Is the QR Code at Home Depot Safe to Scan? Here's the Quick Answer

Where Home Depot legitimately uses QR codes

Home Depot uses QR codes in several well-defined places across its stores and digital channels:

• Product shelf labels and signage. Many Home Depot product displays include a QR code that links to the product's homedepot.com page, specifications, how-to videos, or the Home Depot app. Legitimate codes always resolve to homedepot.com.
• Product packaging and manuals. Manufacturers print QR codes on boxes, installation guides, and warranty cards that link to setup videos or brand support pages. These are generally safe, though counterfeit packaging is a known fraud vector for certain tool and hardware categories.
• Pro Xtra loyalty program. Contractors and Pro customers use QR codes in the Home Depot app to manage purchases, claim perks, and access volume pricing. These are app-generated codes that always point to official Home Depot infrastructure.
• In-store kiosks and self-checkout. Home Depot kiosks may display QR codes for order lookups or promotional activations. Codes on official equipment are safe; the risk is a sticker placed over the real code between staff inspections.
• Email and direct-mail promotions. Home Depot sends promotional emails and mailers to both consumer and Pro Xtra customers that sometimes include QR codes for seasonal deals or rebates. Legitimate Home Depot emails come from addresses ending in @homedepot.com. Any other sender domain is a red flag.

The three scenarios — and their real risk level

1. In-store product and shelf QR codes — low risk

QR codes embedded in official Home Depot product displays and shelf labels are generated and managed by Home Depot or verified manufacturers. The risk is physical tampering — a bad actor places a pre-printed sticker over the real code in seconds. This is the same attack seen at grocery stores and Walmart. Before scanning, run your fingernail lightly over the code — a raised edge or misalignment suggests a sticker has been applied. The URL preview after scanning should begin with homedepot.com. If it doesn't, close the browser immediately and alert a store associate.

2. Pro Xtra and contractor emails with QR codes — moderate risk

Home Depot is one of the most-impersonated home improvement brands in contractor- targeted phishing campaigns. Scammers send emails that look like official Pro Xtra volume-pricing offers, account-verification notices, or exclusive contractor promotions — each with a QR code that leads to a convincing fake homedepot.com login page designed to steal Pro account credentials and stored payment methods.

Contractors are high-value targets because their accounts often have purchase-order history, stored card details, and saved job-site addresses. Before scanning any QR from an email claiming to be from Home Depot Pro: verify the sender's email domain is exactly @homedepot.com (not homedepot-pro.com, homedepotpro.net, or any variation). When in doubt, sign in directly at homedepot.com rather than scanning the code.

3. Rebate and discount flyers with QR codes — high risk

Fake Home Depot rebate scams are a well-documented fraud pattern. Counterfeit flyers — printed to look like official Home Depot or manufacturer rebate forms — circulate in parking lots, are pinned to community boards, and spread on social media. The QR code on the flyer leads to a fake rebate-submission page that harvests your name, address, email, phone number, and sometimes card details "to issue your rebate check."

Real Home Depot rebates are submitted through the manufacturer's official rebate portal or at homedepot.com/rebates — never through a QR code on an unofficial flyer. If you received a flyer that was not in-store or part of a confirmed purchase receipt, treat the QR code as high risk and verify directly at homedepot.com before submitting any information. See also: fake coupon and discount QR code scams.

The one-second check before you scan

After your phone decodes a QR code, it shows a URL preview before opening the browser. Glance at it — the address should begin with homedepot.com (or a Home Depot app deep-link). If the URL contains a hyphen, extra words, or an unfamiliar domain (e.g., homedepot-rebates.com, pro-homedepot.net), close the prompt and don't scan.

• Use QRsafer. QRsafer reads the QR code and checks the destination URL against threat intelligence before your browser loads anything — delivering a safety verdict in under a second, even for shortened or redirected links.
• Check for sticker overlays. Lightly touch the QR code surface. A sticker feels slightly raised at the edges compared to a printed code.
• Verify the sender domain. For emails and mailers, confirm the message comes from an @homedepot.com address before trusting any QR code inside it.
• Confirm rebates at homedepot.com directly. Never submit rebate information via a QR code from an unofficial source — always go to the official Home Depot website or the manufacturer's rebate portal.

What to do if you already scanned and something felt off

1. Close the page immediately without entering any credentials, card details, or personal information. Do not tap any buttons on the suspicious page.
2. If you entered your Home Depot login: go to homedepot.com and change your password right away. Review your Pro Xtra account, saved payment methods, and recent order history for any unauthorized activity. Enable two-factor authentication if available.
3. If you entered payment or card details: call your bank or card issuer immediately to report potential fraud and request a card replacement. Credit card disputes are covered under the Fair Credit Billing Act.
4. Tell a Home Depot associate. Point out the QR code on the display or shelf label. If it's a sticker swap, they can remove it and protect other shoppers and contractors.
5. File a report at reportfraud.ftc.gov with any screenshots of the code and the page it opened. Reports help the FTC track and disrupt scam operations.

Frequently asked questions