I Scanned a QR Code and Accidentally Logged In — What to Do Right Now

You scanned a QR code, a login page appeared, and you typed your credentials before realizing the page might not be real. This is one of the most urgent QR scam situations — but if you move quickly, you can still contain the damage.

Do these things immediately

Speed matters. If the page was a phishing clone, your credentials may already be in an attacker's hands. Take these steps now, in order:

1. Change the password on the real website — right now.

Open a new browser tab and navigate to the real site by typing the address yourself or using a saved bookmark. Do not click any link from the suspicious page. Find the account security or password settings and set a new, unique password you haven't used anywhere else.

2. End all active sessions.

Most platforms (Google, Apple, Facebook, banks) have a “sign out of all devices” or “active sessions” option in security settings. Use it. This ends any session the attacker has already opened with your credentials and invalidates any session token they may have captured alongside them.

3. Enable two-factor authentication (2FA) if it's not already on.

Even if your password was stolen, 2FA means the password alone is not enough: the attacker cannot access your account without also having your second factor, typically your phone. Turn it on before closing the account settings tab.

4. If it was a bank or financial account, call now.

The number is on the back of your card or on the real institution's website. Tell them you may have entered your login credentials on a fraudulent page. Ask them to flag the account for unusual activity and review any recent transactions. For investment accounts, ask whether any trades or transfers can be reversed.

5. Check whether you reuse that password elsewhere.

If the same password protects your email, another bank, or any other important account, change it on every one of those sites as well. Password reuse is how a single phishing incident turns into an account takeover chain.

How QR phishing captures your credentials

QR codes are an ideal delivery mechanism for fake login pages because you cannot read the destination URL before scanning. Attackers exploit this in a straightforward way:

  1. They build a pixel-perfect copy of a real login page — same logo, colors, fonts, and layout as the original.
  2. They embed that page's URL in a QR code and place it somewhere plausible: a printed sign, a sticker, an email, a text message.
  3. When you type your username and password and tap the login button, the credentials are submitted to the attacker's server rather than the real platform.
  4. To avoid raising suspicion, you are often redirected to the real site immediately after — so the experience feels normal and you may not realize anything went wrong until later.

The tell-tale signs are easy to miss in the moment: a domain that is slightly misspelled (paypa1.com, app1e.com), an extra subdomain (login.apple.com.phishing-site.net), or a URL with a random string of characters. By the time you notice, your credentials have already been sent.

For a broader breakdown of how attackers operate, the guide “What happens if you scan a fake QR code” explains the full range of phishing and redirect techniques.

How to protect yourself going forward

The single most effective rule: never enter login credentials on a page you reached by scanning a QR code. If a QR code takes you to a login screen, close the browser, open a new tab, and navigate to the site directly by typing the address or opening your saved bookmark.

  • Use QRsafer to check the destination before your browser loads it. QRsafer returns a threat verdict — Safe, Risky, or Dangerous — before anything opens. A phishing domain will be flagged before you see the login page.
  • Always read the URL before interacting. Even on a page that loads, look at the address bar. Misspellings, extra hyphens, unfamiliar extensions, or long subdomain chains are all red flags.
  • Use a password manager. A good password manager won't autofill your credentials on a domain it doesn't recognize — it only fills on the exact domain it saved them for. This acts as a last line of defense against lookalike phishing pages.
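
The URL red flags described above (digit-for-letter misspellings, a real brand buried in a subdomain chain, hyphens) can be checked mechanically before a page is opened. The following Python sketch is an added example, not QRsafer's code or method; the KNOWN_SITES list, the look-alike character map, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites this user really has accounts on (hypothetical list).
KNOWN_SITES = ("paypal.com", "apple.com")
# Constructed map of digits commonly swapped in for look-alike letters.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable(host):
    """Last two labels of the host. Simplification: production code should
    consult the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def check_qr_url(url):
    """Return the red flags found in a URL decoded from a QR code."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    base = registrable(host)
    if base in KNOWN_SITES:
        # Exact match on the saved domain: the only case where a password
        # manager would offer to autofill.
        return []
    flags = []
    # Misspelling with a digit standing in for a letter (paypa1.com).
    normalized = base.translate(LOOKALIKES)
    if normalized in KNOWN_SITES:
        flags.append("lookalike:" + normalized)
    # Real brand domain buried in the subdomains of a different site.
    for site in KNOWN_SITES:
        if host.startswith(site + ".") or "." + site + "." in host:
            flags.append("brand-in-subdomain:" + site)
    if host.count(".") >= 4:
        flags.append("long-subdomain-chain")
    if "-" in base:
        flags.append("hyphen-in-domain")
    return flags


if __name__ == "__main__":
    # Sample URLs built from the example domains in the text above.
    for url in ("https://www.paypal.com/signin",
                "https://paypa1.com/signin",
                "https://login.apple.com.phishing-site.net/id"):
        print(url, "->", check_qr_url(url) or "no flags")
```

An empty list only means none of these specific red flags matched; it is not a verdict that an unfamiliar domain is safe.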

For a complete recovery guide covering every QR scam scenario, the guide “What to do if you scanned a suspicious QR code” walks through every step in order.

Frequently asked questions

I scanned a QR code and entered my password on a login page — are my credentials stolen?

Possibly yes. If the page was a phishing clone, your credentials were sent to the attacker the moment you hit submit. Treat them as compromised: change the password on the real site immediately, end all active sessions, and enable 2FA right now.

How do fake login pages after QR codes work?

Attackers build pixel-perfect copies of real login pages. When you type your credentials and tap login, the fake page sends your username and password to the attacker's server. You may then be redirected to the real site so you don't notice anything went wrong.

What if the login was for my bank or a financial account?

Call your bank's official number immediately — it's on the back of your card. Report that you may have entered credentials on a fraudulent page, ask them to flag the account for suspicious activity, and review recent transactions for unauthorized transfers.

How do I prevent this from happening again?

Never enter login credentials on a page you reached by scanning a QR code. Navigate directly to the site by typing the address in a new tab. Use QRsafer to check the destination URL for threats before your browser loads anything.

Check where a QR code leads before you see the page

QRsafer checks the destination URL for phishing and threats before your browser loads anything. Free on iOS and Android.
