Phishing on WeChat
Phishing attacks on WeChat steal account credentials, WeChat Pay details, and linked bank information through malicious mini-programs, fake login pages, and impersonation of official service accounts.
Part of: Phishing
Last reviewed: 1 June 2026
WeChat phishing is particularly dangerous because the platform is deeply integrated with payments, identity verification, and everyday commerce. A compromised WeChat account can expose bank details, ID documents, and transaction history stored or linked through the platform.
Fraudsters exploit WeChat's Official Account and mini-program ecosystem to create convincing impersonations of government services, banks, and popular brands.
How this scam works on WeChat
Fake Official Accounts impersonating government agencies, banks, or popular services send mass messages alerting users to account anomalies, pending deliveries, or required updates, with links to convincing phishing pages that harvest WeChat credentials or bank details.
Malicious mini-programs mimic legitimate services — delivery tracking, healthcare bookings, or utility payments — and request WeChat login or payment authorisation during the interaction, which is captured by the fraudster.
QR code phishing distributes codes in public spaces or via messages that, when scanned, open a fake WeChat login page or trigger an automatic payment authorisation request.
Common red flags
- Official Account message creating urgency about account suspension or package delivery
- Mini-program requesting WeChat login when you did not initiate a transaction
- QR code from an unfamiliar source requiring WeChat scan
- Payment confirmation request arriving without you initiating a purchase
- URL in a WeChat message that does not match the official brand domain
- Message referencing personal details in a way that seems designed to establish false trust
How to protect yourself
- Verify official communications by accessing the service directly through its official mini-program or website
- Enable WeChat Pay's payment password and biometric confirmation
- Be sceptical of QR codes in physical spaces or sent unsolicited via messages
- Review linked bank accounts and payment permissions in WeChat settings regularly
- Enable login notifications so you are alerted to unexpected account access
How to report it
- Report the phishing account or mini-program via WeChat's in-app complaint function
- Report to the relevant bank if payment credentials were compromised
- File a report with your national cybercrime authority if financial loss occurred
Frequently asked questions
How can I tell a real WeChat Official Account from a fake one?
Verified Official Accounts display a blue verification tick. Check the account's verification details by tapping the account name — genuine government or financial service accounts are registered under the institution's official legal name.