TD Bank QR Code Scam: What It Is and What to Do

Why TD Bank is impersonated in QR scams

TD Bank is one of the ten largest banks in the United States and the fifth-largest in Canada — which makes it a high-value impersonation target across the US Northeast and across Canada. Scammers exploit TD Bank's trusted brand to craft convincing fraud alerts and rewards offers, knowing a large share of recipients are real TD customers who will find the messages credible.

The scam arrives through four main channels:

• Smishing texts impersonating TD fraud alerts: A message arrives with TD Bank's branding and a line like “We detected suspicious activity on your account. Scan the code below to verify the transaction or your account will be restricted.” The QR code leads to a pixel-perfect TD Bank login clone designed to steal your credentials.
• Fake TD Rewards or TD Cash Back QR codes: Physical mailers or emails that mimic TD's reward program communications, promising bonus points or cash-back if you scan a code to “activate your reward” or “confirm your enrollment.” The link harvests your TD Bank login and personal details.
• QR sticker scams on TD Bank ATMs: Fraudulent QR code stickers placed over legitimate QR codes on TD Bank ATM screens or branch-lobby materials, redirecting you to a fake td.com login page when you try to access your account or use a self-service feature.
• Fake “account hold” or “security verification” emails: Emails with TD Bank branding claiming that your account has been placed on hold or that a mandatory security re-verification is required. A QR code is presented as the only way to restore access — it leads to a phishing page that collects your banking credentials.

Using a QR code instead of a plain link is deliberate. It bypasses email security filters that flag suspicious URLs, and forces you onto your phone — where the fake login page fills the screen and the URL bar is easy to miss. This technique is called quishing, and it is rising specifically because mobile browsers make URLs harder to inspect.

What TD Bank actually does — and never does — with QR codes

TD Bank does use QR codes in limited, controlled ways:

• In-branch marketing materials linking to the TD Bank Mobile app download
• Some in-branch self-service kiosk features
• Deep links embedded inside the TD Bank Mobile app itself

TD Bank will never send you an unsolicited QR code to:

• Verify your identity or log you into your account
• Respond to a fraud alert or confirm a suspicious transaction
• Unlock a restricted or suspended account
• Claim a reward, activate cash back, or enroll in a promotion
• Complete a mandatory security re-verification

Every legitimate TD Bank security action happens inside the TD Bank Mobile App or at tdbank.com — not through an unsolicited QR code sent by text, email, or mailer. If a code claims to require your banking credentials to resolve something urgent, that urgency is the scam.

For more on how bank QR code scams work across all financial institutions, see our full guide.

What to do right now

Your response depends on what you did after scanning.

If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your TD Bank accounts closely for the next 48 hours.

If you entered your login credentials, card number, or a one-time passcode, act immediately:

1. Call TD Bank fraud support now. Call 1-888-751-9000 — TD Bank's dedicated fraud line is available 24/7. Do not use any phone number or contact info in the suspicious message.
2. Ask them to freeze your online banking access. This blocks the attacker from draining your account or making transfers while you work through recovery.
3. Change your TD Bank password from a trusted device on a trusted network — not the device or connection you used when you scanned the code.
4. Enable login alerts in the TD Bank Mobile App security settings so you receive immediate notifications for any account access going forward.
5. Review recent transactions for any charges, transfers, or payee changes you did not make. Report each one to TD Bank as unauthorized.
6. File a report with the FTC at reportfraud.ftc.gov and with the CFPB at consumerfinance.gov/complaint.

For a complete recovery checklist that covers every type of financial QR scam, what to do if you scanned a suspicious QR code walks through each step in order.

How to protect yourself before you scan

The scam works because the fake TD Bank page looks right. You cannot rely on the design — you need to check the URL before your browser opens anything.

• Scan with QRsafer first. It analyzes the destination URL against threat intelligence sources and returns a verdict before your browser loads anything. A cloned TD Bank login page will not pass a threat check.
• Verify the domain before entering anything. TD Bank's real domain is always tdbank.com — nothing else. Attackers use lookalikes like td-secure-verify.com or tdbank-alert.net. Check the full URL, not just the logo on the page.
• Never log in to TD Bank through a QR code. If a code claims to require your banking credentials, open the TD Bank Mobile App directly instead. Take ten seconds to do it the right way.
• Call TD Bank to verify unexpected messages. Got a text, email, or mailer with a QR code from TD Bank? Call 1-888-751-9000 and ask if they sent it. If they did not, you just avoided the scam entirely.

For a broader guide to identifying suspicious codes in real time, how to spot a malicious QR code before you scan covers visual and contextual signals across every type of QR scam.

Frequently asked questions