I Scanned a QR Code and It Asked for My Phone Number — What to Do

Q: Is it a scam if a QR code asks for my phone number?

Not always — some legitimate businesses use QR codes to collect a phone number for reservations, order pickup notifications, or loyalty programs. The red flags are: the URL does not match a brand you recognize, the page has no clear branding or business name, the form says your number is required to access a menu or claim a prize, or the QR code came from an unsolicited text, flyer, or sticker rather than a physical location you chose to visit. When those warning signs are present, the page is almost certainly harvesting phone numbers for spam, smishing campaigns, or sale to robocallers.

Q: I submitted my phone number — what can scammers do with it?

A phone number alone does not give attackers access to your accounts or money, but it opens several follow-up attack paths. They can add your number to smishing lists and send texts impersonating banks, the IRS, or delivery services. They can use it in SIM-swap research — calling your carrier while posing as you to redirect your number. They can sell it to robocall operations, and they can pair it with other data to build a more convincing phishing profile. The most important immediate steps are to watch for suspicious texts using your name, enable app-based two-factor authentication (not SMS-based) on your most important accounts, and register your number with the National Do Not Call Registry at donotcall.gov.

Q: I saw the form but did not submit my number — am I safe?

Yes. Simply loading the page cannot expose your phone number — it can only be captured if you typed and submitted it. The page may have recorded your IP address and device type through tracking scripts, but those do not create a safety risk. Close the browser, clear cookies and cached data for that site, and report the URL to the FTC at ReportFraud.ftc.gov. No further action is needed.

You scanned a QR code and a form appeared requesting your phone number. This happens on both legitimate pages and scam pages — the two look nearly identical. What matters is whether you submitted your number and what the page was actually for. Find your scenario below.

If you saw the form but did not submit your number

You are fine. A phone number can only be captured if you typed it and pressed submit. Simply loading the page does not give anyone your number.

Do these three things and move on:

Close the page and do not return to it.
Clear your browser's cookies and cached data for that site — go to your browser settings, find Privacy or History, and clear data for the specific site or for the last hour.
Report the URL at ReportFraud.ftc.gov and to the Anti-Phishing Working Group at reportphishing@apwg.org. This helps get the page taken down before someone else submits their details.

That is all that is needed. No further action is required.

If you submitted your phone number

Your number alone does not give attackers access to your bank account or personal data, but it opens several follow-up attack paths. Take these steps now to limit the fallout:

Watch for smishing texts. Scammers who collect phone numbers via QR forms often follow up with texts impersonating banks, the IRS, FedEx, or USPS. Any text you receive in the coming weeks that contains an urgent link — especially one with a QR code — should be treated as suspicious. Do not tap links in texts from unknown senders.
Switch to app-based two-factor authentication. If any of your important accounts (email, banking, Apple ID, Google) are protected by SMS-based two-factor authentication, a scammer who has your number could attempt a SIM swap — convincing your carrier to transfer your number to a device they control. Switching to an authenticator app (Google Authenticator, Authy, or Apple's built-in passkeys) eliminates this risk. Do this for your email and banking accounts at minimum.
Register with the National Do Not Call Registry. Visit donotcall.gov and add your number. This does not stop scammers, but it reduces legitimate telemarketer calls so that genuinely suspicious calls are easier to identify.
Enable spam-call filtering. On iPhone: go to Settings → Phone → Silence Unknown Callers. On Android: open the Phone app → Settings → Spam and Call Screen → turn on Filter spam calls. Both options significantly reduce unsolicited calls from numbers that show up in scam databases.
Check whether you entered anything else. Many phone-number forms also ask for your name, email, or ZIP code. If you provided those alongside your number, you may receive more targeted phishing follow-up using your real name — be extra skeptical of any contact that opens with personal details.
Report the scam. File a report at ReportFraud.ftc.gov. If you received follow-up texts to your number, forward them to 7726 (SPAM) — this reports them to your carrier's spam filter.

Why scammers collect phone numbers via QR codes

Phone number harvesting through QR codes is a growing tactic because it feels innocuous. Unlike a page asking for your credit card or Social Security number, a phone number form looks like something many real businesses use — and it is. Scammers exploit that familiarity.

Smishing list building

Collected numbers are added to bulk smishing campaigns. The more targeted the original QR context (a restaurant, a pharmacy, a gym), the more convincing the follow-up texts can be — for example, a fake “loyalty reward” text tailored to where the victim scanned.

SIM-swap preparation

A SIM swap lets an attacker redirect your phone number to their device, intercepting SMS two-factor codes for banking and email. Having your phone number is the first step in that research. This is the highest-risk outcome, which is why switching to app-based 2FA is important.

Robocall and data broker sales

Phone numbers collected via fake forms are frequently sold in bulk to telemarketing operations and data brokers. While this is more of an annoyance than a security risk, it can generate a noticeable increase in spam calls within days of submission.

How to tell a legitimate phone number form from a scam

Legitimate businesses do ask for phone numbers via QR codes — for restaurant waitlists, order pickup alerts, or loyalty sign-ups. The difference comes down to context and the URL:

The URL matches the brand. A real restaurant reservation page shows the restaurant's actual domain. A real gym loyalty form shows the gym's official site. Generic domains like “loyalty-rewards-signup.com” or “verify-account-now.net” are red flags regardless of what the page looks like.
The page makes sense for where you scanned it. A QR code on a table tent at a pizza place asking for your number for a waitlist is plausible. An unsolicited QR code on a parking flyer asking for your number to “claim your prize” is not.
No urgency about providing the number. Scam forms frequently say your number is “required to access the menu,” “needed to claim your coupon,” or “necessary to receive your reward.” Genuine opt-ins offer a clear value exchange and are optional.
You chose to visit, not the other way around. If the QR code came from a text, an email, a flyer left on your windshield, or a sticker placed in a public location, the risk is significantly higher than if you scanned a code at a business you deliberately walked into.

Frequently asked questions

Is it a scam if a QR code asks for my phone number?

Not automatically — many legitimate businesses collect phone numbers through QR-linked forms for reservations and loyalty programs. The red flags are a URL that does not match a recognizable brand, urgency language about needing your number to access something, or a QR code that came to you unsolicited rather than being displayed at a physical business you chose to visit.

I submitted my phone number — what can scammers do with it?

Your number can be added to smishing lists, used in SIM-swap research, or sold to robocallers. The most important protective steps are switching to app-based two-factor authentication on your important accounts and watching for suspicious texts in the coming weeks — especially any that contain a link or QR code.

I saw the form but did not submit my number — am I safe?

Yes. Visiting a page cannot expose your phone number. Close the browser, clear the site's cookies and cached data, and report the URL to the FTC at ReportFraud.ftc.gov. No further action is needed.

See where a QR code leads before it asks for anything

QRsafer previews the destination URL and checks it against threat intelligence databases before your browser opens the page — so you know whether a form is coming from a trusted site or a scam before you see it.

Download for iOS Download for Android

I Scanned a QR Code and It Asked for My Phone Number — What to Do

If you saw the form but did not submit your number

If you submitted your phone number

Why scammers collect phone numbers via QR codes

How to tell a legitimate phone number form from a scam

Frequently asked questions

Is it a scam if a QR code asks for my phone number?

I submitted my phone number — what can scammers do with it?

I saw the form but did not submit my number — am I safe?

See where a QR code leads before it asks for anything

Related guides

Product

Contact

Legal

Connect