Bank QR Code Scam: What It Is and What to Do

How the bank QR code scam works

The scam starts with a message that looks like it came from your bank. It arrives as an email, a text, or even a printed letter — complete with your bank's logo, color scheme, and formal tone. The message creates urgency: your account is locked, a suspicious charge needs confirmation, or your debit card will be deactivated within 24 hours.

Included is a QR code. Scanning it opens a page that looks exactly like your bank's online login portal — same design, same fields, often a domain that resembles the real one. You enter your username, password, and sometimes a one-time passcode. That's all the attacker needs.

These messages arrive through several channels:

• Phishing emails spoofing your bank's domain or display name
• SMS messages claiming to be from bank fraud alerts
• Printed letters mailed to your home address
• Stickers placed over legitimate QR codes at bank branches or ATMs

Using a QR code instead of a plain link is deliberate. It bypasses email link scanners that flag suspicious URLs — and forces you onto your phone, where the fake login page fills your screen and the URL bar is easy to overlook. This is the same mechanic behind quishing attacks, which are rising specifically because phones make URLs harder to inspect.

What your bank actually does — and never does — with QR codes

Banks do use QR codes legitimately, but only in narrow, low-stakes ways:

• In-branch kiosk check-in for appointments
• Marketing materials linking to a mobile app download
• Deep links inside the bank's own app for transferring or referencing information

Your bank will never send you a QR code to:

• Verify your identity or confirm your login credentials
• Unlock a frozen or suspended account
• Authorize or dispute a transaction
• Avoid account closure or prevent fraud from spreading

If a QR code claims to be your bank asking you to log in and fix something urgent — that claim is the scam. The real bank would direct you to log in through their official app or website, not through a code.

What to do right now

If you scanned a QR code that claimed to be from your bank, your response depends on what you did next.

If you only scanned and didn't enter anything: Your risk is low. Close the page, don't return to it, and monitor your bank accounts for 48 hours.

If you entered your login credentials or a one-time passcode, act immediately:

1. Call your bank now. Use the number on the back of your debit or credit card, or go directly to your bank's official website to find it. Do not use any number provided in the suspicious message.
2. Ask them to freeze your online banking access. This prevents the attacker from draining your account or making transfers while you work through the next steps.
3. Change your banking password and PIN from a trusted device on a trusted network — not the device or network you used to scan the code.
4. Enable two-factor authentication if it isn't already active. Your bank's app or website will have this in security settings.
5. Review recent transactions for any charges, transfers, or payee additions you didn't authorize. Report them to your bank immediately.
6. File a complaint with the CFPB and FTC. Report banking fraud at consumerfinance.gov/complaint and general fraud at reportfraud.ftc.gov.

For a full recovery checklist after any suspicious scan, what to do if you scanned a suspicious QR code walks through each step in order.

How to protect yourself before you scan

The attack works because it looks exactly right. The protection isn't a sharper eye — it's a URL check before your browser opens anything.

• Scan with QRsafer first. It checks the destination URL against multiple threat intelligence sources and returns a Safe, Risky, or Dangerous verdict before your browser loads the page. A cloned bank login will not clear a threat check.
• Verify the domain before entering anything. Your bank's real domain is short and consistent — for example, chase.com or bankofamerica.com. Attackers use lookalikes like chase-secure-verify.com or b4nkofamerica.net. Check the full URL, not just the page design.
• Never log in to banking through a QR code. If a code claims to require your banking credentials, go directly to your bank's app or website instead of following the link. Take the extra ten seconds — it's worth it.
• Call your bank to verify unexpected messages. Got a text or email with a QR code from your bank? Call the number on your card and ask if they sent it. If they didn't, you just avoided the scam.

For a broader guide to identifying suspicious codes in the moment, how to spot a malicious QR code before you scan covers visual and contextual signals across every type of QR scam.

Frequently asked questions