SCAM LIBRARY · PHISHING & LINKS
The malicious QR code ('quishing')
A scammer sends you a QR code (often by text, email, or posted in public) that looks legitimate but secretly directs you to a fake website designed to steal your login details or payment information.
Documented by the FTC & FBI IC3 · reviewed 2026-07-11T18:14:57.874Z
How it works
You receive a message that seems urgent or official—perhaps claiming there's a problem with your account, a delivery waiting, or a prize to claim. The message includes a QR code and tells you to scan it 'right away' to verify something or take action. When you scan it with your phone camera, it takes you to a convincing fake website that looks like a real company, bank, or service.
What it can look like
You get a text saying your package is held for delivery and to 'scan this code to confirm your address.' You scan it, and a page pops up asking for your name, address, and credit card details—but it's actually a fake site capturing your information for criminals.
How it unfolds
Scams like this follow a pattern. Knowing the arc helps you notice where you are — and step away before the ask.
Red flags
- A message creates urgency ('act now,' 'confirm immediately,' 'your account will be closed').
- You don't recognize who sent the QR code, or the sender's name seems slightly off.
- The website that opens after scanning asks for passwords, banking details, or personal information you wouldn't normally enter this way.
- The QR code appears in an unsolicited text, email, social media message, or public posting.
- The design or web address of the page looks almost—but not quite—like the real company's site.
What to do
- Don't scan QR codes from unknown or unexpected sources; instead, visit the official website directly by typing the company name into your browser.
- If you do scan a code and a site asks for passwords or financial information, close it immediately and contact the company using a phone number or website you know is real.
- Report the suspicious message and QR code to the FTC at reportfraud.ftc.gov, and also forward it to the company being impersonated.
If it already happened
Acting quickly can limit the damage. You are not alone, and it is not your fault.
- Stop responding to any follow-up messages or emails from the sender. Do not click any more links or scan any codes from them.
- Contact your bank or credit card issuer immediately using the phone number on the back of your card or your account statement. Tell them what information you entered and ask them to monitor your account for fraud, freeze it if needed, and issue a new card.
- If you entered your password, change it right away on the real company's website (type the web address directly into your browser, do not use any link you received). Change passwords on any other accounts that use the same or similar password.
- Report the scam at reportfraud.ftc.gov. Save a copy of the message that contained the QR code, take a screenshot of the fake website if you still can, and keep records of any charges or account changes. This helps protect others.
Sources
Guidance on this page draws on public, authoritative consumer-protection resources (verified live 2026-07-10). Documented by the FTC & FBI IC3 · reviewed 2026-07-11T18:14:57.874Z.

