Facebook Marketplace QR Code Scam: What It Is and What to Do
Someone in a Facebook Marketplace deal sent you a QR code — maybe to "receive your payment," prove they paid, or verify your account — and something doesn't feel right. Trust that instinct. No legitimate Marketplace transaction requires a QR code. Here's what's happening and what to do about it.
The three Facebook Marketplace QR code scams
Facebook Marketplace is the most-used peer-to-peer selling platform in the US — which makes it the most-targeted. Scammers have developed three reliable QR code plays for it.
1. The fake "scan to receive your money" code
You're selling something. The buyer says they've paid you — via Zelle, Venmo, PayPal, or a wire — and sends a QR code you need to scan to "accept" or "release" the funds. Sometimes they claim the money is "on hold" until you complete the step.
The QR code leads to a phishing page that mimics your bank or payment app. If you enter your login credentials, the attacker now has access to your account. No money was ever sent to you.
2. The fake proof-of-payment or shipping-label QR code
You're buying something and the seller ships it. In a separate scam, the "buyer" sends you a QR code, claiming it's either a prepaid shipping label you need to scan to print or proof that payment was sent. Neither is true.
Fake shipping-label QR codes typically redirect to a payment page where you're asked to pay a small "fee" to process the label. Fake payment-confirmation QR codes redirect to a phishing login page for your bank or Zelle account. Either way, you end up paying or losing credentials.
3. The account-verification QR code (Facebook account hijack)
This is the most damaging variant. Posing as a serious buyer, the scammer sends a QR code claiming it's a "Facebook identity verification" or "seller badge" — required, they say, to complete the transaction or unlock your seller rating.
The QR code opens a fake Facebook login page. Once you enter your credentials, the attacker logs into your Facebook account, locks you out by changing the password, and uses your account to run more scams — messaging your contacts, creating fake listings, or selling access to other criminals.
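What separates the fake login page from the real one is the hostname in the URL the QR code decodes to. The following Python check is an added example, not part of the original article and not a description of how any scanner app works; the trusted-domain list, function names and sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: the only domains that serve the genuine login page.
TRUSTED_DOMAINS = ("facebook.com", "messenger.com")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def login_url_findings(url):
    """Reasons not to trust a QR-decoded URL as a Facebook login page ([] = host checks pass)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["URL does not parse"]
    findings = []
    if parts.scheme != "https":
        findings.append("not HTTPS")
    if parts.username is not None:
        # https://facebook.com@other.example/ : the real host is what follows '@'
        findings.append("text before '@' is not the host")
    if is_ip_literal(host):
        findings.append("host is a raw IP address")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("internationalized host, possible look-alike letters")
    # Match whole labels only, so notfacebook.com does not pass as facebook.com
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        findings.append("host is not a trusted domain")
        if "facebook" in url.lower():
            findings.append("brand name used as a decoy")
    return findings

# Constructed sample URLs (reserved .example names and a documentation IP).
SAMPLES = [
    "https://www.facebook.com/login",
    "https://facebook.com.seller-badge.example/login",
    "https://facebook.com@verify.example/login",
    "http://203.0.113.7/facebook/login",
    "https://faceb\u043e\u043ek.example/login",  # Cyrillic 'о' in place of Latin 'o'
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", login_url_findings(u) or "host checks pass")
```

An empty result only means the hostname belongs to a trusted domain over HTTPS; it is a check on where the link points, not on what the page does.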
Why Facebook Marketplace is a top fraud vector
Unlike eBay or Amazon, Facebook Marketplace has no mandatory escrow or payment protection for most transactions. Buyers and sellers negotiate directly, often communicating over Messenger — and Messenger is easy to spoof.
The platform's social-network context also creates false trust: you can see the other person's profile, mutual friends, and local community membership. Scammers create aged accounts or compromise real ones specifically to exploit this trust.
Facebook Marketplace's built-in checkout with Facebook Pay is the only safe digital payment method on the platform — and it never involves scanning a QR code. If someone moves the transaction outside of Marketplace's payment system, the platform's buyer protections don't apply.
What to do right now
How you respond depends on what happened when you scanned:
- If you only scanned and didn't enter anything, you're likely fine. Check that no new apps were installed and no browser extensions appeared. On iOS, go to Settings → General → VPN & Device Management to make sure no unknown profiles were installed.
- If you entered your Facebook login, go to facebook.com/settings/security immediately from a trusted device. Change your password, review active sessions (Settings → Security and Login → Where You're Logged In), and remove any sessions you don't recognize. Turn on two-factor authentication now if it wasn't already on. Also check your Messenger inbox for any messages the attacker may have sent while they had access.
- If you entered bank or card details, call your bank immediately and report the transaction as fraud. Ask whether a chargeback is possible. The faster you act, the better your odds of recovery.
- If you sent money via Zelle or a wire transfer, report it to your bank right away — Zelle payments are typically irreversible, but your bank's fraud team can sometimes help and will file a report. Contact the payment platform's fraud team as well.
- Report the scammer's Facebook profile and listing using the three-dot menu on their profile or listing. This helps Facebook remove the account and warns other users.
- File a report with the FTC at reportfraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov. Include any screenshots of the QR code, the conversation, and the listing URL.
How to protect yourself on future Marketplace deals
- Scan any QR code with QRsafer before opening it. QRsafer checks the destination URL against live threat intelligence and returns a plain-language verdict — Safe, Risky, or Dangerous — before you tap through to anything.
- Use Facebook's built-in checkout for shipped items. It's the only payment method on Marketplace that includes buyer protection. If a seller pushes you to pay via Zelle, wire, or a QR code instead, treat it as a red flag.
- Cash in person for local pickups. Meet in a public place — many police stations have designated "safe exchange zones" — and inspect the item before handing over any money.
- Never scan a QR code to "verify" your identity or seller status. Facebook has no such verification flow that involves scanning a QR code from another user. This is always a scam.
- Enable two-factor authentication on Facebook now. Even if an attacker gets your password via a phishing page, 2FA prevents them from logging in without your phone.
The same tactics appear on other peer-to-peer platforms. The Craigslist QR code scam and Zelle QR code scam pages cover the same mechanics from a different angle — worth reading if you sell across multiple platforms.
Frequently asked questions
Does Facebook Marketplace ever use QR codes to send or receive payment?
No. Facebook Marketplace's built-in checkout uses Facebook Pay — it never requires you to scan a QR code to send or receive money. If a buyer or seller sends you a QR code claiming it's for payment, proof of payment, or a shipping label, it is a scam. Any legitimate Marketplace transaction either happens through the platform's checkout or with cash in person.
I scanned a QR code from a Facebook Marketplace buyer and entered my login info. What do I do?
Change your Facebook password immediately from a trusted device, then go to Settings → Security and Login → Where You're Logged In and remove any sessions you don't recognize. Enable two-factor authentication. If the page also asked for banking or card details, contact your bank right away and report the transaction as fraud. File a report with the FTC at reportfraud.ftc.gov.
How can I tell if a QR code from a Marketplace contact is safe before I scan it?
Scan it with QRsafer first — it checks the destination URL against multiple threat intelligence sources and returns a clear Safe, Risky, or Dangerous verdict before you open anything. Beyond that: no step in a legitimate Facebook Marketplace transaction requires scanning a QR code. If someone insists you must scan one to complete the deal, walk away.
