TSA PreCheck / Global Entry QR Code Scam: What It Is and What to Do
You received a text, email, mailer, or saw an ad with a QR code to renew your TSA PreCheck or Global Entry membership. Before you scan: neither TSA nor U.S. Customs and Border Protection sends QR codes for enrollment or renewal. Here's how this high-stakes identity theft scam works and what to do if you already submitted your information.
TSA and CBP do not send renewal QR codes
The most important thing to know: the Transportation Security Administration and U.S. Customs and Border Protection never send QR codes in texts, emails, or physical mail to initiate or complete PreCheck or Global Entry renewals. Legitimate renewals are managed entirely through ttp.cbp.dhs.gov — a .gov domain you navigate to yourself. No government agency will send you a QR code and ask you to scan it to access an official enrollment portal.
This scam is particularly dangerous because of what victims willingly hand over: full legal name, date of birth, passport number, known traveler number, and payment card details. That combination is enough to commit full identity theft — far more damaging than a stolen credit card number alone.
How the scam works
Fake renewal notices by mail or email. Scammers send physical mailers or emails that look nearly identical to official CBP or TSA communications — complete with government seals and professional formatting. The notice warns that your PreCheck or Global Entry membership is expiring and includes a QR code to "complete your renewal quickly." Scanning opens a copycat enrollment site built on a non-.gov domain. The page collects your passport data and charges a fee that goes directly to the scammer.
Social media and search ads. Fraudulent ads on Facebook, Instagram, and even Google search results impersonate official enrollment service providers. They display official-looking logos and urgency language, then display a QR code or link to a fake enrollment site. These ads are particularly effective because travelers often search for PreCheck renewal help and encounter these results before the official .gov site.
Airport signage. Less common but documented: sticker QR codes placed over legitimate airport kiosk signage near trusted traveler enrollment centers, or fake flyers near Global Entry kiosks directing travelers to a fraudulent "expedited renewal" page.
This is the same core technique used in quishing attacks — embedding a QR code instead of a plain link to bypass spam filters and make the URL harder to inspect before scanning.
Red flags to spot a fake enrollment notice
- Non-.gov URL. The only legitimate sites for PreCheck and Global Entry enrollment are ttp.cbp.dhs.gov and the official TSA-authorized providers (IDEMIA at identogo.com and Telos at tsaenrollmentbyidemia.tsa.dhs.gov). Any URL behind the QR code that does not end in .gov or one of these exact domains is a scam.
- Unsolicited contact via text or email. TSA and CBP do not initiate outreach by text or email with QR codes or payment links. If you did not recently initiate a renewal on the official site, any such message is fraudulent.
- Urgent or threatening language. Phrases like "renew now to avoid losing your status" or "your PreCheck expires in 48 hours" are pressure tactics designed to make you scan before thinking. Real government notices are matter-of-fact and never threaten immediate loss of benefits.
- Fee amounts that differ from the official fee. As of 2025, the Global Entry renewal fee is $100 and TSA PreCheck renewal is $78. A site charging a different amount — or a suspiciously low "processing fee" — is not legitimate.
What to do if you submitted your information
If you only scanned and did not enter any information, your risk is low — close the page and do not return to it.
If you entered personal or financial information, act immediately:
- Contact your bank or card issuer. Report any fraudulent charges and request a chargeback. Ask for a new card number — your existing number is compromised.
- Place a credit freeze with all three bureaus. Because passport numbers and dates of birth are sufficient to open new credit accounts, a freeze at Equifax, Experian, and TransUnion is the most effective protection. One call to any bureau initiates alerts at all three; a freeze must be placed separately with each.
- File an identity theft report. Go to identitytheft.gov to create an FTC identity theft report — this document helps you dispute fraudulent accounts and is required by many banks and credit bureaus.
- Report the scam to the FTC. File at reportfraud.ftc.gov. The FTC uses these reports to pursue fraud operations.
- Verify your actual enrollment status. Navigate directly to ttp.cbp.dhs.gov — type the URL yourself, do not use any link from the suspicious message — to check your real PreCheck or Global Entry status and confirm no changes were made to your profile.
Frequently asked questions
Does TSA or CBP send QR codes for PreCheck or Global Entry renewal?
No. TSA and CBP do not send QR codes in texts, emails, or physical mailers to initiate renewals. All legitimate renewal activity happens at ttp.cbp.dhs.gov, which you navigate to yourself. Any QR code claiming to be for PreCheck or Global Entry enrollment is a scam.
What do fake TSA PreCheck or Global Entry renewal QR codes look like?
They arrive as official-looking mailers, emails, or social media ads bearing DHS or CBP branding. The QR code leads to a near-perfect copy of the real enrollment site hosted on a non-.gov domain. The page asks for your full name, date of birth, passport number, known traveler number, and payment details — all of which go to the scammer.
What should I do if I submitted personal information to a fake site?
Act immediately: contact your bank to dispute charges and get a new card, place a credit freeze at all three bureaus (Equifax, Experian, TransUnion), file an identity theft report at identitytheft.gov, and report the scam to the FTC at reportfraud.ftc.gov. Verify your actual enrollment status only at ttp.cbp.dhs.gov — typed directly into your browser.
Check any QR code before it opens
QRsafer scans a QR code and shows you whether the destination is safe before your browser loads it. Free on iOS and Android.