Fake Product Recall QR Code Scam: What It Is and What to Do

How fake product recall QR code scams work

A real product recall is alarming — especially if it involves something in your home or your car. Scammers know this, and they engineer fake recall notices designed to make you scan quickly without scrutinizing the source. These attacks appear in four main forms:

1. Mailed recall notices impersonating agencies or brands. You receive an official-looking mailer with the logo of the CPSC (Consumer Product Safety Commission), the FDA, or a recognizable manufacturer like Samsung, Philips, or a major appliance brand. The letter lists a model number, describes a vague safety hazard, and includes a QR code directing you to “register your recall and claim your replacement.” The QR leads to a fake registration page that collects your name, address, purchase date, credit card number for a supposed “return shipping fee,” and sometimes your Social Security Number for “identity verification.”
2. In-box insert attacks targeting online shoppers. Products shipped from third-party sellers on Amazon and other marketplaces sometimes include a small card claiming to be a “product safety notice.” The card instructs you to scan a QR code to “register for recall monitoring” or “verify product authenticity.” The destination page harvests Amazon login credentials, payment information, or personal data. Sellers who plant these inserts may be attempting to pull buyers off-platform or steal account access.
3. Email recall notices using real brand data. A phishing email arrives bearing a product's genuine logo and branding — sometimes with the correct model number obtained from a data breach or purchase history leak — claiming a safety recall has been issued. A QR code in the email directs you to a convincing lookalike of the manufacturer's official recall page. The email may even reference a real recall number that exists for a different product, to make the claim seem verifiable.
4. Fake auto recall notices. Vehicle owners receive mailers or text messages impersonating NHTSA (the National Highway Traffic Safety Administration) or a car manufacturer, claiming a safety defect and promising a “free repair.” A QR code links to a fake dealer-scheduling portal that harvests vehicle identification, personal information, and sometimes a “pre-authorization deposit” paid by card. Real automaker recalls are free and require no advance deposit.

The tactic behind all four variants is the same: a safety fear overrides normal skepticism, and a QR code hides the destination URL until it's too late. This is the same technique security researchers call quishing.

How real product recalls actually work

Knowing the legitimate process makes fakes easy to spot:

• The CPSC lists all recalls at recalls.gov. Every consumer product recall in the United States — appliances, electronics, toys, furniture, food — is published on recalls.gov and cpsc.gov. If you can't find it there, it isn't a real CPSC recall. The CPSC never contacts consumers by unsolicited text, and it never sends QR codes.
• Vehicle recalls are searchable by VIN at nhtsa.gov/recalls. Enter your 17-character VIN to see all open safety recalls for your vehicle. Automakers mail physical recall notices by USPS first-class mail with a specific recall campaign number — repairs are performed free of charge at authorized dealerships. No advance payment or QR-code scheduling link is ever required.
• Real recall registration is optional and simple. Some manufacturers include a registration card or a link to their own support page to facilitate a remedy, but registration is never required to receive a free repair, replacement, or refund. A legitimate recall process never demands a “shipping fee” or “identity verification fee.”
• Amazon does not insert QR code recall notices in packages. If you have a safety concern about an Amazon purchase, check your order on amazon.com or contact Amazon Customer Service. A QR code in a box from a third-party seller is not from Amazon.

Red flags that a recall notice is fake

• A QR code is the only way to “register” the recall. Real recalls include a phone number, a manufacturer website, or a physical mailing address. A notice that forces you to scan a QR code is a red flag.
• You are asked for a credit card, debit card, or payment of any kind. Recall remedies — replacement, refund, or repair — are always free. Any fee is fraudulent.
• The QR code destination does not match the manufacturer or a government domain. Scan the code with QRsafer first. The URL should end in .gov for government agency notices, or the manufacturer's official domain for brand-issued recalls. Generic domains, hyphenated subdomains, or short-link redirects are warning signs.
• Urgency language: “act within 72 hours” or “immediate action required.” Real recalls have extended remedy windows — manufacturers cannot physically serve every affected consumer overnight. Artificial urgency is a pressure tactic.
• The recall notice references your name or purchase but doesn't match any real recall on recalls.gov. A scammer may have obtained your name and product details from a data breach and crafted a targeted fake notice. Always verify independently at recalls.gov.

What to do if you already scanned the QR code

1. If you entered a credit or debit card number: Call your bank or card issuer immediately to report potential fraud and request a replacement card. Do not wait. The sooner you report, the better your odds of reversing unauthorized charges. See I scanned a QR code and it asked for my credit card for the full action checklist.
2. If you entered personal information (name, address, date of birth): Place a fraud alert at one of the three major credit bureaus — Equifax, Experian, or TransUnion — which automatically extends to all three. This alerts creditors to take extra steps before opening new accounts in your name.
3. If you entered your Social Security Number: Consider placing a free credit freeze at all three bureaus, and file a report at IdentityTheft.gov (FTC). See that page for step-by-step guidance.
4. If you entered an Amazon or other retailer login: Change that account's password immediately at the official site — do not use any link in the suspicious message. Review saved payment methods and recent orders for unauthorized activity.
5. If you only scanned and looked but entered nothing: You are almost certainly fine. Simply viewing a page does not expose your data. Close the browser, clear your recent history, and monitor your accounts over the next few weeks.
6. Report the scam. File a complaint at reportfraud.ftc.gov. If the notice impersonated a government agency (CPSC, NHTSA, FDA), report it to that agency's fraud tip line as well.

Frequently asked questions