American Express QR Code Scam: What It Is and What to Do
You received a QR code claiming to be from American Express — for a fraud alert, unclaimed Membership Rewards, or a mandatory security check. Here's how the scam works, what Amex would never ask you to scan, and the exact steps to take right now.
How the American Express QR code scam works
American Express cardmembers skew high-income, which makes them a premium target for phishing. Scammers impersonate the Amex brand across four main attack patterns:
- Smishing fraud alerts: A text arrives styled exactly like an Amex security message — “Unusual activity detected on your Amex card. Scan below to verify this charge or your card will be suspended.” The QR code leads to a cloned American Express login page that captures your user ID, password, and sometimes a one-time verification code. This is one of the most pervasive QR code scam text message patterns currently in circulation.
- Membership Rewards phishing: Fake mailers or emails claim the cardmember has unclaimed Membership Rewards points expiring soon — “Your 62,500 points expire in 72 hours. Scan now to redeem.” Because Amex heavily markets its rewards program and cardmembers are accustomed to rewards communications, this variant has high click-through rates. The QR code leads to a convincing rewards portal that harvests card details or account credentials before displaying a fake confirmation screen.
- ATM and merchant terminal sticker scams: Amex is prominently accepted at high-end retailers, hotel check-in desks, airport lounges, and standalone ATMs. Scammers affix QR sticker codes over legitimate payment terminal codes or Amex-branded signage, redirecting users to phishing payment pages. The premium context — a luxury hotel lobby, a Centurion Lounge — lowers suspicion and raises the value of credentials stolen.
- Fake “Amex SafeKey” intercept: American Express's legitimate SafeKey system sends one-time passcodes to verify online purchases. Scammers intercept this flow by sending a QR code to “complete your SafeKey verification” — timed to coincide with a real transaction — harvesting both the passcode and account login in the same session. This is a real-time adversarial attack that exploits cardmembers who are in the middle of a purchase.
The technique behind all of these is called quishing — QR code phishing — and it bypasses the URL-inspection tools that email spam filters and most security software apply to plain hyperlinks. A QR code hides the destination URL entirely until after the scan.
What American Express actually does — and never does — with QR codes
American Express does use QR codes in limited ways:
- Printed advertising campaigns and in-branch marketing materials
- Deep links inside the American Express Mobile app
- Occasionally in physical cardholder welcome kits
American Express will never send you a QR code to:
- Verify your identity or log you into your account
- Unlock, secure, or unsuspend your card or account
- Confirm, authorize, or dispute a transaction
- Claim or activate Membership Rewards points
- Complete a SafeKey or other security verification step
- Update your payment method or personal information
All legitimate American Express account actions happen inside the Amex Mobile app or at americanexpress.com — not through an unsolicited QR code in a text, email, or physical mailer. If urgency is involved (“your points expire in 24 hours,” “your card will be suspended”), that urgency is the scam mechanism, not a real deadline.
For a broader overview of how bank QR code scams operate across all financial institutions, see our full guide.
What to do right now
Your response depends on what happened after you scanned.
If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your Amex accounts closely for the next 48 hours for unauthorized transactions.
If you entered login credentials, a card number, or a one-time passcode, act immediately:
- Call American Express fraud support now. Use the number on the back of your Amex card, or call 1-800-528-4800 for personal cards. Do not use any number provided in the suspicious message.
- Ask them to flag your account for fraud monitoring. This allows their team to alert on and block unusual transactions in real time while you work through recovery steps.
- Change your American Express online account password from a trusted device on a trusted network — not the same device or connection you used when you scanned.
- Enable two-step verification in the Amex Mobile app or at americanexpress.com under security settings, if not already active.
- Review recent transactions for any charges, cash advances, or transfers you didn't authorize. Dispute each one directly with American Express.
- File reports with the FTC at reportfraud.ftc.gov and the CFPB at consumerfinance.gov/complaint. These create a paper trail supporting any dispute resolution.
For a complete recovery checklist that covers every type of financial QR scam, see our guide "What to do if you scanned a suspicious QR code", which walks through every step in order.
How to protect yourself before you scan
The scam works because the fake Amex page looks convincing — cloned fonts, accurate card art, and a plausible scenario. You can't rely on design alone to tell real from fake. You need to check the destination URL before your browser opens anything.
- Scan with QRsafer first. It decodes the QR code and checks the destination URL against threat intelligence before your browser loads anything. A cloned Amex login page will not pass a domain reputation check.
- Verify the domain before entering anything. American Express's real domain is americanexpress.com — nothing else. Attackers use lookalikes like amex-account-verify.com or americanexpress-secure.net. Check the full URL, not just the page appearance.
- Never log in through a QR code you didn't seek out. If a code claims to require your credentials to fix something urgent, open the Amex Mobile app directly or navigate to americanexpress.com in your own browser instead.
- Call the number on the back of your card to verify. Received a text or mailer with a QR code from “Amex”? Call American Express directly at the number on your card and ask if they sent it. If they didn't, you've avoided the scam entirely.
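The domain check from the list above, written out as an added example (not code from American Express or QRsafer). The function name, the https requirement and the `.example` hosts are assumptions of this example; the two lookalike domains are the ones quoted above.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "americanexpress.com"  # the only genuine domain, per the text above


def check_qr_destination(url):
    """Return (trusted, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # drops userinfo/port, lowercases
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":  # assumption of this example: require TLS
        return False, "scheme is not https"
    if not host:
        return False, "no hostname"
    if parts.username is not None:
        # "https://americanexpress.com@other.host/" really goes to other.host
        return False, f"text before '@' is a decoy, real host is {host}"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, f"{host!r} uses non-ASCII lookalike characters"
    # Exact match or a true subdomain; the leading dot is what stops
    # "notamericanexpress.com" and "americanexpress.com.evil.example".
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, f"{host} belongs to {TRUSTED_DOMAIN}"
    if "amex" in host or "americanexpress" in host:
        return False, f"{host} imitates the brand but is a different domain"
    return False, f"{host} is unrelated to {TRUSTED_DOMAIN}"


# Constructed sample destinations; the two lookalikes are quoted from the text.
SAMPLES = [
    "https://www.americanexpress.com/en-us/account/login",
    "https://amex-account-verify.com/login",
    "https://americanexpress-secure.net/safekey",
    "https://americanexpress.com.card-review.example/verify",
    "https://americanexpress.com@card-review.example/verify",
    "http://americanexpress.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        trusted, reason = check_qr_destination(sample)
        print("OK  " if trusted else "STOP", sample, "->", reason)
```

Only the first sample passes: the others put the real name in the wrong position (before an `@`, as a prefix of another domain, or inside a hyphenated lookalike) or drop TLS.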
For a broader guide to identifying suspicious codes in real time, see "How to spot a malicious QR code before you scan", which covers visual and contextual signals across every scam type.
Frequently asked questions
Does American Express ever send QR codes?
American Express uses QR codes only in limited, controlled contexts — printed advertising and in-branch materials. Amex will never text, email, or mail you a QR code asking you to verify your identity, secure your account, or redeem rewards. Any unsolicited QR code making those claims is a scam.
What should I do if I scanned a QR code that looked like it was from American Express?
If you scanned but didn't enter anything, monitor your accounts for 48 hours. If you entered your login credentials, card number, or a one-time passcode, call American Express fraud support immediately at 1-800-528-4800 — or the number on the back of your card. Ask them to flag your account, then change your password and review recent transactions from a clean device.
Can I get my money back after an American Express QR code scam?
Speed matters most. Call American Express immediately to report unauthorized access and dispute any transactions. Amex's zero-liability fraud protection covers unauthorized charges reported promptly. Also file complaints with the CFPB at consumerfinance.gov/complaint and the FTC at reportfraud.ftc.gov.
