QRsafer LogoQRsafer

I Scanned a QR Code and Entered My Bank Account Details — Call Your Bank Right Now

If you entered bank account information on a page you reached by scanning a QR code, stop reading and call your bank's fraud line first. ACH debits and wire transfers can process within 24 hours. Every minute matters. Come back to this page after you've called.

Do this first — before anything else

Call the customer service number on the back of your bank card or on your bank's official website. Tell them you entered your account details on a page you believe was fraudulent. Ask them to flag your account, restrict outgoing transfers, and monitor for unauthorized activity. Do not wait until morning.

Scenario 1: You entered your online banking username and password

This is the highest-urgency scenario. With your login credentials, an attacker can access your accounts, change your contact details, set up new payees, and initiate wire or ACH transfers — all before you log back in.

  1. Change your password immediately on a clean device. Use a laptop or desktop that was not used to scan the QR code. Go directly to your bank's official website — type the URL yourself, do not click any link.
  2. End all active sessions. Most banks have a “Sign out of all devices” or “Active sessions” option in security settings. Use it. This terminates any session the attacker opened with your credentials.
  3. Call your bank's fraud line immediately. Report that your online banking credentials were phished via a QR code. Ask them to add a hold on outgoing wire and ACH transfers pending your confirmation, place a fraud alert on your account, and note the incident for Regulation E protection purposes.
  4. Enable two-factor authentication if it is not already on. With 2FA active, stolen passwords alone are not enough for a scammer to log in.
  5. Check your transaction history and pending transfers immediately. Look for any outgoing transfers you do not recognize and report them to your bank right away.
  6. Change the password on any other account where you use the same password. Password reuse is common, and attackers test stolen credentials on other banks, email providers, and payment apps.

Scenario 2: You entered your account number and routing number

Account and routing numbers are everything needed to initiate an ACH pull — an electronic debit from your account. These can process as fast as the next business day.

  1. Call your bank now. Ask them to add an ACH debit block or ACH positive pay filter to your account. This prevents anyone from initiating an electronic debit using your account number without your bank's manual verification.
  2. Ask about any pending ACH activity. If a debit has already been submitted, request that the bank return it as unauthorized before it settles.
  3. Monitor your account daily for at least two weeks. ACH fraud can appear days after the initial theft as attackers test small amounts before moving larger sums.
  4. Dispute any unauthorized ACH debits promptly. Under Regulation E, you have 60 days from your statement date to dispute unauthorized electronic transfers from a personal account. The sooner you report, the stronger your recovery position.
  5. Consider opening a new account number. If your bank cannot place an effective ACH block, the safest option is to move funds to a new account with a different number and close or freeze the compromised account.

Scenario 3: You entered your debit card number

A debit card number (with expiry and CVV) allows card-not-present purchases online and by phone. Unlike a credit card, the money comes directly out of your checking account.

  1. Call your bank immediately and cancel the card. Ask for a full card replacement with a new number — not just a temporary freeze. Any charge attempted on the old number after cancellation will be automatically declined.
  2. Check for pending or recent unauthorized charges. Dispute any charges you did not make. Under Regulation E, you are protected from unauthorized debit card transactions if you report them promptly.
  3. Update any automatic payments or subscriptions tied to the old card number. Your bank may issue a new card number automatically — update it everywhere before the new card arrives.
  4. If you also entered your PIN, change it immediately. An ATM PIN combined with account details gives an attacker everything needed to make in-person cash withdrawals.

How QR codes lead to fake bank pages

QR codes hide their destination URL until after you scan. Attackers use this to direct you to a convincing fake page before you can evaluate whether the source is legitimate. The most common setups include:

Fraud-alert smishing texts

A text impersonating your bank warns of “suspicious activity” and includes a QR code to “verify your identity.” The page looks exactly like your bank's login — same logo, same colors — but the URL is slightly off. Whatever you type is captured instantly.

Fake bank mailers

Printed letters using your bank's branding, sent by mail, include a QR code directing you to “confirm your details” or “activate a new security feature.” These can be convincing because physical mail feels more official than a text.

ATM sticker scams

A fraudulent QR code sticker is placed on or near a bank ATM — on the screen surround, the card reader, or a printed notice. Victims scanning it are taken to a fake bank login page.

Fake payment portals

A QR code on a parking meter, EV charger, or utility bill leads to a payment page that asks for bank details instead of a card. Victims assume a direct bank transfer is a normal payment option.

For a broader look at how these attacks are structured, see our guide on bank QR code scams.

Additional steps to take after contacting your bank

  • Place a fraud alert with the credit bureaus. If you also entered your name, address, date of birth, or Social Security number, place a free one-year fraud alert at Equifax, Experian, or TransUnion — alerting one bureau notifies all three. This requires lenders to verify your identity before opening new credit in your name.
  • File a report with the FTC. Go to ReportFraud.ftc.gov. The report creates an official record and generates a personalized recovery plan. If any money was actually transferred, also report to your state attorney general and the FBI's Internet Crime Complaint Center (IC3.gov).
  • Keep all records. Save screenshots of the fake page URL, the QR code itself if you can, and any texts or emails that directed you to scan. Your bank and law enforcement may need these.
  • Watch for follow-up phishing. Scammers who collect bank details often follow up with calls impersonating your bank's fraud department using personal details they already have. Any unexpected call asking you to confirm account information should be treated with suspicion — hang up and call your bank directly using the number on the back of your card.

Frequently asked questions

I entered my online banking username and password after scanning a QR code — what do I do?

Change your password immediately on a clean device, then end all active sessions in your bank's security settings. Call your bank's 24/7 fraud line and ask them to flag your account and restrict outgoing transfers. Enable two-factor authentication if you have not already. Check your transaction history for any transfers you did not initiate and dispute them right away.

I entered my bank account number and routing number — is my money at risk?

Yes, immediately. Those two numbers are everything needed to initiate an ACH debit from your account, which can settle as fast as the next business day. Call your bank now and ask for an ACH debit block on your account. If any unauthorized ACH debits appear, dispute them within 60 days of your statement date under Regulation E.

I entered my debit card number after scanning a QR code. Is that the same as entering my account details?

It is a slightly different risk but equally urgent. A debit card number with expiry and CVV allows online and phone purchases that withdraw directly from your checking account. Call your bank to cancel the card and issue a new one immediately. Dispute any unauthorized charges under Regulation E.

How did a QR code lead to a fake bank login page?

QR codes hide their destination URL until after you scan, allowing attackers to redirect you to a convincing fake page before you can check whether the source is legitimate. Common delivery methods include fraud-alert text messages, physical bank mailers, stickers placed on ATMs, and fake payment portals on parking meters or EV chargers. The fake login page looks identical to your bank's real one — same logo, same layout — but the URL is different, and anything you type is captured immediately.

Check where a QR code goes before you enter anything

QRsafer checks the destination URL against threat intelligence databases and shows you a Safe, Risky, or Dangerous verdict before your browser opens the page — so you never have to wonder whether a QR code is taking you to your real bank or a lookalike phishing site.

Download for iOSDownload for Android

Related guides