U.S. Bank QR Code Scam: What It Is and What to Do

The four ways this scam reaches U.S. Bank customers

Scammers impersonate U.S. Bank because it is one of the top-10 largest banks in the United States — a trusted name that customers respond to quickly, especially when the message hints at account trouble or a reward that's about to expire.

1. Smishing texts impersonating U.S. Bank security alerts

The most common variant arrives as a text message mimicking a U.S. Bank fraud alert: a suspicious charge was detected, your account has been restricted, or a large transfer needs your approval. A QR code is embedded with instructions to "scan to confirm your identity and restore access." The code opens a fake U.S. Bank login page that captures your username, password, and often the one-time passcode that the real bank sends to your phone. QR codes appear in these texts because plain URLs are increasingly caught by carrier spam filters. QR code scam text messages have become one of the fastest-growing phishing vectors for exactly this reason.

2. Fake U.S. Bank Altitude or FlexPerks reward QR codes

U.S. Bank cardholders frequently receive emails or direct-mail pieces claiming they have unclaimed Altitude Reserve or FlexPerks points that are about to expire. A QR code is included to "activate your bonus" or "redeem your reward now." These pages look nearly identical to the real U.S. Bank rewards portal and are designed to harvest login credentials or payment card details under the guise of confirming identity for redemption. Reward phishing is especially effective because the offer feels positive rather than threatening.

3. QR sticker swaps on U.S. Bank ATMs and branch materials

Scammers physically place QR code stickers over legitimate codes on U.S. Bank ATM screens, lobby kiosks, and printed branch materials. A customer who scans what looks like the bank's own code is redirected to a fake login portal. This attack works because the physical context — at or inside a real U.S. Bank branch — creates an automatic sense of legitimacy. If a QR code at a bank location looks like it was applied with a sticker rather than printed directly on the surface, do not scan it.

4. Fake "mandatory online banking update" emails

A growing variant uses email with convincing U.S. Bank branding — the bank's red-and-white logo, matching fonts, and official-sounding language — to claim that customers must "re-enroll in online banking" or "complete a mandatory security update" by scanning a QR code. These messages typically include a deadline to create urgency. The destination is a phishing page designed to steal login credentials and sometimes trigger a fake two-factor authentication flow to capture the real OTP.

What U.S. Bank will never ask you to scan

U.S. Bank uses QR codes in limited, low-risk contexts: in-branch marketing, mobile app download links, and some customer-service materials. The bank will never send you an unsolicited QR code asking you to:

• Verify your identity or confirm your login credentials
• Unlock, unfreeze, or restore access to your account
• Authorize, approve, or cancel a pending transaction
• Activate or redeem Altitude Reserve or FlexPerks points
• Re-enroll in online banking or complete a security update
• Provide your Social Security Number, account PIN, or one-time passcode

If a QR code — in any format — claims to be from U.S. Bank and asks you to do any of those things, it is a scam. The real U.S. Bank directs customers to log in through the official U.S. Bank Mobile App or usbank.com directly. For a broader look at how these attacks work across every major institution, see the bank QR code scam guide.

What to do right now

Your response depends on whether you entered any information after scanning.

If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your U.S. Bank accounts for unusual activity over the next 48 hours.

If you entered your username, password, PIN, or a one-time code, act immediately:

1. Call U.S. Bank fraud now. Use the number on the back of your card or call 1-877-595-6256. Do not use any phone number in the suspicious message.
2. Ask them to freeze your online and mobile banking access. This prevents unauthorized transfers while you work through the remaining steps.
3. Change your U.S. Bank username and password from a clean, trusted device — not the same device or Wi-Fi network you used when you scanned the code.
4. Review your account for unauthorized transactions, new payees, or changes to your contact information. Report anything you didn't authorize immediately.
5. Enable two-step verification on your U.S. Bank account through the app or usbank.com if you haven't already.
6. Report the phishing attempt. Forward suspicious texts to 7726 (SPAM). Report phishing emails to fraud_help@usbank.com. File a report with the FTC at reportfraud.ftc.gov.

How to protect yourself before the next scan

A fake U.S. Bank login page is designed to be visually indistinguishable from the real one. What exposes the scam is the URL — not the design.

• Use QRsafer to check the destination first. QRsafer analyzes the URL a QR code encodes and flags phishing domains, lookalikes, and malicious redirects before your browser loads anything. A fake U.S. Bank login page will not clear a threat check.
• Verify the domain before entering credentials. The real U.S. Bank domain is usbank.com — nothing else. Attackers use variants like usbank-secure.com, usb4nk.com, or verification-usbank.net. Always check the full URL bar before typing a single character.
• Treat urgency as a red flag. Legitimate banks give you time to act through official channels. Any message that demands you scan a QR code immediately to avoid account suspension or forfeit a reward is using urgency as a manipulation tactic.
• Call the bank to verify before you scan. If you receive any communication with a QR code claiming to be from U.S. Bank, call 1-877-595-6256 and ask if they sent it. This one step eliminates the scam entirely.

Frequently asked questions