Truist Bank QR Code Scam: What It Is and What to Do

The four Truist QR code scams you need to know

Truist is one of the most actively impersonated banks in the Southeast and Mid-Atlantic — and attackers have developed four distinct QR code scam patterns targeting its 15 million customers.

1. Smishing texts impersonating Truist fraud alerts

This is the most common variant. You receive a text that looks like a Truist fraud alert — "We detected a suspicious charge of $247.00 on your Truist debit card. Scan to verify or report this charge." The message includes a QR code. Scan it, and you land on a page designed to look exactly like the Truist online banking login. Enter your credentials, and the attacker now has access to your account. This pattern is especially prevalent in the Carolinas, Georgia, Virginia, and Florida — states where Truist has heavy retail banking concentration.

2. Fake Truist One Card rewards mailers

These arrive as physical mail — printed on glossy paper, often featuring the Truist purple logo — claiming you have bonus cash back or points waiting on your Truist One Card. A QR code on the mailer leads to a credential-harvesting page disguised as the Truist loyalty or rewards portal. Because printed mail feels more legitimate than a text, recipients are more likely to trust it and scan without verifying the URL first.

3. QR sticker scams on Truist ATMs

Attackers physically place QR code stickers on Truist ATMs, particularly at standalone kiosks and branch vestibules with less foot traffic and staff supervision. The sticker might say "Scan to report a problem with this ATM" or appear as part of a fake customer-service prompt on the machine. These codes lead to phishing pages or phone-number spoofing pages designed to capture banking credentials or initiate social-engineering calls.

4. Post-merger account migration scams

Truist was formed from the SunTrust and BB&T merger in 2019, and scammers continue to exploit lingering merger confusion. Former SunTrust or BB&T customers still receive emails claiming "Your account migration to Truist is incomplete — scan to verify your new login credentials" or "BB&T accounts not linked to Truist by [date] will be suspended." Because the merger was real and communicated through various channels, these messages can seem plausible. Truist has not sent any migration QR codes — and any message claiming otherwise is a scam.

What Truist never does with QR codes

Truist uses QR codes legitimately in narrow contexts: in-branch marketing, app download campaigns, and promotional materials that link to truist.com. That's it.

Truist will never send you an unsolicited QR code to:

• Verify a suspicious or flagged transaction
• Unlock or unfreeze a frozen account
• Activate, claim, or redeem a reward or cash-back offer
• Complete an account migration from SunTrust or BB&T
• Confirm your identity or re-enter your login credentials

If you need to act on a fraud alert, Truist will direct you to log in through the Truist Mobile app or at truist.com — not through a QR code sent by text or email. Any QR code claiming urgent action on your Truist account is a red flag.

What to do right now

Your response depends on what happened after you scanned.

If you scanned but didn't enter any information: Your risk is low. Close the page, don't return to it, and monitor your Truist account activity for the next 48 hours.

If you entered your Truist username, password, or a one-time passcode, act immediately:

1. Call Truist fraud at 1-844-4TRUIST (1-844-487-8478). This is Truist's dedicated fraud line. Tell them you believe your credentials were compromised through a phishing QR code and ask them to flag your account and freeze online banking access.
2. Change your Truist online banking password from a trusted device on a trusted network — not the device or network you used to scan. Use the Truist Mobile app or go directly to truist.com.
3. Enable login alerts in the Truist Mobile app. Go to Settings → Alerts to get notified of any login from a new device or location.
4. Review recent transactions for any unauthorized transfers, new payees, or bill-pay changes you didn't set up. Report anything suspicious to Truist fraud immediately.
5. File a report with the FTC at reportfraud.ftc.gov and submit a complaint to the CFPB at consumerfinance.gov/complaint.

For a complete step-by-step recovery guide after any suspicious scan, what to do if you scanned a suspicious QR code walks through each step in order.

How to protect yourself before you scan

Truist QR code scams are effective because the messages look legitimate — correct logo, correct tone, plausible urgency. Protection means checking the URL before your browser loads anything.

• Use QRsafer to preview the URL first. QRsafer checks the destination against threat intelligence sources and returns a Safe, Risky, or Dangerous verdict before anything loads in your browser. A phishing page impersonating Truist will not pass a URL check.
• Verify any QR code leads to truist.com. Truist's real domain is truist.com — nothing else. Attackers use lookalikes like truist-secure-verify.com, truist-fraud-alert.net, or truist-onecard-rewards.com. Check the full URL before entering anything.
• Never log in to Truist through a QR code in a text or email. Even if the message looks real, open the Truist Mobile app directly or go to truist.com in your browser. It takes ten extra seconds and completely eliminates the phishing risk.
• Call Truist to verify unexpected messages. If you receive a text or mailer with a Truist QR code, call 1-844-4TRUIST before scanning. Truist fraud support can confirm in seconds whether the message was legitimate.

Frequently asked questions