Warning: QR Codes in Fake Unclaimed Money Letters Can Install Malware on Your Phone

Yes, QR codes embedded in fake unclaimed money letters can install malware directly on your phone. According to both the FBI and FTC, scammers use these codes to distribute ransomware, trojans, and data-stealing software that can compromise your entire device once scanned.

A typical attack works like this: you receive an official-looking letter claiming you have unclaimed funds from a state treasury or class action settlement, complete with a QR code that supposedly takes you to claim your money. When you scan it with your phone camera, the code either redirects you to a spoofed website where you unknowingly enter your Social Security number and bank details, or it silently installs malicious software that runs in the background, stealing passwords, financial information, and personal data without your knowledge.

The threat is accelerating. In the first quarter of 2026 alone, Microsoft detected 8.3 billion phishing threats globally, with QR code phishing attacks surging 146% compared to the previous year. Security researchers at Kaspersky documented a fivefold increase in QR code phishing attacks during the second half of 2025, and ZenSec identified 1.7 million unique malicious QR codes in email attachments during that same period. These numbers make clear that scammers have shifted tactics away from traditional links and email addresses toward QR codes specifically because they bypass many of the security filters that catch other phishing attempts.

People searching for unclaimed money are especially vulnerable targets. You’re often anxious about potentially missing out on funds, eager to act quickly, and more likely to trust official-looking documents than to verify them independently. Scammers exploit that urgency by making their fake letters look nearly identical to genuine government communications, complete with official seals, logos, and convincing language about settlement funds or state refunds waiting for you.

How Are QR Codes Used in Fake Unclaimed Money Scams?

Scammers have discovered that QR codes are far more effective than hyperlinks in phishing attacks because most people trust them more and because they’re harder for email filters to detect. A letter claiming you have unclaimed money from a class action settlement or state treasury program will include a prominent QR code alongside text urging you to “verify your claim immediately” or “confirm your eligibility.” The code looks professional and legitimate, and because it’s not a clickable link, it doesn’t trigger the same warning flags that suspicious URLs might. When you scan the QR code with your phone, one of two things typically happens. First, you might be redirected to a fraudulent website that looks nearly identical to the real IRS, state treasury department, or settlement administrator site. These spoofed websites are sophisticated enough that victims unknowingly enter their full Social Security numbers, bank account information, routing numbers, and login credentials. The scammer captures this information in real-time and uses it to commit identity theft, drain bank accounts, or file fraudulent tax returns in your name.

Second, and more dangerously, the QR code can be programmed to download and install malware directly onto your phone without any warning or user confirmation. This malware then operates silently, stealing data, intercepting messages, capturing keystrokes, and giving criminals complete access to your device. The sophistication of these attacks varies. Some QR codes lead to basic credential-harvesting pages. Others deploy trojans designed to intercept banking apps and steal two-factor authentication codes as you use your legitimate financial apps. The most advanced attacks install ransomware that locks you out of your device until you pay a ransom, or spyware that monitors everything you do on your phone for months. By the time you realize something is wrong—usually when you notice unauthorized charges on your bank account or credit report problems—the damage is already done.

What Types of Malware Can QR Codes Actually Install?

The malware installed through fraudulent QR codes includes trojans, ransomware, spyware, and credential stealers. Trojans disguise themselves as legitimate apps and then perform harmful functions in the background, such as stealing data or giving hackers remote access to your device. Ransomware locks your phone and encrypts your files, making them inaccessible until you pay a ransom—which you shouldn’t do, as there’s no guarantee you’ll regain access even if you pay. Spyware monitors your activity, captures screenshots, records calls, and logs your banking information as you enter it into legitimate apps. Credential stealers specifically target login information for banking apps, email accounts, investment platforms, and social media, which criminals then use to gain further access to your financial accounts and identity.

One important limitation to understand: not all QR code malware behaves the same way. Some malware is designed to activate immediately, while other variants lie dormant for weeks or months, waiting for you to use a banking app or make an online purchase before it springs into action. Some only target Android devices and won’t affect iPhone users, while others are cross-platform. This unpredictability makes it harder to know whether you’ve been compromised even after scanning a suspicious code. You might scan a QR code, see what appears to be a legitimate website, enter no information, and think you’re safe—only to discover months later that malware was silently installed and has been stealing your data the entire time.

The risk is particularly acute for mobile devices because they typically have less sophisticated malware detection than computers. According to cybersecurity researchers, mobile devices were specifically targeted in 68% of QR code phishing attacks during 2025. Your phone is also where you store highly sensitive information: banking apps, email with password recovery links, health records, and photos containing sensitive documents. Unlike a computer, where you might notice unusual activity or pop-ups, malware on your phone can operate almost invisibly because you’re used to background activity from legitimate apps.

Figure: Growth of QR Code Phishing Attacks. Q2 2025: 100%; Q3 2025: 200%; Q4 2025: 250%; Q1 2026: 380%. Source: Microsoft, Kaspersky, ZenSec

Why Are Fake Unclaimed Money Letters Such Effective Targets for QR Code Scams?

Unclaimed money and unclaimed property represent a genuine service—millions of dollars in legitimate funds are held by state treasuries and class action settlement administrators every year. This legitimacy makes it easy for scammers to craft convincing fake letters. A scammer can claim the QR code links to a real settlement process, and because such settlements do exist, your natural instinct is to believe the letter. The urgency component is powerful: unclaimed money has holding periods, settlement deadlines, and claims that can expire, so you feel pressure to act immediately rather than verify the letter’s authenticity independently.

The scam also exploits trust in official communications. You expect legitimate letters from government agencies and settlement administrators to look professional and include official information. Scammers replicate this appearance with impressive accuracy, using real state seals, genuine-looking letterheads, and official language. They often include partial information that’s publicly available—your address, for example—to establish credibility. A letter that says “We have located unclaimed funds associated with your address” feels specific and believable, even if the scammer obtained your address from a data breach or public property records.

This type of scam is particularly effective because it doesn’t require you to give up information in a moment of panic or fear. You’re not receiving a threatening email about compromised accounts or urgent security issues. Instead, you’re receiving what appears to be good news—money is waiting for you. That positive framing makes you far more likely to let your guard down and take action without careful verification.

How Can You Tell If an Unclaimed Money Letter With a QR Code Is Fake?

Legitimate government agencies and settlement administrators rarely initiate contact via unsolicited mail with QR codes requiring immediate action. The FBI specifically warned in July 2025 about unsolicited packages containing QR codes prompting recipients to provide personal or financial information or download software. If you receive a letter claiming you have unclaimed funds and it includes a QR code with urgent language, treat it as suspicious until proven otherwise. Legitimate entities typically direct you to their official website or customer service phone number, not to codes that hide the destination URL until you scan them. Check the sender’s actual name and address. Legitimate letters from state treasury departments or settlement administrators include specific contact information and specific language about what claim or settlement you’re eligible for. Fake letters often use vague language like “unclaimed funds associated with your account” without specifying what account, settlement, or claim program. Real settlement letters include case numbers, claim details, and information about the specific lawsuit or program.

Look for red flags like generic greetings (“Dear Valued Customer” instead of your name), spelling and grammar errors, or unusual urgency (“Claim within 48 hours or funds will be forfeited”). Government agencies don’t typically create artificial deadlines for claiming legitimate funds—scammers do. Verify independently by contacting the agency directly. If a letter claims to be from your state’s treasury department, call or visit the official government website and ask about that specific claim or settlement. Don’t use contact information from the letter itself—look up the agency’s phone number through your state’s official website. If the settlement or claim is legitimate, the agency will have a record of it and can tell you exactly how to claim your funds through their verified process. This extra step takes just a few minutes and can prevent thousands of dollars in fraud. Most importantly, never scan a QR code from an unsolicited letter, especially one creating urgency. The comparison is straightforward: if you wouldn’t click a suspicious link from an email, you shouldn’t scan a suspicious QR code either.
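The point above about codes hiding their destination can be turned into a check on the text a QR code decodes to, before anything is opened. This is an added example, not part of the original article; the host `treasury.example.gov`, the shortener list and the function names are assumptions for illustration, and the verified-host list should hold only hosts you looked up independently of the letter.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts you looked up yourself, never copied from the letter (placeholder).
OFFICIAL_HOSTS = {"treasury.example.gov"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}        # illustrative, not exhaustive
PACKAGE_SUFFIXES = (".apk", ".ipa", ".mobileconfig")  # app or profile downloads

def is_official(host, official=OFFICIAL_HOSTS):
    """True only for a verified host or one of its subdomains."""
    return any(host == o or host.endswith("." + o) for o in official)

def triage_qr_payload(payload, official=OFFICIAL_HOSTS):
    """Return red flags for a decoded QR string; an empty list means none found."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"non-web scheme: {scheme or 'none'}"]
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if scheme == "http":
        flags.append("no TLS")
    if parts.username is not None:
        flags.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        flags.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label")
    if host in SHORTENERS:
        flags.append("URL shortener hides destination")
    if parts.path.lower().endswith(PACKAGE_SUFFIXES):
        flags.append("direct package download")
    if not is_official(host, official):
        flags.append("host not on verified list")
        if any(o in host for o in official):
            flags.append("official name embedded in other domain")
    return flags

if __name__ == "__main__":
    # Constructed sample payloads (documentation-range addresses and domains).
    for sample in ("https://treasury.example.gov/claims?id=123",
                   "http://treasury.example.gov.claim-funds.example/verify",
                   "https://203.0.113.7/app/claim.apk"):
        print(sample, "->", triage_qr_payload(sample) or "no flags")
```

An empty result only means none of these specific flags fired; it does not replace calling the agency on a number you found yourself.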

What Should You Do If You’ve Already Scanned a Suspicious QR Code?

If you scanned a QR code from a suspicious unclaimed money letter and were redirected to a website where you entered information, act immediately. Change the passwords for any accounts you access from that device, especially banking, email, and investment apps. Contact your bank and credit card companies directly (using the phone number on the back of your card, not from the fraudulent website) and report that you may have compromised your account information. Place a fraud alert with the three major credit bureaus (Equifax, Experian, and TransUnion) and consider freezing your credit to prevent criminals from opening accounts in your name. If you scanned the QR code but didn’t enter any information and don’t believe malware was installed, the risk is lower but not zero. Run a full malware scan on your phone using a reputable mobile security app. For Android users, download an antivirus app from a legitimate publisher and perform a complete system scan.

For iPhone users, note that iOS is more resistant to malware from QR codes alone, but you should still monitor your device for unusual activity—unexpected battery drain, overheating, unfamiliar apps, or slow performance. Change your passwords for sensitive accounts just to be safe. Then monitor your credit reports and bank statements for fraudulent activity over the next several months. The limitation of security software is important to understand: no antivirus or malware detection tool catches 100% of threats. According to ZenSec’s research, only 36% of QR code phishing incidents are accurately identified and reported as such, meaning many attacks go undetected by standard security tools. This is why consistent monitoring of your accounts is crucial. Even if a malware scan says your phone is clean, criminals may have installed sophisticated malware designed to evade detection, so watch for signs of compromise: unauthorized transactions, unexpected password reset emails, credit inquiries you didn’t make, or familiar apps behaving unusually. If you suspect your phone is infected but can’t determine what’s wrong, consider factory resetting it and restoring from a backup created before you scanned the QR code—though this is a drastic step that should be reserved for serious suspected compromises.

How Widespread Is the QR Code Unclaimed Money Scam Right Now?

The scale of QR code phishing has grown dramatically. As of 2025, QR codes appear in 12% of all phishing attacks globally, up from near-zero just a few years ago. That 146% surge in Q1 2026 alone shows how rapidly criminals are adopting this tactic. ZenSec identified 1.7 million unique malicious QR codes in email attachments during 2025, and email is just one vector—QR codes are also appearing in postal mail, as the FBI warned, making the actual volume of malicious codes far higher.

The unclaimed money and settlement claim vertical has become particularly attractive to these scammers because of the combination of legitimacy, urgency, and emotional motivation. Unlike most phishing attacks that rely on fear (compromised accounts, legal threats), unclaimed money scams promise something good. That psychological difference makes them more effective. Combine that with the fact that millions of people are searching for unclaimed funds every year, and scammers have found a highly profitable target. Reports to the FTC about QR code phishing scams have skyrocketed, though many incidents—possibly the majority—go unreported because victims don’t realize they’ve been compromised until damage is already done.

The Future of QR Code Scams and Evolving Threats

As antiphishing technology improves, scammers are continuously evolving their tactics. The shift from traditional email links to QR codes is just one example of this adaptation. Researchers predict that QR code attacks will continue to grow because they remain difficult for email filters and security systems to detect, they leverage human psychology effectively, and they bypass many technical controls that would catch traditional phishing links. The next evolution may involve AI-generated fake videos or documents, or QR codes embedded in unexpected places—on legitimate websites that have been hacked, on public bulletin boards in parking lots, or on counterfeit checkout receipt templates.

The broader lesson is that no single security measure will protect you completely. Email filters catch some phishing, antivirus software catches some malware, and user awareness catches some scams—but the most effective defense combines all three. Stay skeptical of unsolicited communications, especially those creating urgency around money. Verify independently before taking action. Monitor your financial accounts and credit reports regularly. And remember that scammers will always find new ways to exploit legitimate services like unclaimed property claims, so remaining vigilant is an ongoing responsibility.

Conclusion

QR codes in fake unclaimed money letters represent a genuine and growing threat. The 146% surge in QR code phishing attacks in early 2026, combined with the ability of these codes to install malware directly on your phone, makes them one of the most dangerous phishing tactics scammers currently use. Unlike traditional links that you can hover over and inspect, QR codes hide their destination until you scan them, and once scanned, they can silently install malware that steals your data for months without your knowledge.

Protect yourself by remaining skeptical of unsolicited letters claiming you have unclaimed money, never scanning QR codes from unexpected sources, verifying claims independently through official channels, and monitoring your financial accounts and credit reports. If you’ve already scanned a suspicious code, change your passwords immediately, contact your financial institutions, and place a fraud alert on your credit. The few minutes you spend verifying a legitimate claim and rejecting a fraudulent one are far less costly than the months of work required to recover from identity theft or financial fraud.

