SoFi QR Code Scam: How It Works and What to Do
You received a QR code claiming to be from SoFi — to verify your account, confirm a suspicious transaction, claim an investment bonus, or collect a referral reward. Here's how the scam works, what SoFi would never actually ask you to scan, and what to do right now.
How the SoFi QR code scam works
SoFi has grown to more than 9 million members who use it for banking, investing, lending, and crypto — all managed digitally with no physical branches. Because everything happens through the SoFi app, members are comfortable acting on mobile alerts, which makes them a high-value target for QR code phishing. Scammers run three main variants:
- Account suspension phishing: A text or email arrives with SoFi's branding and urgent language — “Suspicious activity detected on your SoFi account. Scan to verify your identity or your account will be restricted.” The QR code leads to a cloned SoFi login page designed to steal your username, password, and one-time passcode. Because SoFi has no branches to walk into, customers who fear losing digital-only access respond faster. This is a classic QR code scam text message pattern adapted for fintech users.
- SoFi Invest and crypto bonus scams: Fake “SoFi Invest exclusive bonus” QR codes appear in social media ads or investment communities on Discord and Reddit, promising free stock, trading credits, or crypto rewards. Victims who scan are taken to credential-harvesting pages or fake investment portals designed to look like SoFi's investing interface. SoFi's crypto and fractional-share trading features make investment-themed phishing especially credible to members who are already used to receiving promotional offers.
- Fake member referral scams: SoFi's real referral program is well-known and regularly promoted. Scammers circulate fake “refer a friend, earn $X” QR codes — on social media, in financial forums, and via direct message — that impersonate the official referral flow. Victims who scan hand over their own login credentials and in some cases also share the code with friends, giving attackers a compounding harvest of both referrer and new-user personal and financial details.
Scammers use QR codes specifically because the link is encoded in an image rather than written as text, so it bypasses email security filters that flag suspicious links. The code also shifts the interaction to your phone, where the address bar is minimized and a fake SoFi login page fills the entire screen. This technique is called quishing (QR code phishing), and it is growing fastest among digital-bank and fintech users who expect all interactions to happen on mobile.
What SoFi actually does — and never does — with QR codes
SoFi does use QR codes in limited contexts — for example, for certain in-app features and in controlled marketing campaigns that link to sofi.com pages.
SoFi will never send you an unsolicited QR code to:
- Verify your identity or log you into your account
- Confirm a fraud alert or suspicious transaction
- Restore access to a restricted or frozen account
- Claim an investment bonus, crypto reward, or referral payment
- Download or update the SoFi app
All legitimate SoFi security actions happen inside the SoFi app or at sofi.com — never through a QR code sent via text, email, or social media. If the message creates urgency around your account access, a monetary reward, or an investment offer, treat that urgency as the scam itself.
For a broader picture of how bank QR code scams work across all financial institutions, see our full guide.
What to do right now
Your response depends on what you did after scanning.
If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your SoFi accounts closely for the next 48 hours.
If you entered your login credentials, account number, or a one-time passcode, act immediately:
- Call SoFi fraud support now. The number is 1-855-456-7634. Do not use any phone number provided in the suspicious message — call this number directly.
- Ask them to freeze your account access. This blocks the attacker from initiating transfers, adding external accounts, or changing your contact information while you work through recovery.
- Change your SoFi password from a trusted device on a trusted network — not the device or connection you used when you scanned the code.
- Enable push notifications for all transactions in the SoFi app so every future account activity triggers an immediate alert.
- Review recent transactions across all SoFi products — banking, investing, lending — for any transfers, payee additions, or orders you didn't authorize. Report each one to SoFi as unauthorized.
- File a report with the FTC at reportfraud.ftc.gov and with the CFPB at consumerfinance.gov/complaint.
For a complete recovery checklist, our guide “What to do if you scanned a suspicious QR code” walks through each step in order.
How to protect yourself before you scan
A cloned SoFi login page can look identical to the real thing — right down to the logo, color scheme, and app-style layout. You can't rely on page design alone. Check the destination URL before your browser loads anything.
- Scan with QRsafer first. It checks the destination URL against threat intelligence before your browser opens anything. A credential-harvesting SoFi clone will not pass a threat check — you'll see a warning before any page loads.
- Verify the domain before entering anything. SoFi's real domain is always sofi.com — nothing else. Attackers register lookalikes like sofi-secure-verify.com or sofi-member-portal.net. Check the full URL, not just the page design.
- Never log in to SoFi through a QR code. If a code claims to require your credentials to fix something urgent or claim a reward, open the SoFi app directly instead.
- Call SoFi to verify unexpected messages. Received a text or email with a QR code from “SoFi”? Call 1-855-456-7634 and ask if they sent it. If they didn't, you just avoided the scam entirely.
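The domain check described above, written out as code. This is an added example, not code from SoFi or QRsafer: the function name classifyQrUrl, the verdict strings and the .example hosts are assumptions made for illustration. It goes slightly beyond the text by also rejecting userinfo, subdomain-prefix and punycode tricks that make a URL look like sofi.com at a glance.

```javascript
// Added example: classify a URL decoded from a QR code against the one
// domain the article names as legitimate (sofi.com).
const TRUSTED_DOMAIN = "sofi.com";

function classifyQrUrl(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return { verdict: "reject", reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: `scheme ${url.protocol} is not https` };
  }
  // Text before "@" is userinfo, not the host: https://sofi.com@login.example/
  if (url.username || url.password) {
    return { verdict: "reject", reason: "URL carries userinfo before the host" };
  }
  // URL.hostname is already lowercased; IDN labels arrive punycode-encoded.
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "reject", host, reason: "internationalized (punycode) host" };
  }
  // Exact match or a true subdomain. A bare suffix test without the dot
  // would wrongly accept "notsofi.com".
  if (host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN)) {
    return { verdict: "trusted-domain", host };
  }
  const reason = host.includes("sofi")
    ? "brand name in host, but registered domain is not sofi.com"
    : "unrelated host";
  return { verdict: "reject", host, reason };
}

// Constructed sample inputs; the two lookalike hosts are the ones quoted above.
const SAMPLES = [
  "https://www.sofi.com/login",
  "https://sofi-secure-verify.com/login",
  "https://sofi-member-portal.net/",
  "https://sofi.com.account-check.example/login",
  "https://sofi.com@login.example/",
  "http://sofi.com/",
];
for (const s of SAMPLES) {
  const r = classifyQrUrl(s);
  console.log(r.verdict.padEnd(15), s, r.reason ? `(${r.reason})` : "");
}
```

A "trusted-domain" verdict only says the host is sofi.com or a subdomain of it; the advice to open the SoFi app directly instead of logging in through a scanned link still applies.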
For a broader guide to identifying suspicious codes before you scan, our guide “How to check if a QR code is safe” covers visual and contextual signals across every type of QR scam.
Frequently asked questions
Does SoFi ever send QR codes?
SoFi does not send unsolicited QR codes by text, email, or push notification asking you to verify your account, restore access, or claim a reward. All legitimate SoFi security actions happen inside the SoFi app or at sofi.com. Any unsolicited QR code claiming to be from SoFi is a scam.
What should I do if I scanned a QR code that looked like it was from SoFi?
If you scanned but didn't enter anything, monitor your accounts closely for 48 hours. If you entered login credentials, an account number, or a one-time passcode, call SoFi fraud support immediately at 1-855-456-7634. Ask them to freeze your account access while you change your password and review recent transactions from a trusted device.
Can I get my money back after a SoFi QR code scam?
Your chances improve significantly the faster you act. Call SoFi fraud support at 1-855-456-7634 right away to report unauthorized access and dispute any transactions. Also file complaints with the CFPB at consumerfinance.gov/complaint and the FTC at reportfraud.ftc.gov.
