QRsafer LogoQRsafer

I Scanned a QR Code and Someone Is Using My Identity — What to Do Right Now

You scanned a QR code, entered personal details on what turned out to be a phishing page, and now someone is opening accounts, filing taxes, or making purchases in your name. Here is the exact sequence of steps to contain the damage and begin recovery.

Do these five things immediately — in this order

  1. Freeze your credit at all three bureaus — right now. A credit freeze is free, reversible, and blocks any new credit application from being approved in your name. Contact each bureau separately:
    • Equifax: equifax.com/personal/credit-report-services or 1-800-685-1111
    • Experian: experian.com/freeze/center.html or 1-888-397-3742
    • TransUnion: transunion.com/credit-freeze or 1-888-909-8872
    Freezing at one bureau does not automatically freeze the others — you must contact all three. You will receive a PIN or code to lift the freeze when you need to apply for legitimate credit in the future.
  2. Place a fraud alert. After freezing, call any one of the three bureaus and place a one-year fraud alert. The bureau you contact is required by law to notify the other two. A fraud alert instructs lenders to take extra steps to verify your identity before extending credit — it is a secondary layer on top of the freeze.
  3. File an identity theft report with the FTC at IdentityTheft.gov. This generates a personal recovery plan, pre-fills dispute letters for creditors, and creates an official FTC Identity Theft Report — a document many banks and creditors require before they will remove fraudulent accounts from your record. It also protects you legally by establishing the date and nature of the theft.
  4. File a report with the FBI's Internet Crime Complaint Center at IC3.gov and with your local police department. Ask your local police for a copy of the police report number — you will need it when disputing fraudulent accounts with creditors, and many banks require it before honoring a fraud claim. Because QR code phishing is internet-facilitated fraud, the IC3 report is the federally appropriate channel.
  5. Monitor all financial accounts and change every password tied to a compromised email address or credential. Review bank statements, credit card transactions, and brokerage accounts for unauthorized activity. Change passwords for any account that shares a username or password with whatever you entered on the phishing page. Enable two-factor authentication on every account — using an authenticator app, not SMS, where possible.

What scammers do with your information — and what it means for you

The steps above matter most because of what identity thieves actually do with stolen data:

  • SSN + date of birth: Fraudsters open new credit cards, personal loans, and lines of credit. They may file a fraudulent tax return in your name to collect your refund before you file — if you think this may have happened, request an IRS Identity Protection PIN at ips.irs.gov. This is a six-digit PIN that blocks anyone but you from electronically filing a return using your SSN.
  • Driver's license number: Used to pass identity checks at financial institutions, or to commit criminal identity theft (giving your ID to law enforcement during an arrest). Contact your state DMV to flag the number and request a replacement.
  • Financial account details: Used to drain accounts, initiate wire transfers, or set up ACH debits. For banking fraud, see our guide on scanning a QR code and entering bank details.
  • Login credentials: Used to access existing accounts for direct theft, or to reset other accounts via password recovery emails. Change credentials immediately and end all active sessions.

If you are unsure exactly what information you entered, assume the worst case and follow all five steps above regardless. Over-reporting costs you an hour; under-reporting can cost you years of credit recovery.

How QR codes lead to identity theft

The most common vectors are fake government forms and fake financial portals. A QR code in a mailed notice impersonating the IRS, Social Security Administration, Medicare, or DMV directs the victim to a phishing page that looks pixel-perfect — same seals, same fonts, same layout. The page asks for SSN, date of birth, license number, or banking details under the guise of “identity verification.” Because the context feels official, victims comply.

QR codes are used instead of plain links because they bypass email security filters, redirect the interaction to a mobile browser where the address bar is minimized, and carry an implied legitimacy — people associate QR codes with authoritative sources like government agencies and banks. This technique is called quishing.

If you entered your information on a fake government page, you may also want to review the specific guides for scanning a QR code that asked for your SSN and scanning a QR code that asked for your personal information.

Frequently asked questions

What is the difference between a credit freeze and a fraud alert?

A credit freeze blocks lenders from accessing your credit report entirely, which prevents new accounts from being opened in your name. It is free and reversible. A fraud alert signals lenders to verify your identity before extending credit, but does not block access to your report. A credit freeze is the stronger protection when you believe your information has been stolen.

How quickly do I need to act after QR code identity theft?

As fast as possible — ideally within hours. Fraudsters move quickly to open new credit lines or file fake tax returns before victims notice. A credit freeze placed today blocks account-opening fraud immediately. The sooner you report to the FTC at IdentityTheft.gov, the stronger your legal standing for disputes.

Can a QR code directly steal my identity?

Scanning a QR code alone does not steal your identity. Identity theft occurs when you enter personal details — SSN, date of birth, driver's license number, or financial account information — into a fake website the QR code directed you to. The QR code is the delivery mechanism; the phishing page does the harvesting. If you only scanned and the page loaded but you entered nothing, your risk is low.

Do I need a police report for QR code identity theft?

Yes. A police report — or the FTC Identity Theft Report from IdentityTheft.gov — is required by many creditors, banks, and agencies to dispute fraudulent accounts. It also establishes a timeline that protects you legally. File with IC3.gov in addition to local police since QR code phishing is internet-facilitated fraud.

Stop identity theft before it starts

QRsafer checks the destination URL of any QR code before your browser opens it — so you can see whether it leads to a real government or financial site, or a phishing page, before entering a single character.

Download for iOSDownload for Android

Related guides