BlipFiles


How to read payment QR codes safely

QR-swap fraud is the fastest-growing payment scam globally. Before paying any QR sent via message or shown on a printed bill, taking 5 seconds to verify the recipient can save you thousands.

5 min read · Updated on April 29, 2026

In Brazil, PIX (instant payment) QR fraud grew 150% in 2025. The MO is simple: a scammer intercepts a communication (WhatsApp, email, printed invoice) and swaps the original QR for one pointing to their key. The customer pays, the money goes to the wrong account, and it almost never comes back. The same patterns exist with UPI in India, SEPA Instant in Europe, and Zelle/Venmo QR in the US — different rails, same trick.

Good news: you can prevent 100% of these scams in 5 seconds. Before paying any payment QR, read it in a decoder (NOT your bank's app — I'll explain why) and check 4 fields. If anything looks off, don't pay.

Why read BEFORE opening your bank app

When you scan a QR directly in your bank app, you're already in the payment flow. You see the data, yes — but in the context of "I'm about to pay this". That cognitive bias (already on the pay screen) makes you check less.

Reading the QR in a SEPARATE decoder, you're just verifying. No pressure, no flashing "pay" button. You see the data as pure info, not imminent action. Same logic as "think before clicking an email link" — changing context reduces error.

The 4 fields to verify

  • Recipient key (account ID, email, phone, or random UUID for PIX) — make sure it matches whoever you expect to pay.
  • Recipient name (the "merchant" field) — should be readable and make sense. "JOE'S DELI INC" is coherent; "JOHN SMITH" on a big retailer's QR is NOT.
  • Amount — some payment QRs have a fixed amount (you can't change it), others come blank (you type it in). Invoice/billing QRs SHOULD always have fixed amounts. If it's blank, be suspicious.
  • City/location — required by most QR payment standards. If the city is wildly different from context (a local restaurant's QR showing a foreign city), be suspicious.
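
What a decoder does with those four fields, as an added example (not code from this page or from any bank): it parses the text inside an EMV-style merchant QR, the layout PIX uses, where field 26 holds the key, 59 the name, 54 the amount and 60 the city. The function names, the expected-values dictionary and the sample payload built by `build_sample` are assumptions made for illustration.

```python
# Added example: decode the text of an EMV-style payment QR (the layout PIX uses)
# and compare the four fields with what the payer expects to see.

def tlv(payload):
    """Split 'IILLvalue' records: 2-digit ID, 2-digit length, then the value."""
    out, i = {}, 0
    while i < len(payload):
        if i + 4 > len(payload) or not payload[i:i + 4].isdigit():
            raise ValueError(f"malformed record at offset {i}")
        tag, size = payload[i:i + 2], int(payload[i + 2:i + 4])
        value = payload[i + 4:i + 4 + size]
        if len(value) != size:
            raise ValueError(f"truncated field {tag}")
        out[tag] = value
        i += 4 + size
    return out

def crc16(text):
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the checksum in field 63."""
    crc = 0xFFFF
    for byte in text.encode("utf-8"):
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return f"{crc:04X}"

def read_payment_qr(payload):
    """Return the four fields to verify; reject payloads with a bad checksum."""
    if payload[-8:-4] != "6304" or crc16(payload[:-4]) != payload[-4:].upper():
        raise ValueError("bad checksum: not a well-formed payment QR")
    top = tlv(payload)
    account = tlv(top.get("26", ""))       # 26 = merchant account info (PIX)
    return {"key": account.get("01"),       # sub-field 01 = recipient key
            "name": top.get("59"), "amount": top.get("54"), "city": top.get("60")}

def mismatches(decoded, expected):
    """Names of fields whose decoded value differs from what the payer expects."""
    norm = lambda v: (v or "").strip().casefold()
    return [f for f in ("key", "name", "amount", "city")
            if norm(decoded[f]) != norm(expected[f])]

def build_sample(key, name, city, amount):
    """Constructed test payload for this example, not a real QR."""
    f = lambda tag, v: f"{tag}{len(v):02d}{v}"
    body = (f("00", "01") + f("26", f("00", "br.gov.bcb.pix") + f("01", key))
            + f("52", "0000") + f("53", "986") + f("54", amount) + f("58", "BR")
            + f("59", name) + f("60", city) + "6304")
    return body + crc16(body)
```

A swapped QR carries a valid checksum of its own, so the checksum only rules out damaged or malformed codes; the swap shows up in `mismatches`, which is the comparison against the payee you expected.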

Signs of a malicious QR

Recipient doesn't match the expected payee

You got an invoice from "ABC SERVICES LLC" but the QR shows recipient "JOHN P. SMITH". Clear sign of swapped QR. Cancel and contact the business via official channel for a new QR.

Amount different from agreed

You agreed on $80 lunch and the QR comes with $800. Could be: (a) waiter typo, (b) old QR from another table, (c) fraud. Either way, DON'T pay — ask them to redo the QR in front of you.

QR out of context

Physical bill from a known company has a QR pasted ON TOP of the original (sticker). Classic "bill interception" scam. Scammer takes your bill from the mailbox, sticks their QR on, returns it. Always be suspicious of QR that looks applied over the original.


What to do if you fell for the scam

  • Call your bank IMMEDIATELY — most countries have a return mechanism if reported within hours/days (Brazil PIX MED, US chargeback for some rails).
  • File a police report — needed for any insurance/refund process.
  • Notify the regulator (Central Bank, FTC, FCA depending on country) — feeds the fraud database and may freeze the scammer's account.
  • Document everything — screenshot of the QR, conversation with scammer, payment receipt. Bank will ask.
  • Notify the company whose identity was used — they may help with circumstantial proof.

TL;DR: 5-second checklist

  1. Read the QR in an external decoder (not your bank app).
  2. Verify recipient key + name + amount + location.
  3. Make sure it matches who you expected to pay.
  4. If anything looks off, DON'T pay — confirm via official channel.
  5. For payments above your "concern threshold" ($100-500 is a good reference), double the attention.

Frequently asked questions

You can, and most people do. But the ideal is to read it FIRST in an external decoder — the bank app already assumes you're going to pay. In the decoder you're just reading. Changing context reduces verification mistakes.