Citibank QR Code Scam: What It Is and What to Do
You received a QR code claiming to be from Citibank — to confirm a fraud alert, verify your account, or claim ThankYou Points. Here's how the scam works, what Citi would never actually ask you to scan, and what to do right now.
How the Citibank QR code scam works
Citibank is one of the most frequently impersonated financial brands in the United States — its large credit-card customer base makes it an attractive target. Scammers run four main variants of the Citi QR code scam:
- Smishing texts: A text message arrives with Citi branding and urgent language — “Suspicious activity detected on your account. Scan the code below to confirm your identity or your card will be suspended.” The QR code leads to a pixel-perfect Citi login clone that harvests your username and password. This is a classic QR code scam text message pattern that bypasses email spam filters by arriving as an SMS.
- Fake “Citi ThankYou Points” reward mailers: Physical mailers and emails impersonate Citi's popular ThankYou Rewards program, promising bonus points or exclusive redemption offers if you scan a QR code to “activate your reward.” The code leads to a phishing page that steals your Citi credentials and, often, additional card details. Citi's large rewards-card base makes this variant especially effective.
- ATM sticker scams: Fraudulent QR code stickers are placed over legitimate codes on Citi ATM screens or branch-lobby kiosks. When you scan them expecting to access your account or retrieve account-service information, you land on a credential-harvesting page instead. See the guide to ATM QR code scams for the full picture of this attack.
- Fake “mandatory security update” emails: Phishing emails with Citi's logo and color scheme claim your online banking access requires a “mandatory security verification” and provide a QR code to complete it. Scanning opens a fake Citi login page. The urgency framing — “your account will be locked in 24 hours” — pushes victims to act before thinking.
Scammers use QR codes instead of plain hyperlinks because QR codes slip past email security gateways that would otherwise flag a suspicious URL — and because mobile screens make it harder to inspect a destination address before you're already on the phishing page. This technique is called quishing, and it is rising specifically because banks are trusted brands and their customers are primed to respond to “security” messages.
What Citibank actually does — and never does — with QR codes
Citi does use QR codes in very limited ways:
- In-branch marketing materials and kiosk displays
- Deep links inside the Citi Mobile app itself
- Occasional promotional QR codes in official, printed Citi marketing (always resolved through citi.com)
Citibank will never send you an unsolicited QR code to:
- Verify your identity or log you into your account
- Unlock a restricted or suspended account
- Confirm, authorize, or dispute a transaction
- Claim, activate, or redeem ThankYou Points or any other reward
- Complete a “mandatory” account security update
Every legitimate Citibank security action happens inside the Citi Mobile app or at citi.com — not through an unexpected QR code in a text, email, or physical mailer. If a code claims to require your credentials to fix something urgent, that urgency is the scam itself.
For a broader explanation of how bank QR code scams work across all financial institutions, see the full guide.
What to do right now
Your response depends on what you did after scanning.
If you only scanned and didn't enter anything: Your risk is low. Close the page immediately, do not return to it, and monitor your Citi accounts closely for the next 48 hours.
If you entered your login credentials, card number, or a one-time passcode, act immediately:
- Call Citi fraud support now. Use the number on the back of your Citi card, or call 1-800-950-5114. Do not use any phone number provided in the suspicious message — it may route to the scammer.
- Ask them to flag and monitor your account. Citi can place a temporary security hold, review recent transactions, and block suspicious activity while you work through recovery.
- Change your Citi online banking password from a trusted device on a trusted network — not the same device or connection you used when you scanned the code.
- Enable two-step verification in the Citi Mobile app security settings if it isn't already active. This prevents an attacker who captured your password from accessing your account without a second factor.
- Review recent transactions for any charges, transfers, or new payees you don't recognize. Report each unauthorized item to Citi immediately.
- File a report with the FTC at reportfraud.ftc.gov and with the CFPB at consumerfinance.gov/complaint.
For a complete recovery checklist covering every type of financial QR scam, the guide "What to do if you scanned a suspicious QR code" walks through each step in order.
How to protect yourself before you scan
The scam works because the fake Citi login page looks right — the logos, colors, and form fields are convincing replicas. You can't rely on design alone. You need to check the URL before your browser opens anything.
- Scan with QRsafer first. QRsafer analyzes the destination URL against threat intelligence databases and returns a verdict before your browser loads anything. A cloned Citi login page will not pass a safety check.
- Verify the domain before entering anything. Citibank's real domains are citi.com and citibank.com — nothing else. Scammers use lookalikes like citi-secure-verify.com or citibank-account-alert.net. Check the full URL, not just the page design.
- Never log in to Citi through an unsolicited QR code. If a message claims your account requires immediate action, open the Citi Mobile app directly or navigate to citi.com in your browser. Ten seconds is worth it.
- Call Citi to verify unexpected messages. Received a text, email, or mailer with a QR code supposedly from Citi? Call the number on the back of your card and ask if they sent it. If they didn't, you just avoided the scam entirely.
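The domain check described in the list above, written out as an added example (it is not from the original article and is not QRsafer's code). The function name `check_qr_url` and the sample URLs are constructed for illustration; requiring https and accepting subdomains of the two official domains are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# The two domains the article gives as Citibank's real ones.
OFFICIAL_DOMAINS = ("citi.com", "citibank.com")


def check_qr_url(url):
    """Return (ok, reason) for a URL decoded from a QR code."""
    if "\\" in url:
        # Browsers may read "\" as "/", so parsers can disagree on the host.
        return False, "backslash in URL"
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":  # assumption: a login link must be https
        return False, "not an https link"
    if not host:
        return False, "no hostname"
    if parts.username is not None or parts.password is not None:
        # "https://www.citi.com@login.example/" loads login.example.
        return False, "userinfo placed before the real hostname"
    host = host.rstrip(".")
    if not host.isascii() or "xn--" in host:
        return False, "internationalized hostname (possible homograph)"
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain; "notciti.com" must not pass.
        if host == domain or host.endswith("." + domain):
            return True, "on official domain " + domain
    return False, "hostname is not citi.com or citibank.com"


# Constructed sample URLs; the two lookalike domains are the article's.
SAMPLES = [
    "https://www.citi.com/login",
    "https://citi-secure-verify.com/login",
    "https://citibank-account-alert.net/",
    "https://citi.com.account-check.example/",
    "https://www.citi.com@login.example/",
    "https://\u0441iti.com/",  # first letter is Cyrillic, not Latin "c"
    "http://www.citi.com/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.encode("ascii", "backslashreplace").decode(), check_qr_url(sample))
```

A passing result only says the hostname sits on one of the two domains; the advice not to log in through an unsolicited code still applies.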
For a broader guide to recognizing suspicious codes in real time, "How to spot a malicious QR code before you scan" covers visual and contextual signals across every type of QR scam.
Frequently asked questions
Does Citibank ever send QR codes?
Citi uses QR codes only in limited, in-person contexts — branch marketing materials and deep links inside the Citi Mobile app. Citi will never text, email, or mail you an unsolicited QR code asking you to verify your identity, unlock your account, or claim a reward. Any QR code that claims to require those actions is a scam.
What should I do if I scanned a QR code that looked like it was from Citibank?
If you scanned but didn't enter anything, monitor your Citi accounts closely for 48 hours. If you entered login credentials, a card number, or a one-time passcode, call Citi fraud support immediately at 1-800-950-5114 (or the number on the back of your card). Ask them to flag your account and place a security hold while you change your password and review recent transactions from a trusted device.
Can I get my money back after a Citibank QR code scam?
Your odds improve significantly the faster you act. Call Citi immediately to report unauthorized access and dispute any transactions. Citi's zero-liability policy covers unauthorized card transactions reported promptly. Also file complaints with the CFPB at consumerfinance.gov/complaint and the FTC at reportfraud.ftc.gov.
Check the URL before Citibank asks for your password
QRsafer scans any QR code and tells you whether the destination is safe before your browser opens it. Free on iOS and Android.
