Phishing Scams on WeChat
WeChat's ecosystem of mini-programs, QR codes, and Official Accounts gives phishers multiple entry points to steal credentials and WeChat Pay balances.
Part of: Phishing
Last reviewed: 1 June 2026
WeChat functions as a super-app — messaging, payments, shopping, and business services all within one platform. This breadth of functionality means phishers can impersonate an Official Account for a bank, a delivery service, or a government agency, and victims may have no reason to distrust a message that arrives inside an app they use for everything.
QR code phishing is a distinct WeChat risk: malicious QR codes shared in group chats or printed materials redirect to credential-harvesting pages, or silently authorise third-party login to a victim's WeChat account.
How this scam works on WeChat
Phishers create WeChat Official Accounts with names and logos mimicking banks, courier services, or government services. They send bulk messages claiming account verification is required, with a link to a spoofed web page that captures credentials and payment details.
In group chats, phishers post QR codes that appear to link to payment requests, red-packet promotions, or mini-program invitations. Scanning the code either directs to a phishing page or grants the attacker OAuth access to the victim's WeChat account.
Moments (WeChat's social feed) is used to spread fake lottery wins, celebrity investment endorsements, and health product scams that funnel victims to external phishing sites via a convincing promotional image.
Common red flags
- Official Account message demanding urgent account verification with a link
- QR code shared in a group chat promising a red packet or cash reward
- Message asking you to log in to an external site using your WeChat credentials
- Moments post by an unfamiliar contact promoting an investment or lottery win
- Mini-program requesting access to payment information beyond its stated purpose
- Any link that redirects away from a .wechat.com or official partner domain
How to protect yourself
- Only scan QR codes from sources you completely trust — treat stranger QR codes as suspicious
- Verify Official Accounts by checking for the blue certification tick before interacting
- Enable WeChat Pay's additional PIN and spending limits
- Do not log in to external sites via WeChat unless you have independently verified the site
- Check your WeChat account's linked devices regularly and remove any you do not recognise
How to report it
- Report the suspicious Official Account or user via the three-dot menu in the conversation
- Report to WeChat's security team via the in-app feedback channel
- Report financial losses to your local police cybercrime unit
Frequently asked questions
How do fake WeChat QR codes steal money or credentials?
Scammers place fraudulent QR codes over legitimate ones that redirect to phishing pages or trigger unauthorized WeChat Pay transactions when scanned. Always check that a QR code hasn't been visibly tampered with or pasted over the original, and verify payment amounts before confirming.
I entered my WeChat Pay details on a fake Official Account page — what should I do?
Change your WeChat password immediately and check your WeChat Pay transaction history for unauthorized charges, contacting your linked bank if you find any. Report the fake Official Account to WeChat through its in-app reporting tool.
How can I tell a real WeChat Official Account from a phishing clone?
Verified Official Accounts display a verification badge and consistent follower history — check this before trusting a payment or login request, and be suspicious of accounts with a name nearly identical to a well-known brand but slight spelling differences. Navigate to sensitive pages through the account's official menu rather than links shared in chat.
Is WeChat Pay safe from phishing?
WeChat Pay itself uses strong encryption, but phishers do not attack the payment system directly — they trick you into entering your credentials on fake pages or authorising malicious mini-programs. Protecting your WeChat login is the key defence.