QRsafer LogoQRsafer

Discover Card QR Code Scam: What It Is and What to Do

You received a QR code claiming to be from Discover — locking your card, expiring your Cashback Bonus, or requiring an urgent account update. Here's how the scam works, what Discover would never ask you to scan, and the exact steps to take right now.

How the Discover QR code scam works

Discover is a top-5 US credit card issuer and a growing direct bank — its Cashback Bonus® rewards program and competitive savings rates are widely marketed, which makes reward-themed phishing especially credible. Scammers exploit this across four main attack patterns:

  • “Your Discover card has been locked” smishing: A text arrives styled like a Discover security alert — “Suspicious activity detected. Your Discover card has been locked. Scan to verify and restore access.” The QR code leads to a pixel-perfect cloned Discover login page that harvests your user ID, password, and sometimes a one-time verification code. This is one of the most common QR code scam text message patterns in circulation today.
  • Cashback Bonus® phishing: Fake mailers or emails claim the cardmember has unclaimed Cashback Bonus® rewards expiring soon — “You have $87 in unredeemed cash back. Scan now before it expires.” Because Discover genuinely markets its rewards program and sends similar-looking communications, this variant has a high believability rate. The QR code leads to a fake rewards redemption portal that harvests card details or login credentials before showing a fake confirmation screen.
  • Fake “Discover it® card upgrade” scam: A phishing email or physical mailer offers the recipient an upgrade to a premium Discover it® card tier — better cashback rates, a higher credit limit, or a new travel rewards version. The QR code leads to a fake application flow that collects full card details, SSN, income information, and banking credentials during what looks like a routine credit-card application.
  • Discover Bank savings account phishing: Discover's Online Savings Account is one of the most widely known high-yield accounts in the US — and scammers exploit this by sending fake “rate adjustment notification” or “account security verification” QR codes targeting online savings account holders. Because these customers expect digital communications and already manage their accounts entirely online, the QR code prompt feels natural and urgent.

The technique behind all of these is called quishing — QR code phishing — and it bypasses the URL-inspection tools that email spam filters and most security software apply to plain hyperlinks. A QR code hides the destination URL entirely until after the scan.

What Discover actually does — and never does — with QR codes

Discover does use QR codes in limited ways:

  • Printed advertising campaigns and direct mail marketing
  • In-app promotions inside the Discover Mobile app
  • Occasionally in physical cardholder welcome kits

Discover will never send you a QR code to:

  • Verify your identity or log you into your account
  • Unlock, secure, or unsuspend your card or account
  • Claim, activate, or redeem Cashback Bonus® rewards
  • Apply for or activate a card upgrade or new product
  • Confirm or update your savings account rate or interest
  • Respond to a fraud alert or suspicious transaction notification

All legitimate Discover account actions happen inside the Discover Mobile app or at discover.com — not through an unsolicited QR code in a text, email, or physical mailer. If urgency is involved (“your cash back expires in 24 hours,” “your card will be permanently locked”), that urgency is the scam mechanism, not a real deadline.

For a broader overview of how bank QR code scams operate across all financial institutions, see our full guide.

What to do right now

Your response depends on what happened after you scanned.

If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your Discover accounts closely for the next 48 hours for unauthorized transactions.

If you entered login credentials, a card number, personal details, or a one-time passcode, act immediately:

  1. Call Discover fraud support now. Use the number on the back of your Discover card, or call 1-800-347-2683. Do not use any number provided in the suspicious message.
  2. Ask them to flag your account for fraud monitoring. This allows Discover's team to block and alert on unusual transactions in real time while you complete recovery steps.
  3. Change your Discover online account password from a trusted device on a trusted network — not the same device or connection you used when you scanned.
  4. Enable two-step verification in the Discover Mobile app or at discover.com under Account Center > Security Settings, if not already active.
  5. Review recent transactions for any charges, transfers, or cash advances you did not authorize. Dispute each one directly with Discover.
  6. File reports with the FTC at reportfraud.ftc.gov and the CFPB at consumerfinance.gov/complaint. These create a paper trail supporting any dispute resolution and may help others avoid the same scam.

For a complete recovery checklist that covers every type of financial QR scam, what to do if you scanned a suspicious QR code walks through every step in order.

How to protect yourself before you scan

The scam works because the fake Discover page looks convincing — cloned fonts, accurate branding, and an urgent but plausible scenario. You can't rely on visual design alone to tell real from fake. You need to check the destination URL before your browser opens anything.

  • Scan with QRsafer first. It decodes the QR code and checks the destination URL against threat intelligence before your browser loads anything. A cloned Discover login page will not pass a domain reputation check.
  • Verify the domain before entering anything. Discover's real domain is discover.com — nothing else. Attackers use lookalikes such as discover-account-verify.com or discover-secure-login.net. Check the full URL, not just the page appearance.
  • Never log in through a QR code you didn't seek out. If a code claims to require your credentials to fix something urgent, open the Discover Mobile app directly or navigate to discover.com in your own browser instead.
  • Call the number on the back of your card to verify. Received a text or mailer with a QR code from “Discover”? Call Discover directly at 1-800-347-2683 and ask if they sent it. If they didn't, you've avoided the scam entirely.

For a broader guide to identifying suspicious codes in real time, how to spot a malicious QR code before you scan covers visual and contextual signals across every scam type.

Frequently asked questions

Does Discover ever send QR codes?

Discover uses QR codes only in limited, controlled contexts — printed marketing materials and in-app promotions. Discover will never text, email, or mail you a QR code asking you to verify your identity, unlock your card, claim Cashback Bonus rewards, or complete a security action. Any unsolicited QR code making those claims is a scam.

What should I do if I scanned a QR code that looked like it was from Discover?

If you scanned but didn't enter anything, monitor your accounts for 48 hours. If you entered your login credentials, card number, or personal details, call Discover fraud support immediately at 1-800-347-2683 — or the number on the back of your card. Ask them to flag your account, change your password from a clean device, and review recent transactions.

Can I get my money back after a Discover QR code scam?

Speed matters most. Call Discover immediately to report unauthorized access and dispute any transactions. Discover's $0 Fraud Liability Guarantee covers unauthorized charges reported promptly. Also file complaints with the FTC at reportfraud.ftc.gov and the CFPB at consumerfinance.gov/complaint.

See where the QR code leads before Discover asks for your password

QRsafer scans any QR code and shows you whether the destination is safe before your browser opens it. Free on iOS and Android.

Download for iOSDownload for Android

Related guides