Max (HBO Max) QR Code Scam: What It Is and What to Do

How the Max (HBO Max) QR code scam works

Scammers run three main variants of this attack:

1. “Payment failed” account suspension phishing. You receive a text or email with Max branding claiming your payment method was declined and your account will be deactivated. A QR code directs you to “update your billing info now.” The code leads to a convincing fake Max login page that collects your email, password, and credit card number. Because Max is frequently bundled with internet or mobile plans, a compromised account can expose both the streaming service and the payment method on file.
2. “Max Ultimate ad-free upgrade” promotion scam. A text message, social media ad, or flyer near college campuses or apartment buildings promises a free upgrade to the ad-free Max Ultimate plan — just scan the QR code to “apply the offer to your account.” The destination requests your Max login to “verify eligibility,” harvesting your credentials and stored payment details in the process.
3. Rebranding confusion scam. When HBO Max rebranded to Max in May 2023, scammers immediately sent fake “complete your Max account transition” QR codes to existing HBO Max users. These mimicked a mandatory migration that Warner Bros. Discovery never actually required — but millions of subscribers had received genuine rebrand communications, making the fake ones difficult to distinguish. Scammers continue to exploit major brand rebrands the same way every time they happen.

All three variants use urgency, brand trust, and the visual authority of a QR code to bypass your skepticism. Using a QR code instead of a typed link also bypasses spam filters that flag suspicious URLs — a technique security researchers call quishing.

How Max account management and device activation actually work

Knowing the real process makes the fake one easy to spot:

• Billing problems — Max notifies you through the Max app or a verified email from max.com. You update payment info inside the app or at max.com/account. Max never texts you a QR code to collect payment.
• Account upgrades — Plan changes happen through Settings inside the Max app or at max.com. Max does not send unsolicited QR codes offering free plan upgrades.
• Device activation — Your TV or streaming device displays an activation code. You visit max.com/activate on your phone or computer and type the code shown on the TV screen. You do not scan an external QR code from a text or email to activate a device.
• Rebranding or account migrations — Warner Bros. Discovery never required existing HBO Max subscribers to complete a migration via QR code. Any future rebrand or platform change will be announced through in-app notifications and verified emails from a max.com or wbd.com domain — never via an unsolicited QR code.

If what you received doesn't match one of those four flows, it is a scam.

Red flags to recognize before you scan

• Any QR code in a billing or suspension text or email. Max does not use QR codes in texts or emails for account management, payment collection, or fraud alerts.
• Urgency language. Phrases like “your account will be deactivated in 24 hours” or “act now to keep your subscription” are pressure tactics designed to make you scan before you think.
• A sender address that isn't from max.com or wbd.com. Check the full email address, not just the display name. Scam emails frequently come from addresses like “max-billing@accounts-notify.net.”
• The URL behind the QR code isn't max.com. Scan any suspicious code with QRsafer first — it shows you the destination URL before your browser opens it. If the domain is not max.com, do not proceed.
• A social media ad or flyer offering a free plan upgrade. Max plan changes happen only inside the Max app or at max.com — not through QR codes in social media ads, DMs, or printed flyers.

What to do if you already scanned the QR code

Your next steps depend on what you did after scanning:

1. If you entered your credit or debit card number: Call your bank or card issuer immediately to report potential fraud and request a replacement card number. The sooner you call, the better your chances of stopping unauthorized charges. See I scanned a QR code and it asked for my credit card for a full checklist.
2. If you entered your Max email and password: Go directly to max.com — type it into your browser, do not use any link from the suspicious message — and change your password immediately. Then sign out of all devices in your Max account settings.
3. If you reuse that password on other accounts: Change it on every other account, starting with your email and any financial accounts. A stolen Max password is most dangerous when it unlocks higher-value accounts that share the same credentials.
4. If you only scanned and looked — but entered nothing: You are most likely fine. Opening the page by itself does not install malware or compromise your account on modern iOS or Android devices. The risk is in what you do after the page loads.
5. Report the scam. Forward the phishing text or email to the FTC at reportfraud.ftc.gov and to Max support at max.com/support.

For the complete step-by-step recovery guide, see what happens if you scan a fake QR code.

Frequently asked questions