QR Code Gadget

QR Code Security: How to Stay Safe When Scanning

Published December 15, 2025 · Updated February 2026

QR codes are convenient, but they have a fundamental security limitation: you can't tell what's inside a QR code just by looking at it. A QR code on a parking meter might link to the city's payment page — or it might redirect you to a phishing site that steals your credit card number. As QR code usage has grown, so have the scams targeting people who scan without thinking. Here's what you need to know to stay safe.

Why QR Codes Are a Security Risk

Unlike a printed URL that you can read before visiting, a QR code is opaque. The encoded data is invisible until it's scanned and decoded. This makes QR codes an attractive tool for attackers because the victim has to interact with the code before they can evaluate whether it's safe. Attackers exploit this by placing malicious QR codes in places where people expect to find legitimate ones — on parking meters, restaurant tables, transit stations, and shared bulletin boards.

Common QR Code Scams

Quishing (QR Code Phishing)

Quishing is the most widespread QR code scam. Attackers create QR codes that redirect to convincing fake versions of legitimate websites — banks, payment processors, delivery services, or email providers. The goal is to trick you into entering your login credentials, credit card details, or personal information on the fake site. Quishing attacks often arrive through email, where the QR code bypasses traditional link-scanning security tools that can't read image content.

Sticker Scams

This involves placing a fraudulent QR code sticker over a legitimate one. It's common on parking meters, shared bike stations, public transit information boards, and restaurant table ordering systems. The victim thinks they're scanning the official code, but they're actually being redirected to the attacker's site. These scams are effective because the physical context — a QR code on an official-looking meter or sign — creates trust.

Malware Distribution

Some QR codes link to malicious app downloads or websites that attempt to exploit browser vulnerabilities. On Android devices, this might mean downloading a fake app that requests broad permissions. On any device, it could mean landing on a page that tries to install malware or trick you into allowing push notifications from a malicious source.

Payment Fraud

Attackers tamper with QR codes on payment terminals, donation boxes, or invoices to redirect payments to their own accounts. This is particularly common with cryptocurrency QR codes, where wallet addresses are long strings that most people don't verify character by character.

How to Protect Yourself

Preview Before Visiting

The single most effective protection is to see the URL before you open it. Use a tool like our QR Code Decoder to reveal the encoded content without automatically navigating to it. This lets you inspect the URL, check the domain name, and decide whether it looks legitimate before your browser ever connects to the site.

Check the URL Carefully

After decoding a QR code, examine the URL closely. Watch for misspellings of well-known domains (like "paypa1.com" instead of "paypal.com"), unusual subdomains (like "login.bank-secure.attackersite.com"), and URL shorteners that mask the true destination. Legitimate businesses typically use their official domain for QR code links.

Look for Physical Tampering

Before scanning a QR code in a public place, check whether it looks like a sticker placed over another code. Look for raised edges, misaligned placement, or differences in print quality compared to the surrounding material. If a QR code on a parking meter looks like it was added after the fact, it probably was.

Be Cautious with Payments

Never enter credit card details or login credentials on a website you reached through a QR code without first verifying the domain. If a QR code is supposed to take you to a payment page, consider navigating to the payment site directly through your browser instead of trusting the QR code link.

Keep Your Device Updated

Modern smartphones and browsers include security features that warn you about known phishing sites and malicious downloads. These protections only work if your operating system and browser are up to date. Enable automatic updates to stay protected against the latest threats.

Use HTTPS as a Signal

Legitimate websites almost universally use HTTPS (indicated by a padlock icon in the browser). If a QR code takes you to an HTTP site — especially one asking for personal information — treat it as a warning sign. While HTTPS alone doesn't guarantee a site is legitimate, the absence of it is a strong red flag.
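The checks described under "Check the URL Carefully" and "Use HTTPS as a Signal", written as an added example (it is not part of the original article or of the site's decoder): a Python function that tags a decoded QR payload before anything opens it. The allowlist, shortener list, bait-word list and the naive last-two-labels domain split are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed lists for illustration; a real deployment would use its own
# allowlist and the Public Suffix List instead of the naive split below.
TRUSTED = {"paypal.com", "google.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BAIT = {"login", "secure", "account", "verify", "bank"}
DIGIT_LOOKALIKES = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(payload):
    """Return warning tags for a decoded QR payload (empty list = none)."""
    url = urlsplit(payload.strip())
    host = (url.hostname or "").lower().rstrip(".")
    if url.scheme not in ("http", "https") or not host:
        return ["not-a-web-url"]
    findings = ["no-https"] if url.scheme == "http" else []
    labels = host.split(".")
    domain = ".".join(labels[-2:])  # naive registrable domain (assumption)
    if domain in TRUSTED:
        return findings
    if domain in SHORTENERS:
        findings.append("shortener")  # true destination is hidden
    # Misspelled brand: digit-for-letter swap or a single-character edit.
    for brand in sorted(TRUSTED):
        if domain.translate(DIGIT_LOOKALIKES) == brand or edit_distance(domain, brand) == 1:
            findings.append("lookalike:" + brand)
    # Reassuring words in subdomains of a domain that is not on the allowlist.
    words = {w for label in labels[:-2] for w in label.split("-")}
    if words & BAIT:
        findings.append("bait-subdomain")
    return findings


if __name__ == "__main__":
    for sample in ("https://paypa1.com/signin",              # constructed samples
                   "http://login.bank-secure.attackersite.com/pay",
                   "https://bit.ly/abc123"):
        print(sample, "->", triage(sample))
```

An empty result means none of these heuristics fired, not that the destination is verified.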

When QR Codes Are Safe

It's important not to overreact — the vast majority of QR codes are perfectly safe. QR codes from trusted sources are reliable: official product packaging from recognized brands, menus printed by the restaurant you're sitting in, QR codes you generated yourself, boarding passes from airlines, and codes displayed on verified business websites. The risk comes primarily from QR codes in uncontrolled public spaces where anyone could place a sticker, and from unsolicited QR codes received via email or messaging.

Frequently Asked Questions

Can scanning a QR code install a virus?

Scanning a QR code by itself doesn't install anything. However, the decoded link could take you to a site that attempts to download malicious software. Always preview the URL before visiting, and don't download files from unfamiliar sources.

Are QR codes on restaurant menus safe?

Generally yes, as long as the code is printed directly on the menu or table tent by the restaurant. Be cautious if the code looks like a sticker placed over the original.

How can I report a malicious QR code?

If you encounter a suspicious QR code in a public place, report it to the business or authority responsible for the location (e.g., the parking company, transit authority, or business owner). You can also report the phishing URL to Google Safe Browsing at safebrowsing.google.com.
