What is a QR code scam text message?

A QR code scam text — a form of smishing — is a fraudulent SMS or iMessage that includes a QR code image instead of a clickable link. Attackers use codes because QR images bypass the spam filters and phishing-link detectors that flag suspicious URLs in text messages. Scanning routes you to a phishing page designed to harvest credentials or payment information.

Why do scammers use QR codes in texts instead of links?

Spam filters and carrier-level security tools scan the text body for known phishing URLs. A QR code image contains no detectable link — just a pattern of pixels. The dangerous URL only exists after a phone camera reads the code, which happens entirely outside any automated text-message screening system.

What should I do if I get a suspicious QR code in a text?

Don't scan it. If the text claims to be from USPS, a toll authority, or your bank, go to their official website directly rather than scanning. Report the message to 7726 (SPAM) in the US and mark it as junk in your messaging app. If you already scanned, close the browser immediately and don't enter any information on the page that opened.

How can I tell if a QR code text is a scam?

Legitimate organizations — USPS, banks, state toll authorities — don't send QR codes in unsolicited texts. Red flags include unexpected delivery or toll notifications, urgency language like 'act within 24 hours,' and any request to scan to verify a payment or account. The rule is simple: if you didn't initiate the interaction, the QR code has no legitimate purpose for you.

QR Code Scam Text Message: How Smishing Works

A text arrives: your package couldn't be delivered — scan the QR code to reschedule. It has a logo, a tracking number, a professional layout. The QR code routes to a phishing site. You never had a package.

QR code scam text messages — a form of smishing — are one of the fastest-growing phishing delivery methods right now. Here's why attackers switched from plain links to embedded codes, and what to do when one lands in your messages.

Why scammers send QR codes instead of links

Carriers and operating systems scan text messages for suspicious links. Known phishing URLs get flagged. Messages containing links to newly registered or blocklisted domains can be stopped before delivery.

A QR code image defeats these filters entirely. There's no URL in the text body — just pixels. The dangerous link only becomes active after a phone camera reads the code, which happens outside any automated text-message screening system.

Attackers also exploit phone ergonomics. Scanning opens a link at full screen in your mobile browser. The address bar is small, tucked at the top, easy to miss when the page design looks exactly right.

What a QR code scam text looks like

These messages impersonate organizations with a legitimate reason to contact you.

USPS and delivery notifications

"Your package was held. Scan to confirm your address and reschedule delivery." USPS sends tracking texts — but never QR codes to resolve delivery issues. Real USPS links start with usps.com and are plain text you can read before tapping. A QR image in a delivery text didn't come from USPS.

Toll road unpaid-toll alerts

A message from what looks like a state toll authority claims you owe a small balance — scan to pay before a fine applies. No state toll system collects payment through a QR code in an unsolicited text. EZPass, SunPass, and similar services direct you to their official apps or websites.

Bank account verification

"Unusual activity detected on your account. Scan to verify your identity." Your bank communicates account issues through its official app — not random texts with QR images. These codes lead to cloned login pages designed to capture your username, password, and one-time passcode in a single form.

Prize and reward claims

"You've been selected for a loyalty reward — scan to claim." There's nothing to claim. There's a form that collects your personal information, and sometimes a fake "processing fee" payment page afterward.

What happens when you scan

Your browser opens a phishing page. The attack follows one of two paths: a fake login form that captures your credentials, or a fake payment form that captures your card details.

What happens if you scan a fake QR code covers the full technical sequence — from scan to data capture — in detail.

What to do when you receive a QR code text

Don't scan it. If you weren't expecting a delivery update, toll notice, or bank alert, the code has no legitimate purpose for you.
Verify through official channels. Go directly to USPS.com, your bank's app, or your state's toll authority website. Use contact details from those sources — not from the text.
Report it. Forward the message to 7726 (SPAM) in the US. Mark it as junk in your messaging app. Both help filter future attacks for everyone.
If you already scanned: Close the browser immediately. If you entered any information — credentials, card details, personal data — go to what to do if you scanned a suspicious QR code for step-by-step recovery.

How QRsafer protects against QR code scam texts

When you scan a QR code with QRsafer — even one received in a suspicious text — it checks the destination URL against threat databases before anything opens in your browser. A known phishing domain, a suspicious redirect chain, or a newly registered lookalike triggers a warning before you tap through.

The verdict is immediate: Safe, Risky, or Dangerous. No account, no login, no setup beyond installing the app.

The free tier checks codes against Google Web Risk. Premium runs every scan through five security engines simultaneously — catching newer phishing infrastructure that a single database may not have catalogued yet. That matters with text-based scams because attackers rotate domains frequently to stay ahead of blocklists.