I Scanned a QR Code and It Asked for My Password — What to Do Now
You scanned a QR code and landed on a page asking you to log in. That is one of the most common QR phishing tactics in use today. Here is what it means, whether you are at risk, and exactly what to do — whether you typed your password or not.
Why QR codes are used to steal passwords
Attackers use QR codes for credential theft for a simple reason: you cannot see the destination URL before you scan. A link in a text message or email shows you the address, which triggers suspicion. A QR code hides it entirely. By the time you see the page, you are already there — and a well-designed fake login page can be nearly indistinguishable from the real thing.
The pages scammers build typically mimic high-value targets: Apple ID, Google, Microsoft, banks, PayPal, and corporate email portals. They copy logos, fonts, and layouts from the official sites. The only tell is the URL in the address bar — and most people never check it.
This attack is known as quishing — QR code phishing — and it has grown significantly because it bypasses the link-scanning filters that email security tools use to block traditional phishing URLs.
The one question that determines your risk
Did you type your password? That single answer splits the situation into two very different responses.
- If you did not enter anything — you saw the login page, felt something was wrong, and closed it — your password is not compromised. The page may have loaded some tracking scripts, but a web page cannot steal a password you never typed. Clear your browser cache and monitor your accounts for the next 24 hours as a precaution.
- If you typed your password — even just partially, or if you hit submit — treat the account as compromised and act immediately. The steps below tell you exactly what to do.
What to do if you entered your password
Speed matters. Attackers process stolen credentials immediately — often within minutes — using automated tools that try the username and password combination on other platforms.
- Change the password right now. Open a new tab, type the real service's address yourself, log in, and go to security settings to update your password to something unique.
- Sign out of all active sessions. Most platforms (Google, Apple, Microsoft, Facebook) have a “sign out everywhere” or “active sessions” option in security settings. Use it to invalidate any session the attacker may have already started.
- Enable two-factor authentication immediately. Even if the attacker has your password, 2FA blocks them from logging in without your phone or authenticator app.
- Check for password reuse. If you use the same password on other accounts, change it everywhere it appears — especially on email, banking, and payment apps.
- If it was a financial account, call the number on the back of your card or your bank's fraud line. Report what happened and ask them to monitor for unusual activity. Do not wait.
- Check your email account for new rules. Attackers who capture email credentials often set up forwarding rules or filters to intercept future messages. In Gmail, check Settings → See all settings → Filters and Blocked Addresses and Forwarding. In Outlook, check Settings → Rules.
How to check if a login page is real before you type anything
Before entering credentials on any page you reached by scanning a QR code, do one thing: read the address bar.
- Look for the exact domain. The domain is the part just before the first single slash: in https://www.apple.com/id/login, the domain is apple.com. Phishing pages use variations like apple-id-verify.net or appleid.secure-login.com — the word “apple” appears, but the actual domain is different.
- Be suspicious of unfamiliar extensions. Domains ending in .xyz, .top, .info, .click, or .online are commonly used for phishing because they are cheap and easy to register.
- HTTPS is not proof of safety. A padlock icon only means the connection is encrypted, not that the site is legitimate. Phishing pages routinely have HTTPS.
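The address-bar checks above, written out as a small defensive checker. This is an added example, not code from the article or from QRsafer; the expected domain, brand keyword, and sample URLs are constructed for illustration, and the domain extraction is a deliberate simplification (last two host labels, so multi-part suffixes like co.uk are not handled).

```python
from urllib.parse import urlsplit

# Extensions the article calls out as cheap and commonly abused for phishing.
SUSPICIOUS_TLDS = {"xyz", "top", "info", "click", "online"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.
    Assumption/simplification: multi-part suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_login_url(url: str, expected_domain: str, brand: str) -> list[str]:
    """Return warnings for a URL decoded from a QR code.

    An empty list only means the domain matches the expected service and the
    connection is HTTPS; it is not proof the page is legitimate."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return ["no host found in URL"]
    warnings = []
    domain = registrable_domain(host)
    if domain != expected_domain.lower():
        warnings.append(f"domain mismatch: expected {expected_domain}, got {domain}")
        # Brand name present in the host but not as the real domain: a classic lookalike.
        if brand.lower() in host.lower():
            warnings.append(f"brand keyword '{brand}' used in lookalike host: {host}")
    tld = domain.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        warnings.append(f"unfamiliar extension .{tld}")
    if parts.scheme != "https":
        warnings.append("connection is not encrypted (no HTTPS)")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs: one real, three modelled on the lookalikes above.
    for sample in ("https://www.apple.com/id/login",
                   "https://apple-id-verify.net/login",
                   "https://appleid.secure-login.com/",
                   "http://apple.verify-account.xyz/"):
        print(sample, "->", assess_login_url(sample, "apple.com", "apple") or ["looks consistent"])
```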
The safest rule: if you need to log into a service, close whatever page a QR code opened and navigate there yourself by typing the address. For a fuller picture of what malicious QR codes can do, what happens if you scan a fake QR code covers every scenario.
Frequently asked questions
Is it a scam if a QR code asks for my password?
Almost certainly yes. Legitimate services do not route you to a login page via a QR code you found on a sign, flyer, or message. The only exceptions are QR codes you generate yourself from within an official app (like linking WhatsApp Web or Discord on a new device). Any other QR-to-login-page flow should be treated as a phishing attempt — close the tab and navigate to the service directly.
What do I do if I already typed my password after scanning a QR code?
Change the password immediately by going directly to the real service — type the address yourself. Sign out of all active sessions, enable two-factor authentication, and change the same password anywhere else you use it. If the account is financial, call your bank's fraud line now. Speed is critical because attackers use stolen credentials within minutes.
How can I tell if a login page I reached by scanning is real?
Check the address bar before typing anything. The domain — the part just before the first single slash — must exactly match the real service. “apple.com” is real; “apple-id-verify.net” is not. A padlock icon does not mean the site is safe — it only means the connection is encrypted. If the URL looks off in any way, close the tab without entering anything.
See where a QR code goes before it asks for anything
QRsafer checks the destination URL against threat intelligence databases and returns a Safe, Risky, or Dangerous verdict before your browser loads the page — so you know what you are walking into before a password prompt ever appears.
