged with exhibits and less likely to scrutinize a URL. Use QRsafer to preview any QR code's destination before opening it.
How do I tell a real museum QR code from a fake one?
Check for sticker overlays — a raised edge or bubbling at the corners of the code is a warning sign. When you scan, the URL must match the museum's official domain exactly. Real exhibit guides don't ask for payment or account creation at the scan point. When in doubt, ask staff to confirm the code before you enter any information.
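The exact-match rule above, written out as an added example (not code from this page, from any museum, or from QRsafer). It shows why "looks like the museum's address" is not enough: the host must equal an official one, character for character. The domains museum.example and guide-pay.test and the function check_qr_url are placeholders assumed for illustration, and requiring https is an added strictness.

```python
from urllib.parse import urlsplit

# Assumption: the museum's real hostnames, learned from a trusted source
# (ticket, staff, a bookmark), never from the QR code itself. Placeholders.
OFFICIAL_HOSTS = {"museum.example", "www.museum.example"}

def check_qr_url(url, official_hosts=OFFICIAL_HOSTS):
    """Return (verdict, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ("reject", "URL does not parse")
    if parts.scheme != "https":
        return ("reject", "not an https link")
    if parts.username is not None or parts.password is not None:
        # In https://museum.example@other.test/ the real host is other.test.
        return ("reject", "text before '@' hides the real host")
    if not host:
        return ("reject", "no host in URL")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return ("reject", "internationalised host may imitate the official name")
    if host in official_hosts:
        return ("match", "host is exactly an official one")
    if any(name in host for name in official_hosts):
        # Official name used as a subdomain label of someone else's domain.
        return ("reject", "official name embedded in a different domain")
    return ("reject", "host is not an official one")

# Constructed sample URLs, not taken from any real incident.
SAMPLES = [
    "https://www.museum.example/exhibits/audio-guide",
    "https://museum.example.guide-pay.test/upgrade",
    "https://museum.example@guide-pay.test/tour",
    "http://www.museum.example/guide",
    "https://xn--musum-fsa.example/",
    "https://museum-example.test/join",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = check_qr_url(sample)
        print(f"{verdict:6}  {sample}  ({reason})")
```

Only the first sample passes; every other one contains the museum's name somewhere in the link yet resolves to a host the museum does not control, or arrives over plain http.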
I entered my card details on a page I reached from a museum QR code — what do I do?
Call your bank or card issuer immediately, report the charge as fraudulent, and request a chargeback and a replacement card number. Alert museum staff so the fraudulent code can be removed. File a complaint with the FTC at reportfraud.ftc.gov. If you also entered login credentials, change that password immediately on the museum's official website and enable two-factor authentication.
Check any QR code before you scan
QRsafer previews the destination URL of any QR code — giving you a Safe, Risky, or Dangerous verdict before your browser opens it. Free on iOS and Android.
