threat level: human

~ / text and qr-code scams

man smishing-red-flags

Text and QR-Code Scams

Smishing texts and tampered QR codes, and the one rule that defuses both.

$470M reported losses to text scams in 2024 (FTC, 2025).

By the numbers

  • $470M reported losses to text scams in 2024 (FTC, 2025)
  • 5x rise in text-scam losses since 2020 (FTC, 2025)
  • 21 sec median time to click a phishing link (Verizon DBIR, 2024)

Spotting a scam text

  • A link in an unexpected text. A delivery, toll, or bank 'alert' urging you to tap a link right now.
  • A sender that does not fit. A personal mobile number claiming to be a company, or a shortened link.
  • Urgency over a small problem. A tiny unpaid fee or a held package, with a threat if you do not act.

QR-code (quishing) traps

  • A QR code placed over a real one. A sticker on a parking meter, menu, or invoice sending you to a fake site.
  • A code that asks you to log in or pay. Any QR that lands on a login or payment page deserves a hard stop.

Common text and QR lures

  • Delivery and toll 'fees'. A package or unpaid toll that needs a small payment through a link.
  • Bank and account 'alerts'. A fraud warning that wants you to log in or 'confirm' through a link.
  • Wrong-number and job texts. A friendly 'wrong number' or an easy-money job that warms you up for a scam.

Do and don't

Do

  • Open the company's app or a typed address and check the status there.
  • Delete and report unexpected texts, and block the sender.
  • Check where a QR code leads before you act, and beware stickers placed over real codes.
  • Use phishing-resistant MFA so a stolen password alone is not enough.

Don't

  • Do not tap links in unexpected texts.
  • Do not scan untrusted QR codes, especially in public places.
  • Do not enter logins or card details on a page reached from a text or a QR.
  • Do not reply to an obvious scam text. It confirms a live number.

The one move

Do not tap links in unexpected texts or scan untrusted QR codes. Go to the company yourself through its app or a typed address and check the real status there. The link is the trap.

If it happens

  1. Do not click further. If you entered details, change that password now.
  2. Call your bank if you shared card or login details.
  3. Report the text (forward to 7726 in the US) and to reportfraud.ftc.gov.
  4. Watch for follow-up scams that use the information you gave.

Go deeper

For the bigger picture, read what is social engineering and how to spot a phishing email. See these warning signs in real cases in the weekly briefings.

Frequently asked questions

// guides/smishing-red-flags --help
What are the red flags of text and qr-code scams?

Watch for a link in an unexpected text, a sender that does not fit, urgency over a small problem, a qr code placed over a real one, plus any pressure to act fast, skip a check, or keep it secret.

What is the one move that stops it?

Do not tap links in unexpected texts or scan untrusted QR codes. Go to the company yourself through its app or a typed address and check the real status there. The link is the trap.

What should I do if it already happened?

Do not click further. If you entered details, change that password now. Call your bank if you shared card or login details. Report the text (forward to 7726 in the US) and to reportfraud.ftc.gov. Watch for follow-up scams that use the information you gave.

get the weekly briefing watch the briefings see what your visit reveals ->