QR Code Scam UK: How to Spot and Avoid Fake QR Codes
A simple scan of a QR code could hand criminals your bank details, passwords, or install spyware on your phone—but you can protect yourself by learning the warning signs.
What is this scam?
A QR code scam uses a fake QR code to trick you into visiting a malicious website, downloading malware, or sending money to criminals. The scammer creates a QR code that looks legitimate and places it somewhere you'll find it—in an email, text message, on a poster, or even stuck over a genuine QR code at a shop or restaurant. When you scan it with your phone's camera, instead of going to the real website or service, you're redirected to a fake page designed to steal your login details, bank information, or credit card data.
Some scams go further and trick you into downloading an app that looks genuine but is actually malware designed to monitor everything you do on your phone. Unlike text-based links, QR codes are harder for people to read before scanning, making them particularly dangerous. The scam works because most of us trust QR codes and don't check where they're taking us.
Warning signs to look for
- QR codes placed over or near legitimate ones—check if a code has been stuck on top of a genuine poster, parking sign, or till receipt.
- Unexpected QR codes in emails or texts asking you to verify account details, confirm a delivery, or claim a prize.
- QR codes in unsolicited messages from 'banks', courier companies, or payment services you don't use.
- The URL or landing page looks slightly wrong—poor spelling, odd domain names like 'santander-verify.tk' instead of santander.co.uk.
- You're asked to log in, enter card details, or download an app immediately after scanning.
- QR codes in public places (bus stops, phone boxes, streets) offering free WiFi, discounts, or urgent messages.
- The QR code looks pixelated, blurry, or poorly printed—genuine business codes are always clear and professional.
How this scam works step by step
First, the scammer creates a QR code using a free online QR code generator. They point it towards a fake website designed to look like a legitimate business—a bank, delivery company, or payment service. The scammer then distributes the code as widely as possible. They might email it claiming your account has been locked, text it saying a parcel is ready for collection, or physically place it over a genuine QR code at a public location. When you scan the code using your phone's camera or a QR scanning app, it automatically opens the fake website in your browser.
The page looks convincing and asks you to log in, verify your identity, or enter personal information. If you comply, your username, password, or bank details are sent directly to the scammer. In more sophisticated scams, scanning the QR code triggers an automatic download of malware disguised as a legitimate app. This malware can steal your banking credentials, intercept text messages containing security codes, or allow the criminal to monitor your phone remotely. Within hours, money can be transferred from your account without your knowledge.
How to verify if it is genuine
Before scanning any QR code, pause and ask yourself: Did I expect this? If it's unexpected, don't scan it. For codes in emails or texts, never scan them. Instead, go directly to the official website by typing the URL into your browser or calling the organisation's publicly listed phone number. Check if the QR code looks professional—genuine business codes are always clear and cleanly printed. For delivery QR codes, contact the courier directly using the phone number on their official website, not any number provided in the message.
If you're unsure whether a website is real, use our guide on spotting fake websites at Is This Website a Scam? A Practical Checklist Before You Buy. Look for 'https://' in the address bar and a padlock icon—though scammers sometimes fake these. Ask yourself: would a real bank or delivery company send a QR code asking you to log in? Legitimate organisations almost never use QR codes for urgent security matters. When in doubt, contact the organisation directly using a phone number you find independently, never from the message containing the QR code.
What to do if you have already interacted
Act quickly. If you scanned a QR code and entered any login details or card information, you need to protect your accounts immediately. First, change the password for any account you entered details for—do this from a different device if possible. Contact your bank straight away on the number on the back of your card (not any number from the message) and explain what happened. Ask them to freeze your account and watch for suspicious transactions. If you entered card details, request a replacement card.
Check if you've downloaded any apps from the link—go to your phone's Settings, check Recently Installed Apps, and delete anything unfamiliar. Run a malware scan using a reputable antivirus app like Malwarebytes. Enable two-factor authentication on all your important accounts if you haven't already. If money has been taken from your account, your bank may be able to reverse the transaction if you report it within a few hours. Keep a record of everything you've done and the timeline of when you clicked the link.
Reporting this scam in the UK
Report QR code scams to Action Fraud, the UK's national fraud reporting service. You can report online at actionfraud.police.uk or call 0300 123 2040. They'll record the scam and help trace the criminals behind it. If the QR code was sent via email, report it to the NCSC Suspicious Email Reporting Service at report@phishing.gov.uk—this helps stop the emails reaching other people. If it arrived by text message, forward it to 7726 (spells SPAM). Your mobile network will investigate and block the sender. Report the fake website to the NCSC using their online form at ncsc.gov.uk/report.
If you've lost money, contact your bank immediately as they have specialist fraud teams who can sometimes recover funds if you act quickly. You can also contact Citizens Advice consumer helpline on 0808 223 1133 for free advice on what to do next. Keep all evidence—screenshots, the original message, and notes about what happened—as this helps investigators trace the scam. Don't delete anything, even if you feel embarrassed about falling for it.
Frequently asked questions
Are all QR codes dangerous? Is every QR code a scam?
No—most QR codes are completely safe. Legitimate businesses, restaurants, and services use QR codes daily to share WiFi, menus, and payment options. The key is context. A QR code on a professional printed menu in a restaurant is almost certainly genuine. An unexpected QR code in an email claiming your bank account is locked is almost certainly fake. Always use common sense: if a QR code arrives unexpectedly or asks you to do something urgent like verify your identity, it's likely a scam.
What should I do if I already sent money after scanning a QR code?
Contact your bank immediately on the number on the back of your card—don't wait. Tell them exactly what happened and when. Ask them to freeze your account and investigate the transaction. Your bank may be able to reverse the transfer or block payment if you act within a few hours. Also report the scam to Action Fraud on 0300 123 2040 so the police can investigate. The faster you act, the better your chances of recovering the money.
Can scanning a QR code infect my phone with a virus just by opening it?
Scanning a QR code itself won't automatically infect your phone—it just opens a web link. However, the fake website it takes you to can try to trick you into downloading malware by pretending to be a legitimate app. The danger comes if you then download and install an app from that page. To stay safe, never download apps from websites that appeared after scanning a QR code. Only download apps from the official App Store or Google Play Store.
How do I report a QR code scam I've found in a public place?
Take a photo of the QR code without scanning it, note the exact location (street name, shop, etc.), and report it to Action Fraud at actionfraud.police.uk or 0300 123 2040. If it's a sticker placed over a genuine code, report it to the business or organisation that owns the original code so they can remove it. For codes in your local area, you can also report it to your local police non-emergency line on 101. The quicker these codes are reported, the sooner they can be removed and others protected.