QR Code Scams on Instagram
Scammers share QR codes in Instagram posts, stories, and DMs that lead to phishing pages or malware, concealing the destination behind a scannable image.
Part of: QR-Code Scams (Quishing)
Last reviewed: 1 June 2026
Instagram's visual format makes QR codes feel native: a code in a story, a post, or a DM looks like a normal call to action. The image hides its destination, and scanning moves you to a browser where the real intent unfolds.
Instagram is a neutral platform; the danger is the concealed link. Scammers use QR codes in giveaway posts, 'verification' DMs, and shop promotions because the code evades the inspection a visible link invites and exploits the habit of scanning for rewards.
How this scam works on Instagram
A post, story, or DM presents a QR code to claim a prize, verify an account, access an exclusive drop, or pay for an item. You are nudged to scan it with your phone.
Scanning opens a phishing page imitating a login or checkout screen that captures your credentials or card details, or it triggers a malicious download. Hacked or impersonating accounts make the code appear to come from a trusted source.
The reward lure and the convenience of scanning are designed to bypass the caution you would apply to a typed link.
Common red flags
- An Instagram post, story, or DM presents a QR code to scan for a reward or login
- The code's destination is hidden behind the image
- You are promised a prize, exclusive access, or verification for scanning
- Scanning opens a login or checkout page requesting your details
- The code came from an unfamiliar or possibly hacked account
- You are urged to scan before a limited 'offer' ends
How to protect yourself
- Do not scan QR codes from Instagram posts, stories, or DMs
- Reach services by typing their official address rather than scanning
- Preview a code's URL before opening it if your scanner allows
- Never enter credentials or payment details on a page reached from a scanned code
- Verify separately if a code appears to come from someone you know
- Report and block the account within Instagram
How to report it
- Use Instagram's 'Report' option on the post, story, or DM
- Report the impersonation to the brand being spoofed via its official site
- File a report with your national fraud or cybercrime reporting centre
Frequently asked questions
An Instagram DM sent me a QR code to verify my account — is it real?
Treat it as suspect. Platforms do not verify accounts via a QR code sent in a DM. Scanning may open a phishing page that steals your login. Reach account settings by typing the official address yourself.