PayPal Business QR Code Scam: What to Know and What to Do

Three ways scammers exploit PayPal Business QR codes

Unlike personal PayPal transfers, PayPal Business QR codes are used at real points of sale — which makes tampering harder to spot in the moment.

1. Swapped QR codes at the point of sale

This is the most common attack on physical businesses. A fraudster visits the merchant's location and places a sticker — printed with their own PayPal.me or PayPal Business QR code — directly over the legitimate payment code. Every customer who scans it sends money to the fraudster instead of the business. The merchant may not realize anything is wrong until they reconcile payments at the end of the day.

As a customer, always read the PayPal recipient name on the confirmation screen before approving the transaction. If the name doesn't match the business, cancel and alert the staff.

2. Fake invoice QR codes impersonating PayPal Business

Fraudsters generate professional-looking invoices — often PDF attachments or well-formatted emails — that appear to come from PayPal Business. The invoice includes a QR code the recipient is asked to scan to "pay securely." That code either leads to a phishing page that steals PayPal login credentials, or routes the payment directly to a scammer-controlled PayPal.me link.

Legitimate PayPal invoices from vendors you've transacted with appear automatically inside your PayPal account. If an invoice arrives unsolicited — especially for services you don't recognize — log into PayPal directly and check your invoice inbox rather than scanning any QR code in the message. See also: fake invoice QR code scams.

3. Overpayment scams using QR codes

A "buyer" contacts a seller, agrees to a price, and then sends a PayPal Business payment for more than the amount owed — claiming it was an accident. They ask the seller to refund the difference by scanning a QR code they provide. The original payment was funded by a stolen card or compromised bank account and will later be reversed by the true account owner. The seller's refund, however, has already gone to the scammer and cannot be recovered.

Never refund an overpayment by scanning a QR code a buyer sends you. Issue any refund exclusively through your own PayPal Business dashboard, and wait for the original payment to fully clear before shipping goods or providing services.

Why PayPal Business fraud is different from consumer PayPal fraud

Consumer PayPal fraud typically involves peer-to-peer transfers between individuals — the kind covered on our PayPal QR code scam page. PayPal Business fraud hits the payment infrastructure that merchants depend on. The stakes are higher: a compromised point-of-sale QR code can quietly redirect every customer payment for hours before the merchant notices. And because PayPal Business QR codes are legitimately used by real businesses, customers are far less suspicious than they might be with a stranger's peer-to-peer request.

PayPal's dispute resolution process can help in cases of unauthorized transactions or non-delivery, but it does not automatically restore funds in cases where a payment was voluntarily made to a fraudster — even if the customer was deceived.

What to do right now

1. Open a PayPal dispute immediately. Go to paypal.com/disputes within 180 days of the transaction. Select the payment and report it as unauthorized or as a problem with the transaction. Speed matters — PayPal can sometimes freeze funds before the scammer withdraws them.
2. Contact your bank or card issuer. If your PayPal balance was funded by a debit card or bank account, call your financial institution and report the transaction as fraud. They may be able to initiate a chargeback or ACH recall.
3. Secure your PayPal account. If you entered your PayPal credentials on a phishing page, change your password and the password of your linked email immediately. Enable two-factor authentication. Review your linked bank accounts and cards for unauthorized activity.
4. Report to the FTC. File a complaint at reportfraud.ftc.gov. If you're a merchant whose QR code was physically tampered with, local law enforcement and your state attorney general's consumer protection office are additional resources.
5. Document everything. Screenshot the QR code, the fraudulent invoice or message, the PayPal transaction record, and any communications with the scammer. You'll need this for PayPal's investigation and any law enforcement reports.

How to protect yourself going forward

Before scanning any QR code that leads to a payment page — especially one in an unsolicited invoice, at an unfamiliar point of sale, or provided by a buyer — run it through QRsafer first. QRsafer checks the destination URL for phishing signals, suspicious redirects, and known fraud infrastructure before you ever open the link.

• Verify the recipient name before every PayPal QR payment. The PayPal app shows the recipient's name after scanning. Confirm it matches the business before you approve.
• Inspect physical QR codes for tamper stickers. Merchants should check their point-of-sale QR codes daily. Look for raised edges, misalignment, or a sticker layered on top of the original.
• Access PayPal invoices through your account, not through QR codes. Log in at paypal.com and check your invoice inbox directly. Do not scan QR codes in emails or PDFs you weren't expecting.
• Never refund an overpayment via a third-party QR code. All refunds should flow through your PayPal Business dashboard. If a "buyer" insists otherwise, it's a scam.

Frequently asked questions