QR Code Quishing at Walmart Self-Checkout and Returns
Criminals place counterfeit QR code stickers on Walmart self-checkout kiosks, returns desks, or in-store signage, redirecting customers to phishing pages that harvest payment card data under the guise of a Walmart payment portal.
Part of: Quishing: Physical Payment Point QR Code Scams
Last reviewed: 8 June 2026
Walmart is among the most-visited physical retail environments in North America, processing millions of in-store transactions daily. This creates an opportunity for criminals who physically plant fake QR code stickers over legitimate ones at self-checkout lanes, customer service desks, and digital payment instructions posted on walls or printed receipts.
Quishing — QR code phishing — is particularly effective in a busy retail environment because customers are accustomed to scanning QR codes to access loyalty programmes, return instructions, or payment confirmation. The trusted brand and familiar surroundings lower a customer's guard in a way that a standalone phishing email might not.
Walmart's own QR codes in store link to walmart.com domains or internal payment processors. A tampered QR code redirects to a convincingly styled fake Walmart portal that captures card details or login credentials, or installs malware on a mobile device.
How this scam works on the Walmart brand
A scammer visits a Walmart store during a quiet period and places small printed QR code stickers over genuine QR codes — particularly at self-checkout pay stations, where customers may not question a code appearing alongside a card terminal, or on return instruction cards near the customer service desk.
When a customer scans the fake code, a browser page opens that mirrors Walmart's visual style and asks for a card number and CVV to confirm payment or to complete a refund. Some variants claim that Walmart Pay is experiencing an issue and direct the customer to a substitute link. Payment data entered on the fake page is silently forwarded to the attacker.
A related variant involves fake QR codes placed on Walmart Money Center machines or near the MoneyGram kiosks inside stores, where customers may be more relaxed about entering financial information in a familiar retail context.
Common red flags
- A QR code sticker that appears to be placed over an existing label — check for raised edges, misaligned borders, or a different paper texture
- Scanning the code opens a URL that is not walmart.com — even minor variations like wal-mart-pay.com or walmartpayment.net are fraudulent
- The page that opens asks for your full card number, CVV, or bank login credentials as part of a payment or refund confirmation
- The page design looks subtly off — outdated Walmart logo, incorrect fonts, or missing standard footer links
- A sign near a kiosk says "use this QR code instead" but carries no official Walmart store branding consistent with the surrounding signage
- The page requests personal information that Walmart self-checkout does not normally require, such as full SSN or date of birth
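The domain red flag above can be checked mechanically on the text decoded from a QR code. The following is an added example, not part of the original page or any Walmart tooling: the function name `classify_qr_url` is hypothetical, the allowlist assumes walmart.com is the only trusted domain (the page mentions internal payment processors but does not name them), and the `.example` hosts and the IP address are constructed samples.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: walmart.com is the only trusted domain; add processors you have verified.
ALLOWED_DOMAINS = ("walmart.com",)

# Constructed sample payloads; the two look-alike domains are the ones named on this page.
SAMPLES = [
    "https://www.walmart.com/returns",
    "https://wal-mart-pay.com/confirm",
    "https://walmartpayment.net/refund",
    "https://walmart.com.pay-portal.example/",   # brand used as a subdomain prefix
    "https://walmart.com@pay-portal.example/",   # brand placed in the userinfo part
    "http://walmart.com/pay",                    # right domain, no TLS
    "https://203.0.113.7/pay",                   # documentation-range IP address
]


def classify_qr_url(payload, allowed=ALLOWED_DOMAINS):
    """Return (verdict, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block", "not a parseable URL"
    if parts.scheme != "https":
        return "block", "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return "block", "userinfo before '@' hides the real host"
    if not host:
        return "block", "no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "block", "internationalised host, possible look-alike characters"
    try:
        ipaddress.ip_address(host)
        return "block", "raw IP address instead of a domain"
    except ValueError:
        pass  # not an IP literal, continue with the domain comparison
    for domain in allowed:
        # Exact match or a true subdomain; a bare suffix match would accept evilwalmart.com.
        if host == domain or host.endswith("." + domain):
            return "allow", "host is under " + domain
    return "block", "host is not under an allowed domain"


if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", classify_qr_url(url))
```

An "allow" verdict covers only the URL encoded in the sticker, not any page it later redirects to.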
How to protect yourself
- Before scanning any in-store QR code, visually inspect it for stickers placed over existing labels
- If the QR code redirects to a non-walmart.com domain, close the browser immediately without entering any information
- Use the Walmart app's built-in Walmart Pay for in-store payments instead of scanning unknown static QR codes
- Alert Walmart store staff immediately if you spot a suspicious QR sticker so they can remove it and check other kiosks
- Pay by contactless card or phone tap-to-pay where possible to avoid any QR-based payment flow entirely
- Monitor your payment card for unauthorised charges and report them to your bank without delay
How to report it
- Report suspicious QR stickers directly to Walmart store management so they can be removed promptly
- Report the scam to the FTC at reportfraud.ftc.gov
- If you entered card details, contact your bank immediately to freeze the card and dispute any charges
- File a report with the FBI at ic3.gov if financial loss occurred
Frequently asked questions
Does Walmart use QR codes for legitimate payments in store?
Walmart Pay uses a QR code generated within the Walmart app displayed on your phone, not a static QR code you scan from a sign. If a physical sign asks you to scan a QR code to make a card payment, verify it with store staff before proceeding.
What should I do if I scanned the fake code but did not enter any details?
If you closed the page without entering information, you are likely safe. Run a malware scan on your phone as a precaution, as some quishing pages attempt drive-by downloads.
Is this unique to Walmart or does it happen at other retailers?
QR quishing occurs wherever QR codes are used in public spaces — parking meters, restaurant tables, EV chargers, and hotel lobbies. Walmart's extremely high footfall makes it a frequent target, but the same caution applies everywhere.