I Scanned a QR Code and It Started a Phone Call — Is It a Scam?

What just happened: tel: QR codes

QR codes can encode more than website URLs. A QR code containing a tel: URI — such as tel:+19005551234 — instructs your phone to open the native dialer with that number ready to call. On most modern iPhones and Android devices, the dialer opens and waits for you to tap the call button, giving you a moment to decide. On some older Android devices or in certain in-app scanners, the call may connect automatically without asking first.

This behavior is not a bug — it is a legitimate phone feature used by businesses for click-to-call QR codes on storefronts, business cards, and menus. The problem is that scammers exploit the same mechanism to connect you to premium-rate numbers that bill your carrier account by the minute, or to route you to a live scammer who will attempt to extract money or personal information over the phone.

Scenario 1: The dialer opened but you didn't call

If your phone opened the dialer with a number pre-filled and you declined, hung up, or pressed “cancel” before the call connected, your risk is very low. No call was placed, no data was transmitted, and you were not charged. Simply close the dialer and move on.

You may want to note the pre-filled number for future reference, but you do not need to take any further action if the call never connected.

Scenario 2: The call connected — what's the real risk?

If the call connected, the risk depends on the type of number:

• Premium-rate domestic numbers (1-900-…). These numbers can charge several dollars per minute, billed directly to your phone carrier account. Even a short call — a few rings before you hang up — can generate a charge. US carriers are required to offer premium-rate blocking; call your carrier and ask them to apply it.
• International numbers. Calls to international numbers, especially in countries with high per-minute carrier rates (certain Caribbean, Pacific Island, or African country codes), are a well-known fraud vector. The charges appear on your bill as standard international calls. Your carrier can dispute them once.
• Carrier-billed short codes. Some short codes can trigger charges when a call is placed or when a text is sent after the call. These are less common but used in subscription scams.
• A live scammer on the line. Even a regular phone number can connect you to someone posing as tech support, a bank fraud department, a prize organization, or a government agency. These social engineering calls are designed to pressure you into giving up passwords, Social Security numbers, or payment details. If the person who answered was unexpected and asked for any personal information or payment, treat it as a scam call.

These QR codes are deliberately placed where people trust them — tourist information boards, fake “call for help” signs in parking lots, stickers on ATMs, and business-directory posters. The goal is to route an unsuspecting caller to a premium-rate or scammer-controlled number before they realize what happened.

What to do right now

1. Check your recent call list. Open your phone's call log and note the exact number that was dialed or that called back. Write it down — you will need it for disputes and reports.
2. Search the number in a reverse-phone lookup. Free services such as 800notes.com, WhoCalledMe.com, or the FTC's complaint search can confirm whether the number is associated with known scams or premium-rate fraud.
3. Do not call the number back. Even if you are curious, calling back can start a billing cycle on premium-rate numbers or give the scammer a second attempt.
4. Contact your carrier's fraud line. If the call connected to a premium-rate or international number, call your carrier's customer service or fraud line and explain what happened. Ask them to block future premium-rate calls and dispute any resulting charges. Most major US carriers (Verizon, AT&T, T-Mobile) will reverse one fraudulent premium charge per account.
5. Report it to the FTC. File a report at ReportFraud.ftc.gov. Include the phone number, the location where you scanned the QR code, and any charges you incurred. FTC reports inform enforcement and help other consumers.
6. If you gave personal information to the person who answered, treat this as a social engineering incident. See the full recovery checklist for steps based on what you disclosed.

How to prevent this from happening again

The core problem is that your phone acted on the QR code before you could see where it was sending you. Scanning with QRsafer puts a verification step between the scan and any phone action — the app checks the destination and flags tel: links to suspicious or known-fraud numbers before your dialer opens.

• Scan unfamiliar QR codes with QRsafer first. QRsafer previews the encoded content — including tel: URIs — and warns you before your phone takes any action.
• Be skeptical of QR codes that prompt you to call. Legitimate businesses that use click-to-call QR codes display the phone number clearly alongside the QR code. If the number is hidden inside the code with no visible text, that is a red flag.
• Ask your carrier about premium-rate blocking. All major US carriers offer free or low-cost blocking of 1-900 and international premium-rate calls. Enable it proactively.

Frequently asked questions