Phishing Scams on WeChat
WeChat's ecosystem of mini-programs, QR codes, and Official Accounts gives phishers multiple entry points to steal credentials and WeChat Pay balances.
Last reviewed: 1 June 2026
WeChat functions as a super-app — messaging, payments, shopping, and business services all within one platform. This breadth of functionality means phishers can impersonate an Official Account for a bank, a delivery service, or a government agency, and victims may have no reason to distrust a message that arrives inside an app they use for everything.
QR code phishing is a distinct WeChat risk: malicious QR codes shared in group chats or printed materials redirect to credential-harvesting pages, or silently authorise third-party login to a victim's WeChat account.
How this scam works on WeChat
Phishers create WeChat Official Accounts with names and logos mimicking banks, courier services, or government services. They send bulk messages claiming account verification is required, with a link to a spoofed web page that captures credentials and payment details.
In group chats, phishers post QR codes that appear to link to payment requests, red-packet promotions, or mini-program invitations. Scanning the code either directs to a phishing page or grants the attacker OAuth access to the victim's WeChat account.
Moments (WeChat's social feed) is used to spread fake lottery wins, celebrity investment endorsements, and health product scams that funnel victims to external phishing sites via a convincing promotional image.
Common red flags
- Official Account message demanding urgent account verification with a link
- QR code shared in a group chat promising a red packet or cash reward
- Message asking you to log in to an external site using your WeChat credentials
- Moments post by an unfamiliar contact promoting an investment or lottery win
- Mini-program requesting access to payment information beyond its stated purpose
- Any link that redirects away from a .wechat.com or official partner domain
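The last red flag can be checked mechanically once a QR code or message link has been decoded to text. The sketch below is an added example, not code from WeChat or from this page: `link_verdict`, `TRUSTED_DOMAINS` and every sample URL are constructed for illustration, and only `wechat.com` is taken from the page. It goes slightly beyond the text by also rejecting two common lookalike forms, userinfo before an `@` and punycode hostnames.

```python
from urllib.parse import urlsplit

# Assumption: only ".wechat.com" is named on the page. Partner domains are not
# listed there, so append ones you have verified yourself.
TRUSTED_DOMAINS = ("wechat.com",)


def link_verdict(payload: str) -> str:
    """Classify a decoded QR-code or message link by its real hostname."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname  # lower-cased; userinfo and port stripped
    except ValueError:
        return "reject: malformed URL"
    if parts.scheme != "https":
        return "reject: not an https link"
    if not host:
        return "reject: no hostname"
    if parts.username is not None or parts.password is not None:
        # "https://wechat.com@other.host/" shows a trusted name before the "@"
        return "reject: userinfo in URL"
    try:
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return "reject: hostname not valid IDNA"
    if "xn--" in host:
        return "reject: punycode hostname (possible lookalike)"
    for domain in TRUSTED_DOMAINS:
        # Match the whole domain or a dot-separated subdomain, never a substring.
        if host == domain or host.endswith("." + domain):
            return "ok: host is under " + domain
    return "reject: host " + host + " is outside the trusted list"


# Constructed sample payloads, as they might come out of a QR decoder.
SAMPLES = [
    "https://help.wechat.com/",
    "https://wechat.com.account-check.example/login",
    "https://securewechat.com/pay",
    "https://wechat.com@login.example.net/verify",
    "http://pay.wechat.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:50} {link_verdict(url)}")
```

The verdict covers the link as written; a page on an accepted host can still redirect elsewhere, so the final address shown in the browser needs the same check.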
How to protect yourself
- Only scan QR codes from sources you completely trust; treat QR codes from strangers as suspicious
- Verify Official Accounts by checking for the blue certification tick before interacting
- Enable WeChat Pay's additional PIN and spending limits
- Do not log in to external sites via WeChat unless you have independently verified the site
- Check your WeChat account's linked devices regularly and remove any you do not recognise
How to report it
- Report the suspicious Official Account or user via the three-dot menu in the conversation
- Report to WeChat's security team via the in-app feedback channel
- Report financial losses to your local police cybercrime unit
Frequently asked questions
Is WeChat Pay safe from phishing?
WeChat Pay itself uses strong encryption, but phishers do not attack the payment system directly — they trick you into entering your credentials on fake pages or authorising malicious mini-programs. Protecting your WeChat login is the key defence.