QR-Code Quishing Scam Impersonating Zelle
Fraudsters place fake QR codes — on stickers, fake invoices, or in community groups — that appear to link to Zelle payment requests but instead lead to phishing pages or fraudulent payment flows that drain money or harvest banking credentials.
Part of: Quishing: Physical Payment Point QR Code Scams
Last reviewed: 8 June 2026
Zelle is deeply embedded in US banking apps and is commonly used for peer-to-peer payments triggered by QR codes. This familiarity makes it a prime candidate for quishing — QR-code phishing — where a criminal replaces or overlays a legitimate QR code with one pointing to a malicious destination.
The attack appears in a range of contexts: stickers placed over legitimate QR codes at farmers' markets or garage sales where Zelle is advertised, fake invoices sent via email or text to small-business owners that include a 'scan to pay' code, and community Facebook posts or Nextdoor messages claiming a 'Zelle payment request' is waiting.
Unlike a URL you can hover over and inspect, a QR code reveals nothing until you scan it. By then, you may be on a convincing fake banking portal asking you to 'confirm your identity' before the payment clears — and your credentials are gone.
How this scam works on the Zelle brand
Real Zelle payments are initiated inside your bank's own app or the Zelle app. A payment request from a legitimate seller or friend appears as a notification inside that app after they send it using your registered phone number or email — not via a QR code you scan from a poster or invoice.
The fake-Zelle quishing scenario works like this: a victim is selling or buying through a local marketplace. The buyer or seller sends a QR code claiming it is a Zelle payment link. Scanning it opens a site that closely resembles the victim's bank's online portal. The page asks for full login credentials to 'receive' or 'release' the payment. Once submitted, the attacker uses those credentials to log into the real bank account.
A variant involves stickers placed over QR codes at physical locations that previously accepted Zelle — car boot sales, craft fairs, food stalls. The sticker looks identical to the original; the code simply points elsewhere.
Common red flags
- A seller or buyer sends you a QR code to 'receive' a Zelle payment — real Zelle payments use your registered number or email, not a code you scan
- Scanning the code opens a page that is not your actual bank's domain
- The page asks you to enter your full banking username and password before funds are 'released'
- The QR code is on a paper sticker that looks like it could have been placed over an original
- The payment message came via social media, email, or text rather than appearing inside your bank app
- The site URL includes the word 'zelle' but is not on your bank's official domain
How to protect yourself
- Initiate or accept Zelle payments only inside your bank's official app — never via a QR code sent by a stranger
- Before scanning any QR code in a payment context, look for signs of tampering such as a sticker overlay
- If you must scan a QR code, check the resulting URL carefully before entering any information
- Never enter banking credentials on a page you reached via a QR code from an external source
- Use Zelle's in-app request feature to send or receive payment requests through known contacts only
- Enable transaction notifications from your bank so you are alerted to any payment immediately
How to report it
- Report to Zelle at zellepay.com/payment-protection and notify your bank's fraud team
- File a complaint with the FTC at reportfraud.ftc.gov
- Report the phishing URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- In the UK, report to Action Fraud at actionfraud.police.uk
- If a fake QR code sticker was placed at a physical business, alert the business owner and local police
Frequently asked questions
Is there a legitimate 'Zelle QR code' I can scan to receive money?
Zelle does support a personal QR code that you generate inside your bank's app to share your payment handle. What is fraudulent is receiving a QR code from someone else claiming it will send you money — that is not how Zelle payment requests work.
How can I check if a QR code is malicious before following it?
Most phone cameras will display the URL before you open it. Read the domain carefully. If it does not exactly match your bank's known domain, do not proceed.
Can my bank reverse a Zelle payment made from a phished account?
Zelle payments are typically instant and final, and fraud recovery is not guaranteed. However, if your bank credentials were stolen and used without your authorisation, report it immediately as an unauthorised transaction — banks may have more obligation to investigate than for authorised-push-payment fraud.