Wells Fargo QR Code Scam: What It Is and What to Do

The four ways this scam reaches Wells Fargo customers

Attackers impersonate Wells Fargo across multiple channels because Wells Fargo is one of the largest banks in the United States — a familiar name that customers are conditioned to trust and respond to quickly.

1. Smishing texts impersonating Wells Fargo fraud alerts

The most common variant arrives as a text message. It mimics a Wells Fargo fraud alert: a suspicious charge was detected, your account access has been restricted, or a large transfer is pending confirmation. A QR code is embedded — or a link to one — with instructions to "scan to confirm your identity and restore access." The QR opens a fake Wells Fargo login page that captures your username, password, and often a one-time passcode sent to your phone by the real bank.

QR codes appear in these texts because plain URLs are increasingly flagged by carrier spam filters. QR code scam text messages have become one of the fastest-growing phishing vectors for exactly this reason.

2. Fake paper mailings designed to look official

A growing number of victims receive physical letters that closely replicate Wells Fargo's branding — the red Wells Fargo stagecoach logo, matching fonts, and formal language about an account security review or a required identity verification. These letters include a QR code to "complete the process." Because the letter arrives by mail, many recipients assume it must be legitimate. The destination is a pixel-perfect Wells Fargo phishing page.

3. QR sticker swaps at Wells Fargo ATMs and branches

Scammers physically place QR code stickers over legitimate codes on ATM screens, lobby kiosks, and printed materials inside branches. A customer who scans what appears to be the bank's own code is redirected to a fake login portal. This attack works because the physical context — inside or outside a real Wells Fargo branch — creates an automatic sense of legitimacy.

4. Fake Zelle transfer confirmation QR codes

Because Wells Fargo is deeply integrated with Zelle, attackers send fake "Zelle transfer confirmation" messages to Wells Fargo customers. The message claims a Zelle payment was received or that a large outgoing transfer needs approval — scan the QR code to confirm or cancel. This variant exploits customers' familiarity with Zelle notifications. Learn more about Zelle QR code scams and how to recognize them.

What Wells Fargo will never ask you to scan

Wells Fargo does use QR codes in a narrow set of legitimate contexts: in-branch marketing, mobile app download links, and some customer-service kiosks. But the bank will never send you an unsolicited QR code asking you to:

• Verify your identity or confirm your login credentials
• Unlock, unfreeze, or restore access to your account
• Authorize, approve, or cancel a pending transaction
• Confirm a Zelle payment you didn't initiate
• Provide your Social Security Number or account PIN

If a QR code — in any format — claims to be from Wells Fargo and asks you to do any of those things, it is a scam. The real Wells Fargo directs customers to log in through the official Wells Fargo Mobile app or wellsfargo.com directly. They do not route security-sensitive actions through QR codes sent by text or mail.

This is the same principle that applies to all bank impersonation scams. For a broader look at how these attacks work across every major institution, see the bank QR code scam guide.

What to do right now

Your response depends on whether you entered any information after scanning.

If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and monitor your Wells Fargo accounts for unusual activity over the next 48 hours.

If you entered your username, password, PIN, or a one-time code, act immediately:

1. Call Wells Fargo now. Use the number on the back of your card or call 1-800-869-3557. Do not use any phone number in the suspicious message.
2. Ask them to freeze your online and mobile banking access. This prevents unauthorized transfers while you work through the remaining steps.
3. Change your Wells Fargo username and password from a clean, trusted device. Do not use the same device or Wi-Fi network you used when you scanned the code.
4. Check your account for unauthorized transactions, new payees added to Zelle, or changes to your contact information. Report anything you didn't authorize immediately.
5. Enable two-step verification on your Wells Fargo account through the app or wellsfargo.com if you haven't already.
6. Report the phishing attempt. Forward suspicious texts to 7726 (SPAM). Report phishing emails to reportphish@wellsfargo.com. File a report with the FTC at reportfraud.ftc.gov.

How to protect yourself before the next scan

The design of a fake Wells Fargo login page is nearly indistinguishable from the real one. What exposes the scam is the URL — not the visual design.

• Use QRsafer to check the destination first. QRsafer analyzes the URL a QR code encodes and flags phishing domains, lookalikes, and malicious redirects before your browser loads anything. A fake Wells Fargo login page will not clear a threat check.
• Verify the domain before entering credentials. The real Wells Fargo domain is wellsfargo.com — nothing else. Attackers use variants like wellsfargo-secure.com, wellsf4rgo.com, or verification-wellsfargo.net. Always check the full URL bar before typing a single character.
• Treat urgency as a red flag. Legitimate banks give you time to act through official channels. Any message — text, email, or letter — that demands you scan a QR code immediately to avoid account suspension is using urgency as a manipulation tactic.
• Call the bank to verify before you scan. If you receive any communication with a QR code claiming to be from Wells Fargo, call 1-800-869-3557 and ask if they sent it. This one step eliminates the scam entirely.

Frequently asked questions