Signal QR Code Scam: What It Is and What to Do

Someone sent you a QR code in a Signal DM, from a contact, or in a group — claiming it's for account verification, a safety check, or a new feature. Here's the truth: Signal's own device-linking feature can be weaponized to give an attacker silent access to your messages, and a QR code is exactly how it's done.

How Signal QR code scams work

Signal has a legitimate feature called "Link a Device" that lets you connect your Signal account to a tablet or desktop computer. It works exactly the way you'd expect: Signal generates a QR code inside the app's own settings, and you scan it on your secondary device. This is safe — when you initiate it yourself.

The scam flips that process. An attacker opens Signal on their own device and starts the "Link a Device" flow — which generates a QR code unique to their session. They then send that QR code to you disguised as something else:

  1. Fake account-verification or safety-number QR code. The attacker — posing as a contact, a Signal group admin, or "Signal Support" — sends you a QR code claiming you need to scan it to verify your identity, confirm your safety number, unlock a new feature, or prevent your account from being suspended. The moment you scan it using Signal's camera, the attacker's device is linked to your account. From that point on, every message you send and receive is visible to them in real time.
  2. Fake "encrypted file" or external link QR codes in groups. A second variant involves QR codes posted in Signal groups that don't use the device-linking exploit directly. Instead, scanning leads to an external page that prompts you to download a file or log in to a service — delivering malware or harvesting credentials. Because Signal encrypts its messages, users assume anything shared there is inherently trustworthy, which lowers their guard.

Both variants are forms of quishing — using a QR code to deliver a phishing attack. The device-linking variant is especially dangerous because it requires no credentials from the victim and leaves no obvious sign that anything went wrong.
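The two variants can be told apart by the text a QR code decodes to. The Python below is an added example, not part of the original guide and not Signal's or QRsafer's code. It assumes that a "Link a Device" code carries a sgnl://linkdevice URI with uuid and pub_key parameters (tsdevice: on older clients); the function name and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption (not stated in the article): a "Link a Device" QR code encodes a
# URI such as sgnl://linkdevice?uuid=...&pub_key=... (tsdevice: on older clients).
LINK_SCHEMES = {"sgnl", "tsdevice"}
WEB_SCHEMES = {"http", "https"}

ADVICE = {
    "device-link": "Device-linking request: scanning it in Signal links another device.",
    "external-link": "Leaves Signal for a web page: verify the sender before opening.",
    "other": "Not a linking request or web link.",
}


def classify_qr_payload(payload: str) -> str:
    """Classify the text decoded from a QR code that arrived in a message."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return "other"
    scheme = parts.scheme.lower()
    if scheme in LINK_SCHEMES:
        # sgnl:// is also used for other in-app actions; only the linkdevice
        # host with both provisioning parameters is a linking request.
        if scheme == "sgnl" and parts.netloc.lower() != "linkdevice":
            return "other"
        params = parse_qs(parts.query)
        if "uuid" in params and "pub_key" in params:
            return "device-link"
        return "other"
    if scheme in WEB_SCHEMES and parts.netloc:
        return "external-link"
    return "other"


# Constructed sample payloads (placeholder values, not real provisioning data).
SAMPLES = [
    "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLEKEY",
    "  SGNL://LinkDevice?pub_key=EXAMPLEKEY&uuid=EXAMPLE-UUID\n",
    "tsdevice:/?uuid=EXAMPLE-UUID&pub_key=EXAMPLEKEY",
    "https://files.example/encrypted-document",
    "sgnl://linkdevice?uuid=EXAMPLE-UUID",  # incomplete: no key
    "WIFI:S:guest;T:WPA;P:constructed;;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict = classify_qr_payload(s)
        print(f"{verdict:14} {s.strip()[:48]}  -> {ADVICE[verdict]}")
```

A "device-link" verdict on a code that arrived in a message is the first variant; "external-link" is where the second variant begins.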

Why Signal users are targeted

Signal's reputation for security works against its users in this specific scenario:

  • Users trust Signal implicitly. People choose Signal precisely because it's secure. That trust makes them less likely to question a QR code they receive there — especially if it arrives from a contact they know, whose account may already be compromised.
  • The device-linking attack leaves no obvious trace. Unlike a phishing page that asks for a password, scanning a device-linking QR code feels like doing nothing at all. There's no login prompt, no error, no confirmation screen visible to the victim — the attacker's device simply starts receiving a copy of all messages silently.
  • High-value targets use Signal. Journalists, activists, attorneys, executives, and others who handle sensitive communications are disproportionately represented on Signal — making account access extremely valuable to attackers.

The same social-engineering playbook appears in WhatsApp QR code scams and Telegram QR code scams, where attackers exploit each platform's own device-linking or web-login features.

The one rule that protects you

Signal will never ask you to scan a QR code from another person. The only QR codes Signal generates appear inside your own Signal app, under Settings > Linked Devices, when you intentionally start the "Link a Device" flow yourself. Any QR code someone sends you through a message — regardless of who they claim to be — should be treated as a potential attack.

If you receive a QR code in a Signal DM or group, do not scan it using the Signal camera. Close the message and verify with the sender through a different channel (a phone call, or an in-person conversation) before doing anything else.

What to do if you already scanned

Act immediately — the attacker's access begins the moment you scan:

  1. Check and remove linked devices. Open Signal and go to Settings (tap your profile icon) > Linked Devices. Review every device listed. If you see anything you don't recognize, tap it and select "Unlink" immediately. This cuts off the attacker's access.
  2. Change your Signal PIN. Go to Settings > Account > Signal PIN and set a new one. Your PIN is used to register your account and recover your profile — changing it adds another layer of protection.
  3. Enable registration lock. Under Settings > Account, turn on Registration Lock. This requires your PIN to re-register your Signal account on a new device, preventing an attacker from taking over your number.
  4. Warn your contacts. If an attacker had access to your messages, they may have seen who you talk to and what you discussed. Alert the people in your most sensitive conversations so they can be on guard for follow-up attacks.
  5. If you also entered info on an external page: Contact your bank or card issuer immediately to report potential fraud if you entered payment details. Change the password for any account you logged into after scanning.
  6. Report the scam. File a complaint at reportfraud.ftc.gov. If the attacker impersonated someone you know, let that person know their account or contact information may be compromised.

Frequently asked questions

Can scanning a QR code on Signal compromise my account?

Yes, if the QR code was generated by an attacker through Signal's "Link a Device" feature. Scanning it silently links their device to your account, giving them real-time access to your messages. Signal never sends QR codes through messages or groups — the only legitimate Signal QR codes appear inside Signal Settings > Linked Devices when you intentionally add one of your own devices.

How do I check if an unknown device was linked to my Signal account?

Open Signal and go to Settings > Linked Devices. Every device listed there has been linked to your account in addition to your primary phone. If you see one you don't recognize, tap it and select "Unlink" immediately. Then change your Signal PIN under Settings > Account > Signal PIN.

I scanned a QR code someone sent me on Signal — what should I do right now?

Go to Signal Settings > Linked Devices and remove any unrecognized device. Change your Signal PIN immediately. Enable Registration Lock under Settings > Account to prevent re-registration of your number. If you also entered payment or personal info on an external page, contact your bank and file a report at reportfraud.ftc.gov.

See where a QR code leads before your camera opens it

QRsafer checks the destination URL against multiple threat intelligence sources and shows you a Safe, Risky, or Dangerous verdict before anything loads. Free on iOS and Android.
