# QR Code Scam Incident Response Checklist

> Scanned a suspicious QR code? Use this decision-tree checklist to decide what to do next based on whether you only opened a page, entered a password, paid money, installed an app, or used a work account.

URL: https://www.qrsafer.com/blog/qr-code-scam-incident-response-checklist
Published: 2026-07-09

---

Start with one practical question: what did the QR code get you to do?

The scan itself is rarely the whole incident. The risk depends on what happened after the scan: whether a page loaded, whether you typed a password, whether you paid money, whether you installed something, or whether a work account was involved. Use this checklist to pick the right response without overreacting or waiting too long.

## First 60 seconds

Do these before you investigate:

1. Close the page or app the QR code opened.
2. Do not enter more information.
3. Take a screenshot of the page or URL if it is still visible.
4. Photograph the physical QR code if it was on a sign, sticker, receipt, flyer, kiosk, or package.
5. Write down what you entered or approved, if anything.

Then use the decision tree below.

## Scenario A: You only opened the page

If you scanned the code, saw a page, and closed it without entering anything, the risk is usually low on a modern phone. A web page can log a visit, approximate location from IP address, device type, and browser details. It usually cannot steal passwords, contacts, files, photos, or bank details just because the page loaded.

Your checklist:

- Close the page.
- Clear the browser tab if it keeps reopening.
- Report the suspicious QR code if it was in a public place.
- Do not change every password unless you entered one or approved a prompt.
- Read [what happens if you scan a fake QR code](/what-happens-if-you-scan-a-fake-qr-code) for the plain-language risk breakdown.

## Scenario B: You entered a password

Treat this as a credential compromise. Speed matters.

- Go to the official website or app by typing the address yourself.
- Change the password immediately.
- Sign out of all active sessions.
- Enable two-factor authentication.
- Check account recovery email, recovery phone, forwarding rules, and connected apps.
- Change the same password anywhere else you reused it.

If the page looked like Microsoft, Google, Apple, or a work login, also check these guides:

- [I scanned a QR code and it sent me to a fake login page](/i-scanned-a-qr-code-and-it-sent-me-to-a-fake-login-page)
- [Microsoft QR Code Scam](/microsoft-qr-code-scam)
- [Apple ID QR Code Scam](/apple-id-qr-code-scam)

## Scenario C: You entered card or bank details

Act as if the payment information is exposed.

- Call the card issuer or bank using the number on the card or the official app.
- Ask whether the account should be locked, monitored, or reissued.
- Dispute unauthorized charges.
- Save receipts, confirmation pages, and screenshots.
- If online banking credentials were entered, change the password and revoke active sessions.

For deeper recovery, use [bank QR code scam guidance](/bank-qr-code-scam) and the guide on [QR code credit card scams](/blog/qr-code-credit-card-scam).

## Scenario D: You sent money through P2P, crypto, wire, or ACH

Payment recovery depends on the payment rail. Move quickly and do not negotiate with the scammer.

- Contact the payment provider immediately.
- Contact your bank if the funds came from a bank account or card.
- Ask whether the transfer can be reversed, recalled, or disputed.
- Preserve the payment ID, wallet address, recipient handle, phone number, email, and QR code photo.
- Report the incident to ReportFraud.ftc.gov. For substantial losses, also report to IC3.gov.

If the scam involved an invoice, see [fake invoice QR code scams](/fake-invoice-qr-code-scam).

## Scenario E: You downloaded or installed something

The response depends on whether you only downloaded a file or installed an app.

- Delete the downloaded file if you did not open it.
- If you installed an app, uninstall it.
- Review app permissions for camera, contacts, photos, location, and files.
- Update your operating system and browser.
- If the app asked for device management, accessibility, VPN, or remote-control permissions, get technical help before using the device for banking or work.

For a related scenario, read [I scanned a QR code and it downloaded something](/i-scanned-a-qr-code-and-it-downloaded-something).

## Scenario F: It involved a work account or workplace QR code

Report it even if you feel unsure. Early reporting gives IT a chance to revoke sessions, review sign-in logs, and warn other employees.

- Tell IT or security what account was involved.
- Send the screenshot, message, URL, and photo of the QR code.
- Do not delete the original email or message unless IT tells you to.
- If you entered credentials, change the password through the official company portal.
- If the code was posted in an office, lobby, kiosk, or customer-facing location, preserve a photo before removing it.

This connects to the broader guidance on [protecting employees from QR code scams](/blog/how-to-protect-employees-from-qr-code-scams).

## Quick reporting map

| Incident type | Who to contact first | What to preserve |
|---|---|---|
| Password entered | Account provider or IT | URL, screenshot, message |
| Card entered | Card issuer | Receipt, URL, merchant name |
| Bank details entered | Bank fraud line | Account used, URL, screenshots |
| P2P payment sent | Payment app support | Recipient handle, payment ID |
| Crypto sent | Exchange or wallet provider | Wallet address, transaction hash |
| Work account involved | IT/security | Original email, QR image, URL |
| Physical sticker found | Property owner or business | Photo, location, time |

## Prevention for next time

The strongest habit is simple: preview the QR destination before the browser opens it. If the destination is shortened, misspelled, unrelated to the place where you found the code, or asking for credentials too early, stop and verify through another channel.

Use the prevention guide on [how to spot a malicious QR code before you scan](/blog/how-to-spot-a-malicious-qr-code-before-you-scan) and keep [the QR Code Threat Map](/threat-map) handy for local patterns.

## See also

- [What to Do If You Scanned a Suspicious QR Code](/blog/what-to-do-if-you-scanned-a-suspicious-qr-code)
- [Bank QR Code Scam](/bank-qr-code-scam)
- [Fake Invoice QR Code Scam](/fake-invoice-qr-code-scam)
- [I Scanned a QR Code and It Sent Me to a Fake Login Page](/i-scanned-a-qr-code-and-it-sent-me-to-a-fake-login-page)
- [QR Code Threat Map](/threat-map)

Download QRsafer for [iOS](/app/ios?source=content&utm_campaign=qr-code-scam-incident-response-checklist&utm_content=cta) or [Android](/app/android?source=content&utm_campaign=qr-code-scam-incident-response-checklist&utm_content=cta) so the next QR code is checked before the page opens.

---

## Frequently asked questions

**What should I do first after scanning a suspicious QR code?**

Close the page, stop entering information, and identify what happened: did you only open the page, enter a password, enter card or bank details, send money, install an app, or use a work account? Your next steps depend on that answer.

**Do I need to change passwords if I only scanned the QR code?**

Usually no. If you only opened a page and did not enter credentials, approve a prompt, download an app, or submit information, changing passwords is usually unnecessary. Report the suspicious code and avoid returning to the page.

**What evidence should I keep after a QR code scam?**

Keep screenshots of the page, the URL, payment confirmations, messages, emails, and a photo of the physical QR code if there was one. Do not keep scanning the code to investigate it.

**When should I report a QR code incident at work?**

Report it immediately if you scanned with a work device, entered work credentials, used a work account, saw a QR code in a work email, or found a suspicious code in an office or customer-facing location.