I Scanned a QR Code and It Sent Me to a Fake Login Page — What to Do Now
You scanned a QR code, a login page appeared, and something felt wrong. That instinct was probably right. QR codes that lead to fake login pages are one of the most common forms of phishing today. Here is how to confirm what happened, whether you are at risk, and exactly what to do next.
Why attackers use QR codes to deliver fake login pages
A traditional phishing link in an email or text shows you the destination URL before you click. That triggers suspicion — or gets caught by spam filters. A QR code hides the URL entirely. By the time you see the page, your browser has already loaded it.
Attackers build fake login pages that visually copy the real thing: same logos, fonts, colors, and layout. The only difference is the URL in the address bar — which most people never check. Common targets include Apple ID, Google, Microsoft, bank portals, PayPal, and corporate email systems.
This technique is known as quishing — QR code phishing. It has grown sharply because it bypasses the URL-scanning filters that email security tools use to block traditional phishing links. The QR code itself is just an image; security software cannot inspect what it encodes until after the scan.
How to confirm the page was fake
The URL in the address bar is the definitive tell. Look at the domain — the part just before the first single slash. In https://accounts.google.com/login, the domain is google.com. A fake page might use google-accounts-verify.com or accounts.google.secure-login.net — the word “google” appears, but the actual domain is different.
- Misspellings or extra words: paypa1.com, appleid-support.com, microsoft-verify.org
- Suspicious extensions: Domains ending in .xyz, .top, .info, .click, or .online are commonly used for phishing because they are cheap to register
- Hyphens in the domain: bank-of-america-login.com is not Bank of America — it is a phishing site
- A padlock icon is not proof of safety: It only means the connection is encrypted. Phishing pages routinely have valid HTTPS certificates
If you did not save the URL, check your browser history for the address you visited.
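The domain check described above can be scripted for a URL copied out of browser history. This is an added example, not part of the original article or of any product it mentions; the function names, the flag labels and the short two-label suffix list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# TLDs the article lists as cheap and commonly used for phishing.
CHEAP_TLDS = {"xyz", "top", "info", "click", "online"}
# Assumption: a tiny sample of two-label public suffixes. A production
# check would consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Digit-for-letter swaps such as paypa1 -> paypal.
LOOKALIKES = str.maketrans("10", "lo")


def registrable_domain(url):
    """Return the domain that actually owns the host (e.g. google.com)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_login_url(url, expected):
    """Compare a visited URL with the real service's registrable domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(url)
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if domain == expected:
        return domain, flags  # exact match: the only result that counts
    flags.append("domain-mismatch")
    brand = expected.split(".")[0]
    if brand in host.translate(LOOKALIKES):
        flags.append("brand-name-in-wrong-domain")
    if "-" in domain:
        flags.append("hyphenated")
    if domain.rsplit(".", 1)[-1] in CHEAP_TLDS:
        flags.append("cheap-tld")
    return domain, flags


# Constructed sample URLs, using the domains quoted in the article.
SAMPLES = [
    ("https://accounts.google.com/login", "google.com"),
    ("https://accounts.google.secure-login.net/login", "google.com"),
    ("https://paypa1.com/signin", "paypal.com"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(url, "->", check_login_url(url, expected))
```

Only an exact match on the registrable domain counts as genuine; the other flags just explain why a mismatching address looked convincing.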
What to do now — based on what you did on the page
If you closed the page without entering anything
Your risk is low. A web page cannot steal credentials you never typed. Clear your browser cache as a precaution, and watch your accounts for unusual activity over the next day or two. If the page triggered an unexpected download or install prompt, investigate that separately.
If you entered your username or password
Act immediately — attackers run automated tools that test stolen credentials within minutes of capture.
- Change the password right now. Open a new tab, type the real service's address yourself, log in, and update your password to something unique.
- Sign out of all active sessions. Google, Apple, Microsoft, and most banks offer a “sign out everywhere” or “active sessions” option in security settings. Use it to end any session the attacker may have already created.
- Turn on two-factor authentication. Even with your password, an attacker cannot log in without your phone or authenticator app.
- Check for password reuse. If you use the same password anywhere else, change it on every account where it appears — prioritize email, banking, and payment apps.
- For financial accounts, call the fraud line on the back of your card. Report the incident and ask them to watch for suspicious transactions.
- Check your email for unauthorized rules. Attackers who capture email credentials often add forwarding rules to intercept your messages. In Gmail: Settings → See all settings → Filters. In Outlook: Settings → Rules.
Frequently asked questions
How do I know if the login page I reached by scanning was fake?
Check the URL in your browser history. The domain — the part just before the first single slash — must exactly match the real service. “apple.com” is real; “apple-id-verify.net” or “appleid.secure-login.com” are fake. Misspellings, hyphens, extra words, and unusual extensions (.xyz, .top, .info) are all red flags. A padlock icon proves nothing — it only means the connection is encrypted.
What should I do if I entered my password on the fake login page?
Change the password immediately by navigating directly to the real service yourself. Sign out of all active sessions, enable two-factor authentication, and change the same password anywhere else it appears. For bank or payment accounts, call the fraud line now. Attackers process stolen credentials within minutes, so speed is critical.
Is it dangerous if I landed on a fake login page but did not enter anything?
Your risk is low if you did not type any information. A page cannot steal credentials you never entered. Clear your browser cache, do not revisit the URL, and watch your accounts for the next 24–48 hours. If the page triggered any unexpected behavior — downloads, install prompts, or device slowness — run a security scan on your device.
See where a QR code goes before the page loads
QRsafer checks the destination URL before your browser opens it and returns a Safe, Risky, or Dangerous verdict — so a fake login page never gets a chance to appear. Download the app and scan with confidence.
