Twitter / X QR Code Scam: What It Is and What to Do

You saw a QR code in an X post, a DM, or a promoted ad — possibly from an account with a verified badge — and now you're second-guessing whether it was real. Here's what these scams actually look like and exactly what to do if you already scanned.

How QR code scams spread on X

Scammers use three main approaches on X (formerly Twitter):

  1. Fake giveaway or exclusive-content posts. An account impersonating a well-known brand, celebrity, or crypto project posts a QR code promising free tokens, gift cards, or exclusive access. The QR code leads to a phishing page that harvests your login credentials or payment details. Because X now sells verified badges through its Premium subscription, these impersonator accounts frequently display a gold or blue checkmark — making them look official at a glance. The real tell is the username: scammers use lookalike handles with subtle misspellings or extra characters.
  2. DM-based account-verification scam. A message arrives in your inbox — often from a fake "X Support" or "X Safety" account — claiming your blue checkmark is at risk, your account violated a policy, or your profile needs identity verification. It instructs you to scan an attached QR code to "restore" or "confirm" your account. The QR code leads to a convincing fake X login page. Once you enter your credentials, the attacker has full access to your account and can post scam content to all your followers. This tactic is known as quishing — using a QR code instead of a link to bypass spam filters.
  3. QR codes in promoted ads. Scammers run paid ads on X for fake e-commerce storefronts, crypto investment platforms, or brand giveaways. These ads include a QR code directing users to a counterfeit site that collects payment information or login credentials. Because the ad appears in a normal feed position alongside legitimate content, many users extend it the same trust they would give an organic post.

Why verified badges don't guarantee safety

Before 2023, a blue checkmark on Twitter meant the account had been independently verified as authentic. That system changed: X now sells verified badges to anyone who pays for a Premium subscription. Scammers exploit this — a badge costs a few dollars a month and dramatically increases how trustworthy a fake account appears.

The safe habit: Before trusting any QR code on X, check the account's exact username (not just the display name), how long the account has been active, and whether the follower count and post history make sense for the organization it claims to represent. A brand with millions of customers is unlikely to have 200 followers and a three-week-old account.

Red flags to spot before you scan

  • A QR code in any DM from "X Support" or "X Safety." X communicates account issues through in-app notifications and the official email on your account — never through a DM with a QR code.
  • Urgency or account-loss threats. Phrases like "your account will be suspended in 24 hours" or "verify now to keep your checkmark" are pressure tactics meant to make you act before you think.
  • A giveaway that requires scanning a QR code to claim. Legitimate brand promotions direct you to an official website or their own app — not a QR code that opens a third-party payment or login page.
  • The URL behind the QR code isn't x.com or a recognized brand domain. A QR scanner (or QRsafer) will show you the destination URL before your browser opens it. If it isn't the official domain of the brand the account claims to represent, do not proceed.
  • An ad that asks you to pay or log in via a QR code. Legitimate X advertisers send you to their real website — they don't need a QR code detour.
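
The destination check from the fourth red flag, as an added example (not code from this site or from QRsafer): it takes the text a scanner decoded from a QR code and accepts only https links whose host is x.com or a true subdomain of it. Treating x.com as the only official domain is an assumption, and the function name and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: x.com is the only domain treated as official, as in the article.
OFFICIAL_DOMAINS = frozenset({"x.com"})


def check_qr_destination(payload, official=OFFICIAL_DOMAINS):
    """Return (is_official, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        # In https://x.com@other.example/ the real host is other.example.
        return False, "text before '@' is not the host"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "internationalised host, possible lookalike characters"
    for domain in official:
        # Exact match or a true subdomain; a bare endswith(domain) would
        # wrongly accept hosts such as notx.com.
        if host == domain or host.endswith("." + domain):
            return True, "official domain"
    for domain in official:
        if host.startswith(domain + ".") or ("." + domain + ".") in host:
            return False, "official name used as a subdomain of another site"
    return False, "not an official domain"


# Constructed sample payloads (not taken from real scams).
SAMPLES = [
    "https://x.com/settings/security",
    "https://help.x.com/",
    "https://x.com.account-verify.example/login",
    "https://x.com@account-verify.example/login",
    "https://\u0445.com/login",  # Cyrillic letter in place of Latin x
    "https://notx.com/login",
    "http://x.com/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_qr_destination(url), ascii(url))
```

Only the first two samples are accepted; each of the others is rejected with the reason that names the trick it uses.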

What to do if you already scanned

What you need to do depends on what happened after you scanned:

  1. If you entered your X username and password: Go directly to x.com in your browser (type it yourself — do not use any link) and change your password immediately. Then navigate to Settings > Security and account access > Apps and sessions and revoke any unfamiliar active sessions. Enable two-factor authentication if it isn't already on.
  2. If you reuse that password on other accounts: Change it everywhere, starting with your primary email and any financial accounts. A stolen X password is most dangerous when it unlocks other services through password reuse.
  3. If you entered credit or debit card information: Call your bank or card issuer right away to report potential fraud and request a replacement card. See our guide on QR code credit card scams for a complete checklist.
  4. If you only scanned and looked — but entered nothing: You are very likely fine. Scanning a QR code alone does not install malware or compromise your account; the risk comes from what you do after the page loads.
  5. Report the scam. Report the account or post directly on X and file a complaint at reportfraud.ftc.gov.

For the full recovery checklist, see what happens if you scan a fake QR code.

Frequently asked questions

Can a verified account on X still be a scam?

Yes. X sells verified checkmarks through its Premium subscription, so a badge is not proof that an account is authentic. Scammers pay for verification and use usernames that closely resemble real brands or celebrities. Always check the exact username — not just the display name or badge — before trusting any QR code posted on X.

I scanned a QR code in an X DM and entered my login — what should I do now?

Change your X password immediately at x.com using your browser. Go to Settings > Security and account access > Apps and sessions and revoke any sessions you don't recognize. Enable two-factor authentication. If you reused that password elsewhere, change it on those accounts too — starting with email and banking. File a report at reportfraud.ftc.gov.

I entered my credit card after scanning a QR code in an X ad — what should I do?

Call your bank or card issuer right away to report potential fraud and request a replacement card number. Monitor your statements for 30 to 60 days. File a report at reportfraud.ftc.gov and report the ad on X so the platform can remove it.

See where a QR code leads before your browser opens it

QRsafer checks the destination URL against multiple threat intelligence sources and shows you a Safe, Risky, or Dangerous verdict before anything loads. Free on iOS and Android.
