USAA QR Code Scam: What It Is and What to Do

How the USAA QR code scam works

USAA is one of the most-impersonated financial brands targeting the military community. Its members — active duty service members, veterans, and their families — are high-value targets because USAA manages banking, insurance, and investments all in one place. Scammers exploit the brand's deep trust through four main variants:

• Smishing texts impersonating fraud alerts: A text arrives with USAA's branding and language like “A suspicious transaction has been flagged on your USAA account. Scan the code below to verify your identity or your card will be suspended.” The QR code leads to a pixel-perfect USAA login clone. This is a well-documented QR code scam text message pattern.
• Fake member-appreciation or military-discount QR codes: Emails or flyers at or near military installations offer “exclusive USAA member appreciation rewards” or “military discount activation” via a QR code. The code leads to a harvesting page requesting USAA login credentials and payment details to “claim” the offer.
• ATM sticker scams near military installations: Fraudulent QR code stickers are placed over legitimate codes on ATMs near bases and military housing areas — locations with a high concentration of USAA cardholders. Victims scanning them land on a credential-harvesting login page. See the full guide to ATM QR code scams for more.
• Fake “new app setup” or account-migration QR codes: Service members during a PCS (Permanent Change of Station) move are especially vulnerable — they're actively managing their finances across locations and may expect communications from USAA. Scammers send fake “mandatory account migration” or “new app setup” QR codes timed to appear during moves or deployments, harvesting login credentials when the victim's guard is lowest.

Scammers use QR codes instead of plain links because QR codes bypass email security filters that would catch a suspicious URL — and they push you onto your phone, where the fake login page fills the screen and the address bar is easy to miss. This technique is called quishing, and it is rising because mobile browsers make URLs harder to inspect.

What USAA actually does — and never does — with QR codes

USAA does use QR codes in limited, controlled ways:

• Inside the USAA Mobile App itself for certain features
• Controlled marketing materials linking to specific USAA product pages
• Promotional events run directly by USAA at official venues

USAA will never send you a QR code to:

• Verify your identity or log you into your account
• Respond to a fraud alert or confirm a suspicious transaction
• Unlock a restricted or suspended account
• Set up or migrate to a new app version
• Claim a member benefit, discount, or reward

Every legitimate USAA security action happens inside the USAA Mobile App or at usaa.com — not through an unsolicited QR code in a text, email, or physical mailer. If a code claims to require your credentials to fix something urgent, that urgency is the scam.

For more context on how bank QR code scams work across all financial institutions, see our full guide.

What to do right now

Your response depends on what you did after scanning.

If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your USAA accounts closely for the next 48 hours.

If you entered your login credentials, card number, or a one-time passcode, act immediately:

1. Call USAA fraud support now. The number is 1-800-531-8722. Do not use any phone number provided in the suspicious message.
2. Ask them to freeze your online banking access. This blocks the attacker from draining your account or making transfers while you work through recovery.
3. Change your USAA password and PIN from a trusted device on a trusted network — not the device or connection you used when you scanned the code.
4. Enable login notifications in the USAA Mobile App security settings so every future login triggers an alert to your phone.
5. Review recent transactions for any charges, transfers, or payee additions you didn't authorize. Report each one to USAA as unauthorized.
6. File a report with the FTC at reportfraud.ftc.gov and with the CFPB at consumerfinance.gov/complaint.

For a complete recovery checklist that covers every type of financial QR scam, what to do if you scanned a suspicious QR code walks through each step in order.

How to protect yourself before you scan

The scam works because the fake USAA page looks right. You can't rely on design — you need to check the URL before your browser opens anything.

• Scan with QRsafer first. It analyzes the destination URL against threat intelligence sources and returns a verdict before your browser loads anything. A cloned USAA login page will not pass a threat check.
• Verify the domain before entering anything. USAA's real domain is always usaa.com — nothing else. Attackers use lookalikes like usaa-secure-verify.com or usaa-fraud-alert.net. Check the full URL, not just the page design.
• Never log in to USAA through a QR code. If a code claims to require your banking credentials, open the USAA Mobile App directly instead. Ten extra seconds is worth it.
• Call USAA to verify unexpected messages. Got a text or mailer with a QR code from USAA? Call 1-800-531-8722 and ask if they sent it. If they didn't, you just avoided the scam entirely.

For a broader guide to identifying suspicious codes in real time, how to spot a malicious QR code before you scan covers visual and contextual signals across every type of QR scam.

Frequently asked questions