Bank of America QR Code Scam: What It Is and What to Do
You received a QR code claiming to be from Bank of America — to verify your account, confirm a fraud alert, or check a Zelle transfer. Here's how the scam works, what BofA would never actually ask you to scan, and what to do right now.
How the Bank of America QR code scam works
Bank of America is one of the most widely impersonated bank brands in the United States — its size means that a fake BofA message reaches a large pool of real customers who find it credible. Scammers exploit that reach through four main variants:
- Smishing texts: A text arrives with BofA's branding and language like “Unusual activity detected on your account. Scan the code below to confirm your identity or your card will be suspended.” The QR code leads to a pixel-perfect Bank of America login clone. This is one of the most common QR code scam text message patterns in circulation.
- Fake paper mailings: Physical letters mimicking official BofA correspondence — complete with your name, a partial account number, and BofA's logo — direct you to scan a QR code to “resolve a security issue” or “update your billing information.” The envelope can look convincingly official.
- ATM sticker scams: Fraudulent QR code stickers placed over legitimate codes on BofA ATM screens or branch lobby signage. When you scan them expecting to access your account, you land on a credential-harvesting login page instead. See the full guide to ATM QR code scams for more on this attack.
- Fake Zelle or Erica notifications: Messages impersonating BofA's built-in Zelle transfers or Erica (BofA's AI assistant) with a QR code to “confirm” or “authorize” a pending transaction. Scanning it captures your banking credentials before any real transaction takes place.
Scammers use QR codes instead of plain links because QR codes bypass email security filters that would flag a suspicious URL — and they force you onto your phone, where the fake login page fills your screen and the address bar is easy to overlook. This technique is called quishing, and it is rising precisely because mobile browsers make URLs harder to inspect.
What Bank of America actually does — and never does — with QR codes
Bank of America does use QR codes in limited, controlled ways:
- In-branch appointment check-in kiosks
- Marketing materials linking to the Bank of America Mobile Banking app
- Deep links inside the app itself
Bank of America will never send you a QR code to:
- Verify your identity or log you into your account
- Unlock a restricted or suspended account
- Confirm, authorize, or dispute a transaction
- Claim a reward, activate a promotion, or redeem a benefit
- Confirm a Zelle payment from outside the Bank of America Mobile Banking app
Every legitimate Bank of America security action happens inside the BofA Mobile Banking app or at bankofamerica.com — not through an unsolicited QR code in a text, email, or physical mailer. If a code claims to require your credentials to fix something urgent, that urgency is the scam.
For more context on how bank QR code scams work across all financial institutions, see our full guide.
What to do right now
Your response depends on what you did after scanning.
If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your Bank of America accounts closely for the next 48 hours.
If you entered your login credentials, card number, or a one-time passcode, act immediately:
- Call Bank of America fraud support now. Use the number on the back of your BofA debit or credit card, or call 1-800-432-1000. Do not use any phone number provided in the suspicious message.
- Ask them to freeze your online banking access. This blocks the attacker from draining your account or making transfers while you work through recovery.
- Change your BofA password and PIN from a trusted device on a trusted network — not the device or connection you used when you scanned the code.
- Enable two-step verification in the Bank of America Mobile Banking app security settings if it isn't already active.
- Review recent transactions for any charges, Zelle transfers, or payee additions you didn't authorize. Report each one to BofA as unauthorized.
- File a report with the FTC at reportfraud.ftc.gov and with the CFPB at consumerfinance.gov/complaint.
For a complete recovery checklist that covers every type of financial QR scam, see our guide on what to do if you scanned a suspicious QR code, which walks through each step in order.
How to protect yourself before you scan
The scam works because the fake BofA page looks right. You can't rely on design — you need to check the URL before your browser opens anything.
- Scan with QRsafer first. It analyzes the destination URL against threat intelligence sources and returns a verdict before your browser loads anything. A cloned Bank of America login page will not pass a threat check.
- Verify the domain before entering anything. Bank of America's real domain is always bankofamerica.com — nothing else. Attackers use lookalikes like bankofamerica-secure-verify.com or bofa-account-alert.net. Check the full URL, not just the page design.
- Never log in to BofA through a QR code. If a code claims to require your banking credentials, open the Bank of America Mobile Banking app directly instead. Ten extra seconds is worth it.
- Call BofA to verify unexpected messages. Got a text or mailer with a QR code from Bank of America? Call 1-800-432-1000 and ask if they sent it. If they didn't, you just avoided the scam entirely.
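The domain check from the list above, as an added example (not code from QRsafer or Bank of America): it parses the URL decoded from a QR code with the same rules a browser uses and accepts only bankofamerica.com or a true subdomain of it. The function name, reason labels and sample URLs are assumptions made for illustration; the two lookalike domains are the ones named above.

```javascript
// Added example: classify the URL decoded from a QR code before opening it.
// ALLOWED_DOMAIN comes from the article; checkQrUrl and its labels are hypothetical.
const ALLOWED_DOMAIN = "bankofamerica.com";

function checkQrUrl(raw) {
  let url;
  try {
    url = new URL(raw.trim()); // WHATWG parser, the rules a browser applies
  } catch {
    return { ok: false, reason: "not-a-url" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not-https", host: url.hostname };
  }
  // "https://bankofamerica.com@host/" puts the brand in the userinfo part;
  // the real destination is whatever follows the "@".
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo-trick", host: url.hostname };
  }
  // hostname is already lowercased; non-ASCII names arrive as punycode (xn--).
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode-host", host };
  }
  // Exact match or a true subdomain. A substring or startsWith test would
  // accept bankofamerica-secure-verify.com and bankofamerica.com.<anything>.
  if (host === ALLOWED_DOMAIN || host.endsWith("." + ALLOWED_DOMAIN)) {
    return { ok: true, reason: "official-domain", host };
  }
  return { ok: false, reason: "lookalike-or-unrelated", host };
}

const samples = [ // constructed inputs; the two lookalikes are the article's
  "https://www.bankofamerica.com/",
  "https://bankofamerica-secure-verify.com/login",
  "https://bofa-account-alert.net/",
  "https://bankofamerica.com.account-check.example/",
  "https://bankofamerica.com@login.example/",
  "http://bankofamerica.com/",
  "https://b\u0430nkofamerica.com/", // Cyrillic "а" in place of Latin "a"
];
for (const s of samples) {
  const r = checkQrUrl(s);
  console.log(r.ok ? "PASS" : "FAIL", r.reason.padEnd(22), s);
}
```

A PASS here only says the host is the bank's own domain; it does not change the advice to open the app directly rather than log in through a scanned code.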
For broader help identifying suspicious codes in real time, see our guide on how to spot a malicious QR code before you scan, which covers visual and contextual signals across every type of QR scam.
Frequently asked questions
Does Bank of America ever send QR codes?
Bank of America uses QR codes only in limited, in-person contexts — branch kiosks, marketing materials, and deep links inside its Mobile Banking app. BofA will never text, email, or mail you a QR code asking you to verify your identity, unlock your account, or authorize a transaction. Any QR code that claims to require those actions is a scam.
What should I do if I scanned a QR code that looked like it was from Bank of America?
If you scanned but didn't enter anything, monitor your accounts closely for 48 hours. If you entered login credentials, a card number, or a one-time passcode, call BofA fraud support immediately at the number on the back of your card. Ask them to freeze your online access while you change your password and review recent transactions from a trusted device.
Can I get my money back after a Bank of America QR code scam?
Your chances improve significantly the faster you act. Call Bank of America immediately to report unauthorized access and dispute any transactions. BofA's zero-liability policy covers unauthorized electronic transfers reported promptly. Also file complaints with the CFPB at consumerfinance.gov/complaint and the FTC at reportfraud.ftc.gov.
Check the URL before Bank of America asks for your password
QRsafer scans any QR code and shows you whether the destination is safe before your browser opens it. Free on iOS and Android.
