Chase Bank QR Code Scam: What It Is and What to Do

Why Chase is the most impersonated bank in QR scams

Chase is the largest retail bank in the United States — and that scale makes it the most-impersonated bank brand in QR code phishing campaigns. Scammers know that if they blast out fake Chase messages, a large share of recipients are actual Chase customers who will find them credible.

The scam arrives through four main channels:

• Smishing texts: A message arrives with Chase's logo and a line like “Your Chase account has been restricted. Scan the code below to verify your identity within 24 hours or your account will be suspended.” The QR code leads to a pixel-perfect Chase login clone.
• Fake Sapphire rewards mailers: Physical mail that mimics a Chase Sapphire or Freedom promotional offer, promising bonus points if you scan a QR code to “activate your reward.” The link harvests your Chase credentials.
• ATM sticker scams: Fraudulent QR code stickers placed over legitimate QR codes on Chase ATM screens or branch signage, redirecting you to a phishing login page when you try to access your account.
• Fake Zelle confirmation codes: Messages claiming a Zelle payment to or from your Chase account needs verification, with a QR code to “confirm” the transfer. Scanning it captures your banking credentials before any real transaction takes place.

Using a QR code instead of a plain link is deliberate. It bypasses email security filters that flag suspicious URLs, and forces you onto your phone — where the fake login page fills the screen and the URL bar is easy to miss. This technique is called quishing, and it's rising specifically because mobile browsers make URLs harder to inspect.

What Chase actually does — and never does — with QR codes

Chase does use QR codes in limited, controlled ways:

• In-branch appointment check-in kiosks
• Marketing materials that link to the Chase Mobile app download
• Deep links inside the Chase Mobile app itself

Chase will never send you a QR code to:

• Verify your identity or log you into your account
• Unlock a restricted or suspended account
• Confirm, authorize, or dispute a transaction
• Claim a reward, activate a bonus, or redeem points
• Confirm a Zelle payment from outside the Chase Mobile app

Every legitimate Chase security action happens inside the Chase Mobile app or at chase.com — not through an unsolicited QR code in a text, email, or mailer. If a code is asking you to log in and resolve something urgent, that urgency is the scam.

For more on how bank QR code scams work across all financial institutions, see our full guide.

What to do right now

Your response depends on what you did after scanning.

If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your Chase accounts closely for the next 48 hours.

If you entered your login credentials, card number, or a one-time passcode, act immediately:

1. Call Chase fraud support now. Use the number on the back of your Chase debit or credit card, or call 1-800-935-9935. Do not use any phone number or contact info in the suspicious message.
2. Ask them to freeze your online banking access. This blocks the attacker from draining your account or making transfers while you work through recovery.
3. Change your Chase password and PIN from a trusted device on a trusted network — not the device or connection you used when you scanned the code.
4. Enable two-step verification in the Chase Mobile app security settings if it isn't already active.
5. Review recent transactions for any charges, Zelle transfers, or payee changes you didn't make. Report each one to Chase as unauthorized.
6. File a report with the FTC at reportfraud.ftc.gov and with the CFPB at consumerfinance.gov/complaint.

For a complete recovery checklist that covers every type of financial QR scam, what to do if you scanned a suspicious QR code walks through each step in order.

How to protect yourself before you scan

The scam works because the fake Chase page looks right. You can't rely on the design — you need to check the URL before your browser opens anything.

• Scan with QRsafer first. It analyzes the destination URL against threat intelligence sources and returns a verdict before your browser loads anything. A cloned Chase login page will not pass a threat check.
• Verify the domain before entering anything. Chase's real domain is always chase.com — nothing else. Attackers use lookalikes like chase-secure-verify.com or mychasealert.net. Check the full URL, not just the logo on the page.
• Never log in to Chase through a QR code. If a code claims to require your banking credentials, open the Chase Mobile app directly instead. Take ten seconds to do it the right way.
• Call Chase to verify unexpected messages. Got a text or mailer with a QR code from Chase? Call 1-800-935-9935 and ask if they sent it. If they didn't, you just avoided the scam entirely.

For a broader guide to identifying suspicious codes in real time, how to spot a malicious QR code before you scan covers visual and contextual signals across every type of QR scam.

Frequently asked questions