QR Code Scams on WhatsApp
Fraudsters send WhatsApp QR codes disguised as payment confirmations, parcel barcodes, or loyalty reward vouchers that redirect victims to phishing pages when scanned.
Part of: QR-Code Scams (Quishing)
Last reviewed: 1 June 2026
QR codes sent via WhatsApp exploit the trust recipients place in messages from known contacts or official-looking WhatsApp Business accounts. A QR code arriving alongside a familiar brand message appears legitimate, especially if the surrounding message text mimics a transaction confirmation or reward notification the victim was expecting.
Because the destination URL is hidden within the code's visual pattern, the recipient cannot easily identify where the scan will lead before committing to it.
How this scam works on WhatsApp
A WhatsApp message from a contact — whose account may have been compromised — or from a WhatsApp Business number styled as a retailer or bank shares a QR code described as a receipt, loyalty reward, or delivery tracking barcode. Scanning the code opens a phishing site requesting login credentials, card details, or directs the victim to a payment screen.
Some scammers time QR code distribution to follow up a legitimate purchase notification — the victim has just bought something and receives a 'receipt QR code' that actually harvests their card details again under the guise of confirming the order.
In peer-to-peer payment scams, a fake buyer sends a QR code claimed to represent a payment, but which instead initiates a withdrawal from the victim's mobile payment account when scanned.
Common red flags
- WhatsApp message from a contact or business including a QR code requesting a scan for verification or payment
- QR code framed as a receipt or tracking barcode for a recent transaction
- Payment QR code sent by a buyer in a marketplace transaction
- Destination URL visible after scanning that does not match the expected organisation's domain
- Request to scan again if the first scan did not 'register' — designed to get a second transaction
How to protect yourself
- Check the URL displayed after scanning a QR code before proceeding to the page
- Use legitimate payment apps' own QR generation features rather than accepting QR codes from buyers
- Verify any QR code from a WhatsApp Business account by checking the brand's official website for the same functionality
- Never scan a QR code to 'receive' a payment — payment QR codes initiate payments from the scanner, not to them
- Block and report the WhatsApp number immediately if a QR code led to an unexpected page
How to report it
- Report the WhatsApp message or number using the in-app 'Report' function
- Report any phishing URL to your national cybercrime authority
- Contact your bank immediately if card details were entered on a page reached via a QR scan
Frequently asked questions
Can scanning a WhatsApp QR code charge my bank account without me entering details?
Not through a standard browser page — a phishing page still requires you to enter card details. However, mobile payment app QR codes can initiate transactions when scanned without requiring additional card entry. Never scan a payment QR code received from an unknown party or buyer.