How Do QR Code Scams Trick People Into Sending Funds?
A QR code feels like a shortcut that removes room for error — no address to type, no characters to mistype. That same convenience is exactly what makes it useful for a scam, because most people scan first and verify never.
The short answer
A QR code scam works by getting someone to scan a code that encodes a scammer’s wallet address instead of the intended one, often by physically covering a legitimate code with a fake sticker or by distributing a manipulated code through messages, fake websites, or printed materials. Because the destination address is hidden inside the code itself, the person scanning it usually has no easy way to verify where funds are actually headed until after the transaction is sent.
Why QR codes are trusted more than they should be
Typing out a long wallet address invites careful double-checking, since the string of characters looks intimidating and error-prone. A QR code removes that friction entirely, and with it, the instinct to slow down and verify. That’s the core vulnerability being exploited: the code looks like a neutral, technical object, when in reality it’s just an image encoding whatever the creator chose to put in it — there’s no built-in guarantee it points to the right destination.
Common ways this plays out
- Physical overlay scams. A fraudulent sticker is placed directly over a legitimate QR code — on a printed sign, an invoice, or even a cryptocurrency ATM — redirecting anyone who scans it without noticing the code was swapped.
- Fake support or refund codes. A scammer posing as support staff sends a QR code claiming it will process a refund or verification, when scanning and following the prompts actually authorizes an outgoing transfer.
- Manipulated marketing materials. Fake flyers, ads, or social posts include a QR code that looks like it leads to a legitimate platform or promotion but instead leads to a malicious site or wallet.
- Compromised displays in peer-to-peer trades. In an in-person or peer-to-peer trade using an escrow service, a manipulated code shown at the point of exchange can redirect funds away from the agreed escrow address entirely.
Why irreversibility makes this especially costly
Once a transaction confirmed through a scanned code is broadcast, it generally can’t be recalled — a consequence of how crypto transactions work once sent. There’s no bank to call for a reversal and no built-in dispute process, which is part of why QR-based redirection scams are appealing to scammers in the first place: the funds are usually gone the moment the transaction confirms.
How to reduce the risk
- Verify the destination separately. Where possible, cross-check a scanned address against a known, independently obtained source rather than trusting the code alone.
- Inspect physical codes for tampering. A sticker with slightly different edges, texture, or placement than the surrounding material is a warning sign worth pausing over.
- Confirm the amount and address shown after scanning. Most wallet apps display the destination address and amount before finalizing — reading that confirmation screen carefully, rather than approving on autopilot, catches many redirection attempts.
- Be skeptical of urgency. A QR code paired with pressure to act immediately, such as a claimed limited-time refund, is a common pairing worth treating as a red flag on its own.
What to weigh
QR codes aren’t inherently riskier than any other way of sharing a wallet address — the risk comes entirely from trusting the source without verifying it. Treating a scanned code with the same scrutiny as a typed address, rather than as a shortcut past that scrutiny, closes most of the gap scammers rely on.
The takeaway
A QR code is only a container for information, not a guarantee of where that information leads. Slowing down to confirm the destination shown after a scan, rather than trusting the scan itself, is the single habit that defuses most of these scams.