QR Code Quishing Targeting Home Depot Shoppers
Fraudsters place counterfeit QR stickers on Home Depot in-store signage, paint-mixing stations, and pro-desk literature to redirect tradespeople and DIYers to phishing pages that harvest card numbers or Pro Xtra account credentials.
Part of: Quishing: Physical Payment Point QR Code Scams
Last reviewed: 8 June 2026
Home Depot increasingly uses QR codes to connect customers with product guides, installation videos, and Pro Xtra loyalty offers. Pro Xtra members — professional contractors who spend heavily and accumulate significant purchase-based rewards — are an especially attractive target for criminals because their accounts hold larger balances and their purchases involve frequent large transactions that may take longer to scrutinise.
Quishing attacks at Home Depot typically exploit the self-service culture of the store: customers are accustomed to scanning codes on shelf labels to get more product information, or scanning Pro Xtra QR codes at checkout. A criminal who places a fraudulent sticker in a high-traffic aisle or at a pro desk literature stand intercepts customers at a moment when they are in active purchasing mode and not expecting deception.
The payoff for a successful attack is access to a Pro Xtra account with accumulated reward dollars, stored payment cards for large purchases, and business identity information that can enable further fraud.
How this scam works on the Home Depot brand
A scammer enters a Home Depot store and places small fake QR stickers on Pro Xtra sign-up materials, in-aisle project-inspiration cards, or near paint-desk instruction sheets. The fake code is styled to match Home Depot's orange brand palette.
When scanned, the code links to a page that mimics homedepot.com and asks the visitor to log in to their Pro Xtra account or enter card details for a promotion. Credentials and card numbers entered here are captured by the attacker. Pro Xtra reward dollars can then be drained through online purchases shipped to a mule address.
Some campaigns are more specific: a fake QR sticker near the appliance section advertises extended financing that is available only by scanning. Customers interested in a large purchase who scan and enter their details lose payment card information rather than receiving a discount.
Common red flags
- A QR sticker appears to be placed over an existing printed code with slightly raised edges or different paper quality
- Scanning the code opens a URL whose domain is not homedepot.com
- The page asks for your Pro Xtra login or payment card details rather than presenting product information
- A sign promises a special discount or financing offer exclusively via QR code scan, without any official printed Home Depot promotion number
- The page design looks slightly inconsistent with the genuine Home Depot website — wrong orange shade, different fonts, or missing standard navigation
- The page requests information that Home Depot's standard checkout or loyalty sign-up would not normally ask for at that point
How to protect yourself
- Inspect in-store QR codes visually before scanning, looking for stickers placed over existing printed codes
- If a scanned code opens a non-homedepot.com URL, close it immediately without entering any data
- Use the Home Depot app for Pro Xtra access and loyalty scanning rather than relying on printed QR codes in store
- Report suspicious QR stickers to Home Depot store management for removal
- Enable two-factor authentication on your Pro Xtra account in the Home Depot app
- Monitor your Pro Xtra reward balance and saved payment methods regularly for unauthorised activity
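The domain check from the lists above, written out as an added example (not part of the original page and not Home Depot's code), shows why the hostname has to be compared rather than searching the link for the text "homedepot.com". The function name, the sample links (all constructed, using reserved .example domains) and the choices to reject plain http and internationalised hostnames are assumptions of this example.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "homedepot.com"  # the domain this page tells shoppers to expect

def check_scanned_url(payload):
    """Return (ok, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname          # lowercased, without userinfo or port
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme != "https":        # assumption: plain http is treated as a failure
        return False, f"scheme is {parts.scheme or 'missing'}, expected https"
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        # Text before '@' is not the site; the real host comes after it.
        return False, f"text before '@' is a decoy, real host is {host}"
    host = host.rstrip(".")
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        # Assumption: the trusted site is plain ASCII, so look-alike letters are rejected.
        return False, "internationalised host, possible look-alike characters"
    # Exact match or a true subdomain; the leading dot stops 'myhomedepot.com'.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, f"host is {host}"
    return False, f"host is {host}, not {TRUSTED_DOMAIN}"

# Constructed sample payloads, not taken from any real campaign.
SAMPLES = [
    "https://www.homedepot.com/sample-page",
    "https://homedepot.com.promo-offers.example/login",
    "https://homedepot.com@promo-offers.example/login",
    "https://myhomedepot.com/proxtra",
    "http://www.homedepot.com/sample-page",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_scanned_url(url)
        print(("OK    " if ok else "REJECT"), url, "->", reason)
```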
How to report it
- Report tampered QR codes to Home Depot store management immediately
- Contact Home Depot Pro Xtra customer service at 1-800-466-3337 if your account shows fraudulent activity
- Report to the FTC at reportfraud.ftc.gov
- If payment card details were entered, contact your bank to freeze the card and dispute fraudulent charges
Frequently asked questions
Does Home Depot use QR codes legitimately?
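Yes. Home Depot uses QR codes on shelf labels, in Pro Xtra promotions, and in its app for checkout and loyalty. Always check that a scanned QR code opens a page on homedepot.com itself: the site name shown in the address bar should be homedepot.com or end in .homedepot.com (for example www.homedepot.com). An address that only contains the text "homedepot.com" somewhere else in the link does not pass this check.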
Are Pro Xtra accounts more at risk than regular customer accounts?
Pro Xtra accounts tend to have larger reward dollar balances and higher transaction values, making them more attractive to attackers. Professionals who use the account heavily and may review statements less frequently are higher-value targets.
I entered my Pro Xtra credentials on a suspect page. What now?
Change your Pro Xtra password immediately and enable two-step verification. Review your reward balance and recent order history for fraudulent activity. Contact Home Depot Pro Xtra customer service to flag the account.