Vending Machine QR Code Scam: What It Is and What to Do

You scanned a QR code on a vending machine to pay by phone or grab the cashless-payment app — and now the page you landed on doesn't look quite right. Here's how attackers target unattended vending machines, why small transactions make this scam particularly hard to catch, and exactly what to do if you entered your card details.

How the vending machine QR code scam works

Modern vending machines increasingly support cashless payment through QR codes. Networks like Cantaloupe, 365Pay, Nayax, and PayRange let you scan a code on the machine to open a payment interface or download an app — no cash required. Attackers exploit this convenience by placing a printed sticker with a malicious QR code directly over the legitimate one on the machine's screen or payment panel.

The sticker is often professionally printed and positioned to look indistinguishable from the original. You scan, a payment page opens that looks plausible, you enter your card number, and you've handed your details to a phishing server. The attacker captures your card data in real time — often while you're still standing in front of the machine waiting for it to accept payment.

Vending machines are an attractive target for this scam for two reasons. First, they're typically unattended and located in offices, schools, hospitals, and gyms — locations with high foot traffic but minimal oversight. Stickers can sit in place for days or weeks without anyone noticing. Second, the transaction amounts are small — usually $2–$5 — which means many victims either don't notice the unauthorized charge on their statement or decide the hassle of disputing it isn't worth it. This low-friction outcome is exactly what attackers count on.

The mechanics are essentially identical to laundromat QR code scams, where sticker codes are placed over legitimate payment codes on shared washers and dryers. The same low-dollar, high-volume playbook applies.

The fake app download variant

A second variant targets older machines that don't yet support cashless payment but display a QR code on a nearby flyer or sticker claiming “Scan to download our payment app.” These QR codes don't lead to the App Store or Google Play — they lead to a website that either:

  • Prompts you to install an APK file directly (Android only) — a file that contains a credential-stealing app or banking trojan
  • Redirects to a fake payment form that harvests your card number before the “app” ever loads

The rule is absolute: legitimate vending payment apps are only distributed through the Apple App Store and Google Play Store. If a QR code on a machine asks you to download an app from any other source, close the page immediately.

How to tell a real payment page from a fake one

Signs of a legitimate vending payment page:

  • The URL matches the payment network exactly — cantaloupe.us, 365pay.com, nayax.com, payrange.com
  • The page shows the specific machine ID or vending location before asking for payment
  • It opens the official network app directly, or prompts you to download it from the App Store or Google Play
  • The branding matches what you'd see if you searched the payment network's name directly

Red flags on a phishing page:

  • A generic or lookalike domain — vend-pay.com, cantaloupe-payment.net, or anything that isn't the exact official domain
  • A card form that asks for your full card number, expiration, and CVV with no machine ID or account context
  • Slightly off branding — compressed logos, wrong colors, mismatched fonts
  • An APK download link or any prompt to install a file outside the App Store or Google Play

If you're unsure, don't enter anything. Pay with cash or a tap-to-pay card at the machine's physical terminal instead.
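The exact-match rule above can be applied mechanically to the URL a QR code decodes to. The following Python is an added example, not code from any payment network or scanner app; the verdict names, the brand-keyword list, the acceptance of subdomains of an official domain, and the `.example` sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official payment-network domains, as listed on this page.
OFFICIAL = {"cantaloupe.us", "365pay.com", "nayax.com", "payrange.com"}
# Brand keywords taken from those domains (assumption for this example).
BRANDS = ("cantaloupe", "365pay", "nayax", "payrange")

def classify_qr_url(url):
    """Return (verdict, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "dangerous", "URL does not parse"
    if parts.username is not None:
        # e.g. https://nayax.com@pay.example/ : the real host follows '@'
        return "dangerous", "trusted-looking name before '@' hides the host"
    if parts.path.lower().endswith(".apk"):
        return "dangerous", "APK download from outside the app stores"
    # Assumption: a subdomain of an official domain counts as official.
    # Matching on ".domain" keeps evilnayax.com from passing as nayax.com.
    on_official = any(host == d or host.endswith("." + d) for d in OFFICIAL)
    if on_official and parts.scheme == "https":
        return "official", "host is an official payment domain over https"
    if on_official:
        return "suspicious", "official host but not an https link"
    if any(b in host for b in BRANDS):
        return "dangerous", "brand name inside an unofficial (lookalike) host"
    return "suspicious", "host is not one of the official payment domains"

# Constructed sample URLs; the two lookalike domains are the page's examples.
SAMPLES = [
    "https://payrange.com/m/12345",
    "https://cantaloupe-payment.net/pay",
    "https://vend-pay.com/checkout",
    "https://cantaloupe.us.pay-secure.example/login",
    "https://nayax.com@pay.example/",
    "https://evilnayax.com/",
    "https://get-app.example/vendpay.apk",
    "http://365pay.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        verdict, reason = classify_qr_url(u)
        print(f"{verdict:10} {u}  ({reason})")
```

An "official" verdict only confirms the host; the page should still show the machine ID or location before asking for payment.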

What to do right now

If you only scanned and didn't enter any information: Your risk is low. Close the page and don't return to it.

If you entered your card details, act immediately:

  1. Call your card issuer now. Use the number on the back of your card — not a number from any page you visited. Report the card as potentially compromised and ask them to freeze it and send a replacement.
  2. Watch for small test charges. Attackers often run a $0–$1 authorization to verify the card works before selling it or making larger purchases. Report any unrecognized charge, even a tiny one.
  3. Report to the building or vending operator. Tell the office manager, school staff, or facility where the machine is located. They can contact the vending company to inspect and re-secure the machine before the next person is affected.
  4. File a report with the FTC at reportfraud.ftc.gov. Your report contributes to enforcement actions and helps the FTC track emerging fraud patterns.

For a full walkthrough of what to do after any suspicious QR scan, see what to do if you scanned a suspicious QR code. For detailed guidance on card compromise, see QR code credit card scam: what happens and what to do.

Frequently asked questions

How does a vending machine QR code scam work?

Attackers place a QR code sticker over the legitimate cashless-payment code on a vending machine. Scanning it opens a phishing page that mimics a real payment interface and collects your card details. Because transactions are typically only $2–$5, many victims never notice the charge or don't dispute it — which is exactly why vending machines are targeted.

How can I tell if a vending machine QR code is real or fake?

Legitimate cashless vending systems open their official app or redirect to an exact-match domain — cantaloupe.us, 365pay.com, nayax.com. A fake page uses a lookalike domain, shows a generic card form with no machine ID, and may look slightly off. If the QR code asks you to download an app, that download must come from the App Store or Google Play — never from a website you reached by scanning.

I entered my card info after scanning a vending machine QR code — what do I do?

Call your card issuer immediately using the number on the back of your card. Report the card as compromised and request a replacement. Watch for small test charges and report them. File a fraud report with the FTC at reportfraud.ftc.gov, and notify the building or vending operator so the machine can be inspected and the sticker removed.

Check any QR code before you pay

QRsafer scans any QR code and shows you the destination URL with a Safe, Risky, or Dangerous verdict before your browser opens it. Free on iOS and Android — takes two seconds at the machine.
