Skip to content

SCAM LIBRARY · PHISHING & LINKS

The malicious QR code ('quishing')

A scammer sends you a QR code (often by text, email, or posted in public) that looks legitimate but secretly directs you to a fake website designed to steal your login details or payment information.

Documented by the FTC & FBI IC3 · reviewed 2026-07-11T18:14:57.874Z

How it works

You receive a message that seems urgent or official—perhaps claiming there's a problem with your account, a delivery waiting, or a prize to claim. The message includes a QR code and tells you to scan it 'right away' to verify something or take action. When you scan it with your phone camera, it takes you to a convincing fake website that looks like a real company, bank, or service.

What it can look like

You get a text saying your package is held for delivery and to 'scan this code to confirm your address.' You scan it, and a page pops up asking for your name, address, and credit card details—but it's actually a fake site capturing your information for criminals.

How it unfolds

Scams like this follow a pattern. Knowing the arc helps you notice where you are — and step away before the ask.

You receive a text, email, or see a poster with a QR code. It looks like it's from a company you know—your bank, a delivery service, a utility, or a popular retailer. The message creates a small sense of urgency ('confirm your account', 'claim your package', 'update your payment').
You scan the QR code with your phone. It takes you to a website that looks almost identical to the real one. You don't notice small differences in the web address or design. Everything feels official and familiar.
The site asks you to log in, verify your identity, or enter payment details. You may be asked for your username, password, Social Security number, card number, or banking information. It all seems routine—like something the real company would ask.
After you enter your information, the page may say 'thank you' or redirect you to the real website. You may not realize anything is wrong until later—when you notice unexpected charges, login failures on your real account, or contact from your bank about suspicious activity.

Red flags

  • A message creates urgency ('act now,' 'confirm immediately,' 'your account will be closed').
  • You don't recognize who sent the QR code, or the sender's name seems slightly off.
  • The website that opens after scanning asks for passwords, banking details, or personal information you wouldn't normally enter this way.
  • The QR code appears in an unsolicited text, email, social media message, or public posting.
  • The design or web address of the page looks almost—but not quite—like the real company's site.

What to do

  • Don't scan QR codes from unknown or unexpected sources; instead, visit the official website directly by typing the company name into your browser.
  • If you do scan a code and a site asks for passwords or financial information, close it immediately and contact the company using a phone number or website you know is real.
  • Report the suspicious message and QR code to the FTC at reportfraud.ftc.gov, and also forward it to the company being impersonated.

If it already happened

Acting quickly can limit the damage. You are not alone, and it is not your fault.

  • Stop responding to any follow-up messages or emails from the sender. Do not click any more links or scan any codes from them.
  • Contact your bank or credit card issuer immediately using the phone number on the back of your card or your account statement. Tell them what information you entered and ask them to monitor your account for fraud, freeze it if needed, and issue a new card.
  • If you entered your password, change it right away on the real company's website (type the web address directly into your browser, do not use any link you received). Change passwords on any other accounts that use the same or similar password.
  • Report the scam at reportfraud.ftc.gov. Save a copy of the message that contained the QR code, take a screenshot of the fake website if you still can, and keep records of any charges or account changes. This helps protect others.

Sources

Guidance on this page draws on public, authoritative consumer-protection resources (verified live 2026-07-10). Documented by the FTC & FBI IC3 · reviewed 2026-07-11T18:14:57.874Z.

Spotted this or lost money? Report it at reportfraud.ftc.gov. This is general educational information, not legal or financial advice — and ScamVet never asks for your identity or account details.