Fake WhatsApp QR Code Account Hijack Scam
Scammers share malicious QR codes in emails, printed materials, or WhatsApp messages that mimic WhatsApp's legitimate 'Linked Devices' QR code process to silently hijack a victim's WhatsApp account.
Last reviewed: 8 June 2026
WhatsApp allows users to connect their account to additional devices — including WhatsApp Web — by scanning a QR code displayed at web.whatsapp.com. This is a genuine and widely used feature. Criminals exploit familiarity with this QR-based linking process to trick victims into scanning a QR code that authorises a new device belonging to the attacker.
The scam QR code may arrive as a printed flyer claiming to be a WhatsApp promotion, in an email that mimics a WhatsApp notification, or even within a WhatsApp message from a contact whose account has already been compromised. Because users have been trained to scan QR codes to link devices, the action feels routine.
Once the code is scanned, the attacker's device is added as a linked device. This gives the attacker read access to the victim's ongoing chats and contact list, and the ability to send messages that appear to come from the victim's account.
How this scam works on the WhatsApp brand
WhatsApp's real QR-code linking flow is accessed only from web.whatsapp.com or from the WhatsApp Desktop application. You initiate the process yourself by going to WhatsApp on your phone > Linked Devices > Link a Device. No external prompt, email, or message from WhatsApp ever instructs you to scan a QR code.
The scam creates a sense of necessity around scanning. A printed QR code on a poster might claim it is needed to 'verify your WhatsApp number after a system update'. An email version might say your account needs re-verification by scanning the enclosed code. A message from a compromised contact might say the code unlocks a group invite or special feature.
When the victim opens WhatsApp > Linked Devices > Link a Device and scans the fake QR code, they are unknowingly authorising the attacker's device. The attacker then has a live mirror of the WhatsApp account.
Common red flags
- An email, printed material, or WhatsApp message instructs you to scan a QR code to verify, update, or access your WhatsApp account.
- WhatsApp never sends emails or messages asking you to scan QR codes — the linked device process is always self-initiated in the app.
- A new linked device appears in your WhatsApp settings that you did not add.
- Contacts report receiving unexpected messages from you that you did not send.
- The QR code appears in an unsolicited context — a poster, a cold email, or a message from someone you rarely talk to.
- The message creates urgency: 'Scan within 24 hours or your WhatsApp account will be deactivated.'
How to protect yourself
- Regularly review your linked devices at WhatsApp > Settings > Linked Devices and remove any you do not recognise.
- Only scan WhatsApp QR codes when you have personally navigated to web.whatsapp.com or opened the WhatsApp Desktop app yourself.
- Enable WhatsApp two-step verification at Settings > Account > Two-step verification to add a PIN layer.
- If an unknown device appears in your Linked Devices list, tap it and select 'Log out' immediately.
- Treat any external prompt to scan a WhatsApp QR code — via email, poster, or DM — as a scam.
- Alert your contacts if your account was compromised, so they do not respond to messages sent by the attacker.
How to report it
- Report the scam message or email to WhatsApp at whatsapp.com/contact/forms — select 'Report a scam or spam'.
- If your account was compromised via QR hijack, report it to Action Fraud at actionfraud.police.uk (UK) or to the FTC at ReportFraud.ftc.gov (US).
- Forward the phishing email to the sender's email provider's abuse address.
- Warn your contacts by posting a public message from a secure channel so they know to ignore unusual messages from your WhatsApp.
Frequently asked questions
Can scanning a QR code in WhatsApp give an attacker access to my account?
Yes, if you scan it through the 'Link a Device' function in WhatsApp. The QR code generated by the attacker at web.whatsapp.com on their device authorises their browser or computer as a linked device on your account, giving them read access to your chats.
How do I remove a hijacked linked device from my WhatsApp?
Go to WhatsApp > Settings > Linked Devices, tap the unfamiliar device, and select 'Log out'. This immediately revokes the attacker's access. Then enable two-step verification if you have not already done so.
Does removing the linked device undo any messages the attacker sent?
Removing the device stops future access, but messages already sent by the attacker cannot be unsent by you unless your recipients delete them. Alert your contacts about the compromise so they know to disregard suspicious messages.