Share
UTILITY PAYMENT SCAM

PG&E barcode scam: the shutoff threat that ends at a cash register

The call says your power goes off within the hour. Then a barcode arrives by text. What happens next is why victims are losing $969 at a time.

SafeBrowz Threat Research Security ResearchJuly 10, 202610 min read

At a Glance

This is a scam, and PG&E has confirmed it by name. No US utility sends customers a payment barcode or QR code, and none demands payment during a phone call to stop a same-day disconnection. If a caller threatens shutoff and a code arrives by text or email, hang up and check your balance yourself: sign in at pge.com (or your own utility's site) or call PG&E at 1-800-743-5000. PG&E customers reported losing more than $211,000 to impersonation scams in the first half of 2026 alone, with the average loss at $969 per victim.

The two ways this scam arrives

PG&E's warning about what it calls an emerging "barcode scam" went out in June 2026, and California outlets were still amplifying it into July. The whole campaign runs on two delivery routes, both starting with the same phone call: an "agent" says your account is past due and your power will be disconnected, often within the hour, unless you pay right now.

  1. Route 1: the barcode and the cash register. The caller keeps you on the line while a barcode or QR code lands in your texts or inbox, with instructions to take it to a nearby store and pay the cashier cash against the scanned code. The register accepts it, a receipt prints, and the panic ends. Except the code was never linked to your utility account: it loads an account the scammer controls, and PG&E says the funds are drained almost instantly. The cashier has no way to know a scam is in progress - to the register it is just another bill payment.
  2. Route 2: the QR code and the fake payment page. The same pressure call, but the code opens in your phone's browser instead of at a register. It lands on a payment page dressed up in utility branding that asks for your card number, bank login, or a prepaid card code. This is the classic quishing pattern pointed at utility customers - the half of the scam that lives entirely in your browser.

Both routes work because the threat is calibrated to the season. Losing power in a July heat wave means losing air conditioning, refrigerated food, and medical equipment, and the urgency lands hardest during extreme heat or cold. A deadline measured in minutes exists to stop you from doing the one thing that kills the scam: checking your actual balance.

Why the cash register is the perfect getaway

Paying a bill in cash at a retail counter is a real service - utilities across the US maintain authorized payment locations where a customer scans a code and pays at the register. That is exactly why a barcode on a phone at a checkout looks unremarkable to everyone, including the cashier. The scam borrows a legitimate payment rail and swaps the destination account.

That swap makes this variant nastier than the older prepaid-card script: no card to photograph, no numbers to read out loud, no moment where a store employee might recognize the familiar gift-card warning signs. Matt Foley, PG&E's lead scam investigator, says scammers are constantly evolving their tactics and calls the barcode scam a prime example, with one thing unchanged: the demand for immediate payment to avoid disconnection. His advice for the call itself: hang up.

The caller ID will not save you either. PG&E warns that scammers now spoof authentic-looking 800 numbers on your phone's display, numbers that do not lead back to PG&E if called back. A familiar-looking number proves nothing - the same lesson from how phone and text scams actually work: the display name and number are attacker-controlled fields, not identity checks.

🛡 LIVE CHECK

Got a utility payment link or QR code? Test it first

If a text, email, or QR code claims to be a PG&E or utility payment page, paste the link here before you open it. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

The numbers behind PG&E's warning

The figures PG&E published alongside the alert explain why this got a dedicated press release:

  • $211,000+ lost in the first half of 2026 by PG&E customers to impersonation scams, on pace to beat 2025's full-year total of more than $301,000 by nearly 30 percent.
  • The average loss jumped to $969 per victim by mid-2026, up from roughly $590 in 2025. The barcode route moves more money per hit than the old gift-card script.
  • Nearly 24,000 scam reports in 2025 from customers targeted by PG&E impersonators, across a service area of about 16 million people in Northern and Central California.
  • Businesses are targeted too: PG&E logged around 656 scam-attempt reports from business customers in under six months of 2026, closing in on the 846 reported across all of 2025. Callers deliberately hit during busy business hours, when an owner will pay almost anything to keep the lights on.

Not just PG&E: every US utility gets the same script

The barcode is new packaging on the oldest utility scam there is. Utilities United Against Scams (UUAS), a consortium of more than 150 US and Canadian electric, water, and natural gas utilities, has been tracking the disconnection-threat script for a decade, runs an awareness day every November under the message "Slow down, verify, stop the scam," and says customer reports have helped take more than 14,800 scammer phone numbers out of operation. Whoever your provider is - Con Edison, Duke Energy, ComEd, or your city water department - the impersonation call reaching you follows the same beats as the one reaching a PG&E customer in Fresno.

The FTC's guidance for all of them matches PG&E's: real utilities do not demand immediate payment over the phone, or payment by gift card, wire transfer, or cryptocurrency. The identical disconnection-threat template runs in India, where it delivers a malicious APK, and in France against EDF and Enedis customers. Only the payment rail changes by country. In the US it is the retail barcode, the QR code, prepaid cards, and Zelle or other instant payment apps, all picked for the same reason: the money is unrecoverable minutes after it moves.

PG&E's reporting names no specific scam domains, so we cannot list real ones here, but fake payment portals in this class follow a predictable shape: the utility's brand welded to a payment word on a domain the utility does not own. Illustrative examples of the pattern, not real reported sites, look like pge-billpay[.]com, pge-payment-center[.]net, or my-utility-payments[.]com. The real PG&E site is pge.com, and every legitimate page of it, including payments, sits on that domain.

The 30-second check that beats every version

You do not need to out-argue the caller or judge the payment page's design. One habit defeats both routes, and it costs 30 seconds.

  1. Seconds 0-5: hang up. Not "let me think about it," not "can I call you back." A real utility does not lose your account status when the call ends, and PG&E's own instruction for these calls is exactly this.
  2. Seconds 5-25: check the balance yourself, on a channel you chose. Sign in to your online account at pge.com (or your own utility's real site, typed by hand or from a saved bookmark), or call the number printed on a paper bill. For PG&E that is 1-800-743-5000. Never use a callback number the caller gave you or that appeared on caller ID.
  3. Seconds 25-30: apply the one rule that needs no judgment. If the payment method arrived during the call - a barcode, a QR code, a prepaid card, a payment-app handle - it is a scam, every time, regardless of how real everything else felt. Real past-due balances are visible in your account and payable through it.

If your account shows no past-due balance, the call was a scam and you are done. If it does show one, pay it right there, through the utility's real site.

What PG&E says it will never do

Each item on PG&E's published list is a hard tripwire rather than a judgment call, and nearly all of it applies to any US utility:

  • It will never ask for your financial information over the phone.
  • It will never request payment via barcode, QR code, or prepaid debit card, and never via gift cards, cryptocurrency, or third-party payment apps like Zelle or Venmo.
  • It will never send a single notification within one hour of a service interruption. Real disconnections for non-payment come only after a series of advance notices, so a first-contact call with a 60-minute deadline is self-identifying as fraud.
  • It will never ask to see your bill at your door. If someone shows up asking, close the door.

If you already paid against a scanned code

  1. Act inside the first hour if you can. Go back to (or call) the store where you paid and ask the retailer to contact its bill-payment processor about freezing the transaction. The funds drain fast, and a quick report is the only chance of interception.
  2. If you entered card or bank details on a QR-linked page, call your bank now. Ask for the card to be blocked and the transactions disputed as fraud, and change your online banking password if you typed it on the page.
  3. Report it to the utility. PG&E customers can report scams at 1-833-500-SCAM (1-833-500-7226) or forward scam emails to [email protected]. Other utilities list their fraud lines on the back of the paper bill.
  4. Report it to the FTC at reportfraud.ftc.gov and, for text or email-delivered codes, to the FBI's Internet Crime Complaint Center at ic3.gov. If a caller threatened you, PG&E also recommends contacting local law enforcement.
  5. Expect follow-up scams. People who paid once get called again, sometimes by "refund agents" offering to recover the loss for a fee. That second call is part of the same operation.

Catch the fake utility payment page before you scan

Half of this scam - the cash register route - never touches a browser, and no software can intercept cash handed across a counter. But the other half does: the QR code that opens a payment page, the "pay your bill" link in a follow-up text, the portal asking for your card. That is where a browser-layer scanner sits, checking the destination in the instant between scanning a code and the page loading. It is the same gap we walk through in how to check whether a QR code is safe and how to tell if a website is a scam: the code and the page can look perfect, but the domain cannot lie.

How SafeBrowz reads a fake utility payment portal

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns and 550+ brand signatures run inside the extension before the page paints. A utility brand name welded to a payment keyword on a domain the utility does not own - the pge-billpay[.]com shape - is flagged client-side, with no round trip and no waiting for the domain to be reported.
  • Layer 2 - API checks: domains that have been reported anywhere in the network are matched against Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs, so a fake portal already flagged by another victim's report is blocked on sight.
  • Layer 3 - AI deep scan (Premium): content-aware analysis reads the page itself. A payment form demanding immediate settlement of a utility bill, on a non-utility domain, steering you toward a card number or prepaid-card code, is the exact urgency-plus-payment-method pattern the AI layer is built to recognize, even on a first-seen domain no blocklist knows yet, in 100+ languages.

Honest scope: a phone call that ends with cash at a store register never touches your browser, and SafeBrowz cannot see or stop it. SafeBrowz protects the link and portal side of this scam - the QR codes, payment links, and fake portals - while the phone side is defeated by the 30-second callback habit above. Use both. Detection signatures come from threat-intelligence research and brand-database analysis, not from user browsing data. Per-user URL history is never stored.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that catches the fake utility payment page in the moment between scanning the code and the page loading. Free forever.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

Frequently asked questions

Does PG&E ever send customers a barcode or QR code to pay a bill?

No. PG&E states it will never ask for payment via barcode, QR code, or prepaid debit card, and never by gift card, cryptocurrency, or payment apps like Zelle or Venmo. Any code that arrives by text or email after a disconnection-threat call is a scam. Real PG&E balances are visible and payable by signing in at pge.com, and billing can be verified by phone at 1-800-743-5000.

The caller ID showed a real-looking PG&E 800 number. How is that possible?

Caller ID spoofing. PG&E warns that scammers now display authentic-looking 800 numbers on your phone that do not lead back to PG&E if you call them back. Never verify a call using the number that just called you - hang up and dial the number printed on your paper bill or on the utility's official website instead.

I scanned the QR code but did not pay anything. Am I at risk?

Scanning alone usually just opens the page, and the danger starts with what you type. If you entered nothing, close the page and do not return to it. If you typed card details, bank credentials, or personal information, treat them as compromised: call your bank, block the card, dispute any charges, and change any password you entered. Either way, report the text to your utility's fraud line and forward the details to reportfraud.ftc.gov.

I already paid cash against the barcode at a store. Can I get the money back?

It is difficult, because PG&E says funds paid against a scammer's code are drained almost instantly, but speed matters. Contact the store where you paid and ask it to flag the transaction with its bill-payment processor, report the scam to PG&E at 1-833-500-SCAM (1-833-500-7226), file with the FTC at reportfraud.ftc.gov and the FBI at ic3.gov, and contact local law enforcement if you were threatened. Be alert for follow-up "refund" calls, which are part of the same scam.

Does this scam hit utilities other than PG&E?

Yes. The disconnection-threat script targets customers of electric, gas, and water utilities across the US and Canada, which is why Utilities United Against Scams, a consortium of more than 150 utilities, runs a continent-wide awareness campaign against it. Only the payment method varies: barcodes, QR codes, prepaid cards, or payment apps. The defense is identical everywhere - hang up, then verify your balance through your own utility's official site or the phone number on your bill.

Related reading

Bottom line: a real utility never introduces a payment method mid-phone-call. A shutoff threat followed by a barcode or QR code is the scam PG&E warned about, the one that has already cost its customers over $211,000 this year. Hang up, sign in at pge.com or call 1-800-743-5000 to see your real balance, and let a browser-layer scanner like SafeBrowz catch the fake payment portal before it ever loads.

Related reading