QR Code Scams on WhatsApp: How to Spot Them Before It's Too Late

WhatsApp QR code scams come from strangers and compromised contacts alike. One variant hijacks your account silently. Another drains your wallet. Here's how both work — and what to do if you already scanned.

2026-04-18 · QRsafer Team

A message lands in your WhatsApp from a contact you know. Or from a stranger who sounds urgent. There's a QR code attached — scan it to verify your account, claim a prize, or complete a payment. WhatsApp QR code scams have two distinct forms, and both are effective precisely because WhatsApp is a platform people trust.

Here's what's actually happening when those codes show up in your chats.

Vector 1: The account-hijack QR code

This is the more dangerous of the two — and the quieter one.

WhatsApp Web works by displaying a QR code on your computer screen that you scan with your phone. The moment you scan it, your account is mirrored on that browser session. Attackers exploit this mechanism by generating a legitimate WhatsApp Web login code and sharing it with you inside WhatsApp — disguised as something else entirely.

The message might say:

  • "WhatsApp is updating security — scan to confirm your account."
  • "We detected unusual activity. Scan to verify your identity."
  • "Scan this code to unlock a new feature."

None of those are real WhatsApp prompts. If you scan the code, you've handed the attacker a fully active session on your account. They can read every message in your inbox, send messages as you, share files, and access your contact list — all without triggering any obvious alert on your phone.

How to check right now: Open WhatsApp → Settings → Linked Devices. If you see any session you don't recognize, tap it and select Log Out. Then change your two-step verification PIN under Settings → Account → Two-step verification.

WhatsApp will never send you a QR code to scan inside the app. If a QR code arrives claiming to be from WhatsApp, it isn't.

Vector 2: Payment and phishing QR codes in chats

The second variant skips account takeover entirely and goes straight for money or credentials.

A contact — often one whose account has already been compromised — sends you a QR code with a plausible framing:

  • A payment link for something you supposedly owe
  • A prize or giveaway redemption page
  • A "secure link" to a shared document or deal

When you scan it, you're taken to a phishing page designed to look like a bank, a payment platform like PayPal or Venmo, or a login screen. Enter your credentials or card details and they go directly to the attacker.

This variant works because WhatsApp is a messaging platform — people share links and payments there naturally. The social proof of it coming from a known number removes the usual hesitation.

How compromised contacts spread the scam

When an attacker hijacks a WhatsApp account using the method above, the first thing they typically do is send the same scam to everyone in the victim's contact list and active chats. You receive the QR code from your friend's real number, using their real name and profile photo. Nothing signals that the account is compromised.

This is why a message that begins "Hey, quick favor — can you scan this?" from a friend should still make you pause. The friend may not know their account is being used. Verify through a phone call or a separate text before scanning anything.

Steps to secure your account after scanning

If you scanned a QR code sent to you on WhatsApp and aren't sure what it did:

  1. Check Linked Devices — Settings → Linked Devices. Remove every unfamiliar session.
  2. Change your PIN — Settings → Account → Two-step verification → Change PIN.
  3. Revoke active sessions on any payment platforms — if you entered payment details, contact your bank immediately.
  4. Alert your contacts — if your account was compromised, your contacts may have already received the same scam from your number. Send a message letting them know.
  5. Review your message history — check whether the attacker sent anything from your account while you were unaware.

For a complete walkthrough, see what happens when you scan a fake QR code and our recovery guide.

Why QR codes spread so effectively on WhatsApp

Attackers use QR codes in messaging apps for the same reason they use them in phishing emails: a QR code can't be hovered over to preview a URL the way a text link can. On mobile, it also bypasses built-in link-safety warnings. The code looks inert — just a square image — until you point your camera at it.

That's the gap QRsafer closes. Before anything loads, you get a destination preview and a threat verdict. For payment or phishing QR codes, that check stops the scam before your data ever leaves your phone.
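To make the idea of a destination preview concrete, here is an added example (not QRsafer's implementation) that takes the text decoded from a QR code and reports the real host plus local warning signs. The function name, the brand table, and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny brand -> legitimate domain table, constructed for this example.
BRAND_DOMAINS = {"paypal": "paypal.com", "venmo": "venmo.com", "whatsapp": "whatsapp.com"}

def preview(payload: str) -> dict:
    """Show where a decoded QR payload really leads and why it may deserve caution."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = bool(parts.username or parts.password)
    except ValueError:
        return {"host": None, "verdict": "caution", "reasons": ["malformed URL"]}
    if parts.scheme not in ("http", "https"):
        return {"host": None, "verdict": "not-a-web-link",
                "reasons": [f"scheme={parts.scheme or 'none'}"]}
    reasons = []
    if not host:
        reasons.append("no host in URL")
    if parts.scheme == "http":
        reasons.append("unencrypted http")
    if has_userinfo:
        reasons.append("text before @ is not the host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible look-alike characters)")
    for brand, domain in BRAND_DOMAINS.items():
        legit = host == domain or host.endswith("." + domain)
        if brand in host and not legit:
            reasons.append(f"mentions '{brand}' but is not {domain}")
    verdict = "caution" if reasons else "no-local-flags"
    return {"host": host, "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample payloads; .example and 203.0.113.0/24 are reserved for documentation.
    for sample in ("https://paypal.com.secure-login.example/signin",
                   "https://paypal.com@203.0.113.7/pay",
                   "https://www.paypal.com/signin"):
        print(sample, "->", preview(sample))
```

A "no-local-flags" result only means these string checks found nothing; it is not a reputation lookup and says nothing about what the page behind the link does.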

What to remember on WhatsApp

  • WhatsApp never sends QR codes inside the app. Any code claiming to be from WhatsApp is an impersonation.
  • A code from a known contact is not automatically safe — their account may be compromised.
  • Scan any unknown QR code with QRsafer before tapping through.
  • Check Linked Devices regularly — it's the fastest way to catch an unauthorized session.

Download QRsafer for iOS or Android and run it on every QR code that lands in your chats — trusted contact or not.

FAQ

Can someone hack my WhatsApp by sending me a QR code?

Yes — if you scan a QR code sent by an attacker and that code is a WhatsApp Web login code, you've granted them full access to your account. They can read your messages, impersonate you, and repeat the scam with your contacts. You won't see any notification that a new session was opened unless you check Settings > Linked Devices.

What should I do if I scanned a suspicious QR code in WhatsApp?

Act immediately. Open WhatsApp, go to Settings > Linked Devices, and remove every session you don't recognize. Change your WhatsApp PIN under Settings > Account > Two-step verification. If you also entered any payment or login details on the page the QR code opened, contact your bank and change those passwords from a trusted device.

Why do my trusted contacts sometimes send scam QR codes?

If a contact's WhatsApp account has been compromised, attackers use it to send the same scam to everyone in that contact's chat list. The message looks real because it comes from a familiar number. Always verify through a phone call or separate text if a contact unexpectedly asks you to scan a QR code.

Does QRsafer detect WhatsApp QR code scams?

QRsafer scans any QR code before you tap through — including codes sent in chats. For payment or phishing QR codes, it checks the destination URL against threat intelligence databases and returns a Safe, Risky, or Dangerous verdict in seconds. For WhatsApp Web login codes, the destination is a WhatsApp domain, so QRsafer won't flag it as malicious — which is why understanding the account-hijack scam is important: never scan a WhatsApp login code someone sent you.