I Scanned a QR Code and Started Getting Spam Texts — What to Do
You scanned a QR code, and now your phone is filling up with spam texts, robocall attempts, or suspicious phishing messages. The timing feels too coincidental to ignore — and you are probably right. Here is exactly what happened and what you should do now.
The short answer
A QR code itself cannot read your phone number or subscribe you to anything. But the site it led you to may have collected your number if you filled out a form — or inferred it from a logged-in account. Your number then likely went onto a spam or smishing list. The spam is annoying and can escalate to targeted phishing, but it is manageable with the steps below.
How the QR code led to spam texts
There are three ways a scan can result in your number landing on a spam list:
1. You submitted your phone number on the destination site
The most common path. You arrived at a page that looked like a menu, a coupon claim, a loyalty sign-up, or a contest entry — and it asked for your phone number. Scam sites that collect numbers this way almost always sell them immediately to bulk SMS marketing operations and smishing campaigns. The wave of texts you are seeing now is the result.
2. The site matched your device to an existing account
If you were logged in to Google, Facebook, or another service when the page loaded, a tracking pixel or browser fingerprinting script could associate your device with a profile that already contains your phone number — without you typing anything. This is less common but increasingly used on sophisticated phishing pages.
3. The site submitted your number to SMS marketing lists on your behalf
Some scam pages bury an opt-in in their terms or silently trigger an SMS subscription by sending a text from your device using a tel: link. If you tapped a “text us” button or the site prompted you to send a message, you may have unknowingly opted in to a marketing list that sold or shared your number.
What a QR code cannot do on its own: read your SIM card, access your contacts, query your carrier for your number, or register your number anywhere without your interaction. The risk is always at the destination — not in the scan itself.
What to do right now
- Forward every spam text to 7726 (SPAM). This five-digit shortcode is supported by AT&T, Verizon, T-Mobile, and most US carriers. It feeds your carrier's automated spam filter and helps block the sending number network-wide. Do this for each new spam text you receive.
- Block and report in your messaging app. On iPhone: open the message from an unknown sender, scroll to the bottom, tap Report Junk. On Android: open the message, tap the three-dot menu, select Block and report spam. This adds the number to Apple's and Google's shared spam databases.
- File a complaint at ReportFraud.ftc.gov. Include the sending phone number and any URLs in the texts. The FTC uses these reports to identify and shut down bulk SMS fraud operations.
- Check what you submitted on the original site. Try to recall what fields were on the page the QR code took you to. If you only submitted your phone number, follow the steps above. If you also submitted your name, email, address, or any financial info, you will need to take additional protective steps for those data types as well.
- Switch to app-based two-factor authentication. If your bank, email, or any important account uses SMS codes as your second factor, a scammer who has your phone number could attempt a SIM swap to intercept those codes. Move to an authenticator app — Google Authenticator, Authy, or Apple's built-in passkeys — for at minimum your email and banking accounts.
- Register at donotcall.gov. This will not stop scammers, who ignore the registry. But it reduces legitimate telemarketer calls, so any suspicious call stands out more clearly.
- Enable spam filtering on your phone. On iPhone: Settings → Phone → Silence Unknown Callers. On Android: Phone app → Settings → Spam and Call Screen → Filter spam calls. These settings significantly reduce the call volume from numbers that appear in scam databases.
What to watch for in the coming weeks
Generic blast spam will taper off as your reports take effect. The more dangerous follow-up is targeted smishing — texts that use your name or reference the context of the original scan (for example, a fake “loyalty reward” from a restaurant brand the QR code impersonated). These look more credible because they include real-sounding details.
- Any text with an urgent link — especially from a number you don't recognize — should be treated as suspicious regardless of how legitimate it looks.
- Texts claiming to be from your bank, the IRS, FedEx, USPS, or a streaming service are among the most common follow-up attacks. Do not tap any link. Go directly to the official app or website instead.
- Any text with another QR code embedded or asking you to scan something again is almost certainly an escalation attempt. Use QRsafer to preview the destination URL before opening any QR code — the app shows you the full URL so you can verify the domain before the page loads.
Frequently asked questions
Can a QR code automatically sign me up for spam texts without me doing anything?
No. A QR code is just a link — it cannot read your phone number, contact your carrier, or subscribe you to anything on its own. Your number had to be submitted on a form at the destination site, or inferred from a logged-in session via a tracking script. The QR code was just the entry point.
How do I stop the spam texts?
Forward every spam text to 7726 (SPAM) — supported by all major US carriers. Report and block each sender in your messaging app. File a complaint at ReportFraud.ftc.gov. Enable spam filtering in your phone settings (Silence Unknown Callers on iPhone; Filter spam calls on Android). Volume will decrease over days as your reports feed carrier and platform blocklists.
Should I be worried about something worse than spam texts?
If you only loaded the page without submitting anything, spam texts from this scan are unlikely. If you filled out a form with your phone number, watch for targeted smishing follow-ups and consider switching to app-based two-factor authentication on your email and banking accounts to protect against SIM-swap attempts.
Preview where a QR code goes before it can collect anything
QRsafer shows you the full destination URL and checks it against threat intelligence databases before your browser opens the page — so you can see the domain and decide whether to proceed before any form ever loads.