Paying for notarization via GCash or BPI QR: how to do it safely (and what scam patterns to avoid)
May 14, 2026 · by The getnotaryo desk
Hello — and thanks for stopping by this late.
A pattern we've been watching in 2026: fake GCash payment screenshots are everywhere. The fonts are right. The colors are right. The transaction reference number even looks plausible. Then the recipient ships the goods (or the document), and the customer disappears. The payment never actually happened.
GCash itself issued an advisory earlier this year warning users and merchants about this. It's now serious enough that no responsible merchant in the Philippines should be confirming payments based on customer-supplied screenshots.
This guide is about how to pay safely as a customer — and how to spot the merchants who are doing it right.
The two kinds of QR codes
You'll run into two kinds in the wild.
QR Ph (the BSP national standard). This code is interoperable. You can scan it from GCash, Maya, BPI, BDO, UnionBank, or any participating wallet/bank app. It's identified by the "QR Ph" logo and a 14-digit merchant identifier. Settlements happen via InstaPay.
Proprietary QR codes. GCash has its own personal/business QR format. BPI has BPI OneQR. These can only be paid from the specific wallet they belong to. They're identified by the wallet's branding.
At getnotaryo, we use proprietary GCash and BPI OneQR codes — shown side by side at checkout. Two reasons: it gives us cleaner transaction tracking through each provider's merchant portal, and it lets us comply with the user's preference to avoid Maya routing (which a QR Ph code would also accept).
The safe payment pattern
Here's what a payment from a reputable merchant should look like.
Step 1: You see a posted QR code, not one a person emailed you.
The QR should be displayed in the merchant's own checkout interface, on their official website, with their domain visible in the browser. If someone DMs you a QR code on Facebook Messenger or sends one in an unrelated email, even if they claim to be the merchant, do not pay it. Open the merchant's website fresh and use the QR they show there.
Step 2: A unique reference code is assigned to your transaction.
When you confirm your booking, the platform should generate a code like NTRY-2026-A7K3X9 and clearly display it. This code does two things: it lets the platform automatically match your incoming payment, and it gives both you and the merchant a way to look up the transaction later.
Step 3: You're told exactly what to do with that code.
The right pattern is to ask you to paste the reference into the "Notes" or "Memo" field of your transfer. In GCash, this is the "Note (Optional)" field. In BPI, it's the "Notes" field on the BPI app's transfer screen.
If a merchant doesn't give you a reference code, that's a yellow flag. Their reconciliation will be manual and slower. If they give you a code but don't tell you where to put it, that's a smaller yellow flag — paste it in the Notes field anyway.
Step 4: You pay from your own wallet.
Open GCash or BPI. Scan the QR. Confirm the amount matches what you were quoted. Paste the reference code. Send.
Keep the SMS or in-app confirmation. This is your record. You don't need to upload a screenshot to the merchant in most cases.
Step 5: The merchant verifies on their side.
A reputable platform will check their own GCash Business or BPI OneQR portal — or their merchant-account SMS alerts — for the incoming transaction. They'll match the reference code, the amount, and the timestamp. When everything lines up, your order auto-confirms.
If everything is set up correctly, this happens in seconds.
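The merchant-side check from Step 5, as an added example (not getnotaryo's own code): it matches records from the merchant's own payment feed against pending orders by reference code, amount, and timestamp, rejects a transaction ID it has already seen, and sends everything else to manual review. The record field names, the two-hour window, and the sample feed are constructed assumptions; only the reference-code shape comes from the sample in Step 2.

```python
import re
from datetime import datetime, timedelta

# Shape of the sample code NTRY-2026-A7K3X9; the exact pattern is an assumption.
REF_RE = re.compile(r"\bNTRY-\d{4}-[A-Z0-9]{6}\b")
WINDOW = timedelta(hours=2)  # assumed validity window for a booking

def reconcile(payment, orders, seen_txn_ids):
    """Judge one record from the merchant's own feed; never a customer upload."""
    if payment["txn_id"] in seen_txn_ids:  # same transaction presented twice
        return ("rejected", None, ["duplicate transaction id"])
    seen_txn_ids.add(payment["txn_id"])
    match = REF_RE.search(payment.get("note", "").upper())
    if not match:
        return ("manual_review", None, ["missing reference"])
    ref = match.group(0)
    order = orders.get(ref)
    if order is None:
        return ("manual_review", ref, ["unknown reference"])
    reasons = []
    if order["status"] != "pending":
        reasons.append("order not pending")
    if payment["amount_centavos"] != order["amount_centavos"]:
        reasons.append("amount mismatch")
    deadline = order["created_at"] + WINDOW
    if not order["created_at"] <= payment["received_at"] <= deadline:
        reasons.append("outside time window")
    if reasons:
        return ("manual_review", ref, reasons)
    order["status"] = "confirmed"  # auto-confirm only when every check passes
    return ("confirmed", ref, [])

def demo():
    """Run a constructed feed (hypothetical field names) through reconcile()."""
    t0 = datetime(2026, 5, 14, 22, 0)
    orders = {"NTRY-2026-A7K3X9": {"amount_centavos": 50000,
                                   "created_at": t0, "status": "pending"}}
    def pay(txn_id, amount, note, minutes):
        return {"txn_id": txn_id, "amount_centavos": amount, "note": note,
                "received_at": t0 + timedelta(minutes=minutes)}
    feed = [pay("T1", 45000, "ntry-2026-a7k3x9", 3),       # underpaid
            pay("T2", 50000, "", 4),                       # no reference
            pay("T3", 50000, "ref NTRY-2026-A7K3X9", 5),   # clean match
            pay("T3", 50000, "ref NTRY-2026-A7K3X9", 6)]   # replayed id
    seen = set()
    return [reconcile(p, orders, seen) for p in feed]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Amounts are held as integer centavos so the equality check is exact, and nothing the customer uploads is an input to the decision.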
Red flags to walk away from
A few patterns we've seen on fraudulent or careless sites.
"Just send a screenshot and we'll confirm." No reputable merchant relies on this in 2026. Fake screenshots are too easy to make. Either they're naive (and your real payment may not even register if their match logic is sloppy) or they're using "send a screenshot" as a backdoor to defraud the bank by confirming orders that were never actually paid.
Personal QR code with no merchant brand. A "merchant" QR that's actually pointing to someone's personal GCash account. The receiving name is just a person's name, not a registered business. This may be technically legal in some cases (very small operators do this), but you have no recourse if something goes wrong. Real merchant accounts have transaction-level support.
Pressure to pay before you see the document. "Pay first, then we'll send your notarized doc within an hour." If the merchant insists on full prepayment with no escrow or hold protection, and you've never used them before, be cautious. A legitimate operator will accept payment on completion or use a platform that holds the funds until you receive the deliverable.
Different QR every time. A site that shows a different QR code on each page refresh, or asks you to email them for a "fresh QR." Real merchant QR codes are stable. The reference code is what changes per transaction, not the QR itself.
No receipt issued. If you pay and the merchant doesn't send you any form of receipt — even an emailed confirmation — that's a non-starter. For business use, you'll need a proper Official Receipt with the merchant's TIN, especially for any amount you plan to claim as a business expense or as a deduction.
What to do if you suspect a scam
If you've already paid and you suspect the merchant is fraudulent:
- Report the transaction to GCash or BPI. Both have fraud-reporting hotlines. The sooner you report, the better the chance of recovery — though for completed P2P transfers, recovery is rarely possible.
- File a complaint with the National Bureau of Investigation Cybercrime Division or the PNP Anti-Cybercrime Group. For amounts above PHP 10,000, this is worth doing even if recovery is unlikely — the complaint feeds the database that catches repeat offenders.
- Warn others. A short post on Reddit r/Philippines or a Facebook community page describing the platform, the amount, and the date helps others avoid the same trap.
How we handle it
Our payment flow follows the safe pattern above. You see a reference code on screen, our merchant SMS feed auto-matches the incoming payment, and your order confirms when the match succeeds. If the auto-match fails — wrong reference, missing notes, amount mismatch — a human reviews within one business hour. Either way, you get an email confirmation as soon as the payment is confirmed, and an Official Receipt with our TIN within twenty-four hours.
If you ever pay us and don't receive at least the email confirmation within thirty minutes, contact us. We'll find the transaction.
Common questions
Why do reputable platforms not trust screenshots of payment? Because AI-generated fake screenshots have become a documented scam pattern in 2026. GCash itself has issued warnings. Any platform that confirms a payment based purely on a screenshot is taking on serious fraud risk.
Is QR Ph the same as GCash QR? Not exactly. QR Ph is the national standard set by the BSP. A QR Ph code can be paid by GCash, Maya, BPI, BDO, and other participating banks and wallets. A GCash-only QR code can only be paid from a GCash wallet.
What happens if I forget to include the reference code in the Notes field? The payment will still arrive, but auto-matching may not work — a human will have to match it manually, which adds time. If you forgot, send the platform a message with your name, the amount, and the date so they can find it faster.
What to do next
If you'd like to see the payment flow in action, start a booking. You won't be charged until you actually pay through your own wallet.
If you've experienced a payment scam and want to share the pattern so others can avoid it, send us the details. We catalog these on our trust page.