Fidelity QR Code Scam: What It Is and What to Do

How fake Fidelity QR codes work

Fidelity Investments manages trillions of dollars in assets for over 40 million individual investors. That scale makes it one of the most impersonated financial brands in phishing campaigns. Scammers know that Fidelity customers are accustomed to digital account management — and they exploit that trust with three common QR code attacks.

1. Fake "Fidelity account security alert" emails and texts. You receive a message warning that your account has been flagged for suspicious activity or requires re-verification. A QR code in the message links to a site that mimics Fidelity's login page. Once you enter your username and password, the attacker has full access to your investment accounts.

2. Fake Fidelity Rewards Visa Signature Card mailers. Printed mail pieces arrive promising bonus points or a cash reward for existing cardholders. The QR code leads to a phishing page that collects your card number, account login, or Social Security number under the guise of "claiming" the reward.

3. Fake Fidelity NetBenefits QR codes. These target employees at companies that use Fidelity to administer 401(k) plans. Scammers send emails that appear to come from HR or NetBenefits directly — sometimes timing them around open enrollment — with a QR code to "log in and update your beneficiary" or "review your retirement savings." Because HR departments routinely forward Fidelity communications, employees are less suspicious of these messages.

All three variants share the same goal: steal credentials that give access to accounts holding years of savings.

The one rule to remember

Fidelity does not send unsolicited QR codes asking you to verify your account, complete a security check, or claim a reward.

Legitimate Fidelity security alerts direct you to open the Fidelity app or navigate to fidelity.com — they do not ask you to scan a QR code and enter your credentials on a third-party page. Any message combining urgency ("your account will be suspended") with a QR code as the only way to respond is a phishing attempt, regardless of how official it looks.

The same principle applies to Robinhood QR code scams and other financial platform impersonations — the delivery method changes, the playbook doesn't.

What to do if you scanned one

Act fast. Unauthorized access to a brokerage account can result in fraudulent trades, wire transfers, or account takeover within hours.

1. Call Fidelity fraud immediately: 1-800-544-6666. Tell them you may have entered credentials on a phishing page. They can place a hold on your account, review recent activity, and start the recovery process.
2. Change your Fidelity password from a trusted device on a secure network — not the one you used when you scanned the QR code. Also change any other accounts that use the same password or email address.
3. Enable two-factor authentication on your Fidelity account if it isn't already active. This limits what an attacker can do even if they have your password.
4. Review your account activity. Check for unauthorized trades, beneficiary changes, or pending wire transfers. Report anything suspicious to Fidelity during your fraud call.
5. File a complaint with the FTC at reportfraud.ftc.gov. Include the phone number or email address the scam arrived from and any details about the fake page you landed on.

For context on how credential-harvesting phishing attacks work across financial platforms, see our guide to bank QR code scams.

How to protect yourself before you scan

• Scan with QRsafer first. It checks the destination URL against threat intelligence databases and returns a Safe, Risky, or Dangerous verdict before you open anything — giving you a second opinion before your credentials are at risk.
• Never log in via a QR code. If you receive a message about your Fidelity account, open a browser and go directly to fidelity.com or nb.fidelity.com, or open the Fidelity app. Don't follow links or QR codes in unsolicited messages.
• Verify before you forward. If you work in HR and regularly share Fidelity NetBenefits communications, double-check that any QR code in the message matches what Fidelity's official portal would send — then confirm with your Fidelity plan representative when in doubt.
• Check the sender domain carefully. Phishing emails from "fidelity-secure.com" or "fidelity-netbenefits.net" are not from Fidelity. Legitimate Fidelity email comes from @fidelity.com.

QR code phishing attacks against financial accounts are rising. Our guide on crypto QR code scams covers how the same tactics are used to steal wallet access and why digital asset holders are particularly vulnerable.

Frequently asked questions