Disney+ QR Code Scam: What It Is and What to Do

How the Disney+ QR code scam works

Scammers run three main variants of this attack:

1. “Account suspended” phishing. You receive a text or email with the Disney+ logo stating your account was suspended due to a failed payment or suspicious activity. A QR code is included with instructions to “scan to reactivate.” The code leads to a fake Disney+ login page that harvests your email, password, and credit card number. Because Disney+ is part of a bundle with Hulu and ESPN+, victims often see charges across multiple accounts they didn't expect.
2. Free trial or bundle offer scam. Social media ads, event flyers, and campus postings advertise a free Disney+/Hulu/ESPN+ bundle or a discounted subscription via QR code. The destination site looks like a real sign-up page and collects full payment details — but either charges you immediately with no actual service, or captures credentials to take over an existing account.
3. Device activation scam. A caller claims to be Disney+ support and tells you that your device needs to be re-linked. They instruct you to scan a QR code to “restart the activation process.” The QR code either launches a phishing page or routes to a remote-access tool download. Legitimate Disney+ device activation never originates from an outbound call — the process always starts from your TV screen.

All three variants exploit urgency and the trust that comes with a widely recognized brand. Using a QR code instead of a typed link is intentional — it bypasses spam filters that flag suspicious URLs, a tactic security researchers call quishing.

How Disney+ device activation actually works

Understanding the real process makes the fake one obvious. Here's how legitimate Disney+ activation works:

1. Open the Disney+ app on your TV, streaming stick, or gaming console.
2. Select “Log In” and choose the option to use a code.
3. Your TV displays an 8-character alphanumeric code.
4. On your phone or computer, go to disneyplus.com/begin.
5. Type the 8-character code from your TV into the website.

You enter a code from your TV into the website. You never scan a QR code from an outside source to activate a device. Any message — text, email, or social media — that includes a QR code for Disney+ device activation is a scam.

Red flags to recognize before you scan

• Any QR code in a billing or suspension text or email. Disney+ does not send QR codes by text or email for account management. All account actions happen inside the Disney+ app or at disneyplus.com.
• Urgency language. “Your account will be deactivated in 24 hours” or “act now to avoid losing access” are pressure tactics designed to make you scan before you think.
• A sender address that isn't from disney.com. Check the actual email address, not just the display name. Scam emails often come from addresses like “disney-billing@accounts-update.net.”
• The URL behind the QR code isn't disneyplus.com. Scan the code with QRsafer first — it shows you the destination URL before your browser opens it. If the domain isn't disneyplus.com, do not proceed.
• A social media ad offering a free trial that seems too good. Disney+ free trials are offered only through the official Disney+ website or authorized partner promotions — not through QR codes in ads or flyers.

What to do if you already scanned the QR code

The steps you take depend on what you did after scanning:

1. If you entered your credit or debit card number: Call your bank or card issuer immediately to report potential fraud and request a replacement card number. Do not wait — the sooner you call, the better your chances of reversing any unauthorized charges. See I scanned a QR code and it asked for my credit card for a full checklist.
2. If you entered your Disney+ email and password: Go directly to disneyplus.com — type it in your browser, do not click any link from the suspicious message — and change your password immediately. Then go to Account > Security & Privacy > Log Out of All Devices to revoke any active sessions.
3. If you reuse that password on other accounts: Change it on every other account, starting with your email inbox and any financial accounts. A stolen Disney+ password is most dangerous when it unlocks higher-value accounts.
4. If you only scanned and looked — but entered nothing: You are most likely fine. Scanning a QR code alone does not install malware or compromise your account. The risk is in what you do after the page loads.
5. Report the scam. Forward the phishing email to phishing@support.disney.com and file a complaint at reportfraud.ftc.gov.

For the complete step-by-step recovery guide, see what happens if you scan a fake QR code.

Frequently asked questions