PayPal QR Code Scam: What It Is and What to Do

The two ways scammers use PayPal QR codes

PayPal's QR codes are a fast, contactless way to pay businesses and individuals. That convenience is exactly what scammers exploit. There are two distinct attack types to know.

1. Fake payment QR codes that route money to the wrong account

A fraudster generates a PayPal QR code linked to their own account, then presents it as the legitimate code for a business, event, or person you intend to pay. They may place a sticker over a real merchant's code, hand you a printed card, or send the code digitally over a marketplace chat. You scan, confirm the amount, and the money lands in their account — not the seller's.

This is the same underlying attack as the Venmo QR code scam and the Cash App QR code scam: replace a legitimate payment code with one tied to a fraudster's account.

One critical detail that makes PayPal different: if the scammer requests the payment as "Friends & Family," you have no purchase protection. If they use "Goods & Services," you do — but many scammers specifically ask for the F&F option to strip away your recourse.

2. Fake "verify your identity" QR codes that steal your login

You receive a text, email, or message claiming to be from PayPal. It warns about unusual activity, an account limitation, or a required security check — and instructs you to scan a QR code to "confirm your identity" or "restore your access." The code leads to a convincing fake PayPal login page at a domain like paypal-secure-verify.com or similar. When you enter your email and password, the attacker captures them and immediately takes over your real PayPal account.

PayPal never uses QR codes to initiate security checks. Any message urging you to scan a code to fix your account is a phishing attempt.

PayPal QR codes vs. PayPal.me links — what's different

PayPal offers two QR-adjacent tools that often get confused. Understanding the difference matters for spotting fraud.

• PayPal QR codes are generated inside the PayPal app under "Receive Money." They open a payment flow directly in the app when scanned. A legitimate one resolves to a PayPal-owned domain and launches the official PayPal app — never an external website.
• PayPal.me links are personal payment URLs (e.g., paypal.me/username) that can be shared as QR codes using any QR generator. Because anyone can wrap a PayPal.me link in a QR code, a scammer can trivially create a code pointing to their own PayPal.me account and present it as someone else's.

Before you pay, confirm the name on the PayPal profile matches the actual seller. If the QR code doesn't open inside the PayPal app — or takes you to any domain other than paypal.com — do not proceed.

What to do right now

Speed matters — especially if you sent a Goods & Services payment, which has a 180-day dispute window that starts closing the moment you send the money.

1. Open a dispute in the PayPal Resolution Center. Go to paypal.com → Activity → find the transaction → click "Report a Problem." If you paid for goods or services, select "I didn't receive the item" or "Item not as described." File within 180 days of the payment date.
2. Contact your bank or card issuer. If you funded the PayPal payment with a linked debit card or credit card, call your bank immediately. A credit card chargeback may be available even if PayPal denies the dispute.
3. Secure your PayPal account. Change your PayPal password immediately from a trusted device. Enable two-step verification. Check your linked bank accounts and cards for unauthorized changes.
4. If you entered credentials on a phishing page, also change the password for the email address linked to your PayPal account, and check whether any other accounts use the same password.
5. File an FTC complaint. Report the scam at reportfraud.ftc.gov. This creates a record and helps authorities identify fraud patterns.
6. Document everything. Screenshot the QR code, any messages with the scammer, the PayPal transaction, and any fake pages you landed on. You'll need these for your dispute and for law enforcement.

How to protect yourself before you scan

One habit prevents both attack types: check where a QR code leads before you act on it.

• Scan with QRsafer first. QRsafer checks the destination URL against threat intelligence sources and returns a Safe, Risky, or Dangerous verdict before you open anything — catching phishing domains and suspicious redirects before you enter any payment information.
• Verify the recipient name before you confirm payment. Every PayPal payment screen shows the account name you're sending to. If it doesn't match the seller or business, stop.
• Always pay Goods & Services for purchases. Friends & Family payments have no buyer protection. If a seller insists on F&F to avoid fees, walk away — that's a standard fraud signal.
• PayPal never sends QR codes for security checks. If any message asks you to scan a code to verify your account or avoid a limitation, go directly to paypal.com and log in there — never via the QR code.
• Check for physical tampering. If you're scanning a printed QR code in person, look for stickers placed over existing codes, raised edges, or codes that seem incongruous with the surrounding material.

Frequently asked questions