Education · 7 min read

QR Code Safety: How to Avoid Scam QR Codes

QR codes are everywhere now, and scammers have noticed. Here is how to tell the difference between a legitimate code and one designed to steal your information.

Rachel parked in a downtown garage last October and walked to the payment kiosk. There was a QR code sticker on the machine with a label that said 'Pay Here — Scan to Pay Parking.' She scanned it, and it opened what looked like a normal payment page. She entered her credit card number, tapped submit, and walked to her meeting. Two days later, her bank called. Someone had charged $1,400 to her card at an electronics store 300 miles away. The QR code she scanned was not from the parking garage. Someone had printed a sticker and placed it directly over the legitimate one.

Rachel's story is not unusual. As QR codes have become part of daily life — on restaurant tables, parking meters, event tickets, and product packaging — criminals have found ways to exploit the trust people place in those little squares. The attack even has a name: quishing. And it is growing fast.

What Is Quishing (QR Code Phishing)?

Quishing is phishing delivered through a QR code instead of a link in an email. The concept is identical to traditional phishing: a scammer creates a fake webpage that looks like a legitimate service, then tricks you into entering sensitive information like passwords, credit card numbers, or login credentials. The difference is the delivery method. Instead of clicking a suspicious link, you scan a QR code that takes you to the fake page.

What makes quishing particularly effective is that QR codes are opaque. When you see a link in an email, you can hover over it and check the URL before clicking. But when you scan a QR code, you often do not see where it leads until your phone has already opened the page. That moment of blind trust is exactly what scammers exploit.

How Scam QR Codes Work in Practice

Scammers deploy fake QR codes in several ways, and understanding the common tactics makes them much easier to spot.

  • Sticker overlays: The most common physical attack. A scammer prints a sticker with their malicious QR code and places it directly over a legitimate QR code on a parking meter, restaurant table, or public sign. To the casual observer, it looks like the original code.
  • Fake flyers and posters: Scammers post official-looking flyers in public places — 'Free WiFi,' 'Win a Gift Card,' 'Special Discount' — with a QR code that leads to a phishing site or downloads malware.
  • Email and mail quishing: Instead of including a clickable link in a phishing email, scammers embed a QR code image. This bypasses many email security filters that scan links but do not analyze QR code images.
  • Tampered receipts and tickets: Fake QR codes printed on counterfeit parking tickets, receipts, or fine notices left on car windshields. The code leads to a payment page that captures your card information.

How to Spot a Fake QR Code

You do not need to be a security expert to protect yourself. A few seconds of attention before scanning can prevent most attacks.

  • Check for sticker overlays: Before scanning a QR code in a public place, look closely at whether the code is printed directly on the surface or stuck on top of it. Run your finger over the edge. If you feel a sticker layered over another code, do not scan it.
  • Preview the URL before opening: Most modern phones show a URL preview when you scan a QR code. Read it before tapping. A legitimate parking service will have a recognizable domain, not something like 'parkng-pay-now.xyz.' Look for misspellings, unusual domain extensions, and overly long URLs.
  • Check for HTTPS: Legitimate payment and login pages use HTTPS. If the URL starts with plain HTTP, treat it with suspicion. However, keep in mind that HTTPS alone does not guarantee legitimacy — scammers can get SSL certificates too.
  • Be wary of urgency: If a QR code leads to a page that pressures you to act immediately — 'Your account will be locked!' or 'Claim your prize now!' — step back. Legitimate services do not create panic to get you to enter personal information.
  • Verify with the source: If you scan a QR code at a restaurant and the page looks strange, ask the staff. If a QR code appears on a parking meter and the design looks different from other meters on the same street, pay inside or use the official app instead.

On iPhone, the camera app shows the URL before opening it. On Android, Google Lens does the same. Always read the URL preview before tapping. If something looks off, do not proceed.

Safety Tips for Consumers

As someone who scans QR codes in daily life, you can protect yourself with a few simple habits.

  1. Use your phone's built-in scanner: The default camera app on iPhone and Android provides a URL preview before navigating. Avoid downloading third-party QR scanner apps, as some of them are themselves malware disguised as useful tools.
  2. Never enter sensitive information impulsively: If a QR code leads you to a page asking for your credit card, social security number, or login credentials, pause. Ask yourself: did I expect this? Would this organization normally ask for this information this way?
  3. Keep your phone updated: Operating system updates include security patches that protect against new threats. An up-to-date phone is better equipped to warn you about malicious websites and prevent unauthorized downloads.
  4. Report suspicious QR codes: If you find a QR code sticker that appears to be covering a legitimate one, report it to the business or property owner. Peel off the fake sticker if you can do so safely. You may save the next person from a scam.

Safety Tips for Businesses

If your business uses QR codes — on tables, signage, packaging, or marketing materials — you have a responsibility to make your codes trustworthy and tamper-resistant.

  • Print QR codes directly on materials: Whenever possible, print QR codes directly onto menus, signage, or packaging instead of using stickers that can be covered by a scammer's sticker. Printed codes are much harder to tamper with.
  • Inspect your QR codes regularly: Make it part of your opening routine. Walk through the space and check that your QR codes have not been covered or replaced. For outdoor placements like parking meters or event signage, check more frequently.
  • Use a recognizable landing page: When customers scan your QR code, they should land on a page with your branding, your domain name, and a clear explanation of what they are looking at. A branded landing page builds trust and makes fakes easier to identify.
  • Use your own domain: Avoid generic URL shorteners that obscure the destination. A code that leads to 'yourbusiness.com/menu' is far more trustworthy than one that leads to 'bit.ly/3xK9z2.' Customers have learned to be suspicious of shortened URLs.
  • Educate your staff: Make sure your employees know what your QR codes should look like and where they are placed. If a team member notices a code that looks different or a sticker that was not there yesterday, they should flag it immediately.
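
The URL checks from "How to Spot a Fake QR Code" and the "use your own domain" advice above can be automated as part of the regular inspection walk-through. The sketch below is an added example, not code from the original article; the domain cityparking.example, the shortener list and the thresholds are assumptions, and each QR image is assumed to have been decoded to text already.

```python
from urllib.parse import urlsplit

# Assumptions of this example, not taken from the article: the shortener
# list, the length limit and the edit-distance threshold for look-alikes.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
MAX_URL_LEN = 75
LOOKALIKE_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_qr_url(decoded, expected_domain):
    """Return the red flags for one decoded QR payload (empty list = clean)."""
    findings = []
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme != "https":
        findings.append("not-https")
    if "@" in parts.netloc:
        # Text before '@' is userinfo, not the host the browser will contact.
        findings.append("userinfo-in-url")
    if host in SHORTENERS:
        findings.append("url-shortener")
    elif host != expected and not host.endswith("." + expected):
        findings.append("unexpected-domain")
        if expected in host or edit_distance(host, expected) <= LOOKALIKE_DISTANCE:
            findings.append("look-alike-domain")
    if len(decoded) > MAX_URL_LEN:
        findings.append("long-url")
    return findings


# Constructed walk-through results: placement -> text decoded from the code.
SCANS = {
    "table-4": "https://cityparking.example/pay?meter=12",
    "kiosk-1": "http://cityparkng.example/pay",
    "entrance": "https://cityparking.example.pay-now.test/checkout",
}
REPORT = {where: f for where, url in SCANS.items()
          if (f := audit_qr_url(url, "cityparking.example"))}
```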

What to Do If You Scanned a Suspicious QR Code

If you scanned a QR code and something feels wrong — the page looked suspicious, you entered information you now regret, or your phone started behaving oddly — take action immediately.

  1. Close the page and clear your browser history and cache.
  2. If you entered a password, change it immediately on the legitimate site. If you use that password anywhere else, change it there too.
  3. If you entered credit card information, call your bank or card issuer right away. They can freeze the card and reverse fraudulent charges.
  4. Run a security scan on your phone. Both iOS and Android have built-in security features, and reputable antivirus apps can check for malware.
  5. Monitor your accounts for the next several weeks. Set up transaction alerts on your bank and credit card accounts so you are notified of any unusual activity.

The Bigger Picture: QR Codes Are Still Safe When Used Wisely

None of this means you should stop scanning QR codes. The technology itself is not dangerous — the risk comes from where the code sends you, just like any link on the internet. A QR code is simply a way to encode a URL. The same caution you apply to clicking links in emails should apply to scanning codes in the real world.

The overwhelming majority of QR codes you encounter are legitimate. Restaurant menus, WiFi passwords, event tickets, business cards — these are all safe, useful applications. The key is awareness. Take two seconds to check the URL before tapping, look for signs of tampering on physical codes, and trust your instincts. If something feels off, it probably is.

Frequently Asked Questions

Can a QR code give my phone a virus?

A QR code itself cannot contain a virus. It is simply a way to encode text, usually a URL. However, scanning a malicious QR code can take you to a website that attempts to download malware onto your phone. Modern phones have built-in protections that prevent automatic downloads, but you should still avoid visiting suspicious URLs. Keep your phone's operating system updated and never install apps or files from untrusted websites.

Are QR codes on restaurant menus safe to scan?

Yes, restaurant menu QR codes are generally very safe. They are placed there by the restaurant to link you to their menu. The main risk would be if someone placed a fake sticker over the restaurant's legitimate code, which is uncommon but possible. If you want to be cautious, check that the URL matches the restaurant's name or domain when your phone shows the preview.

What is the difference between quishing and regular phishing?

The only difference is the delivery method. Regular phishing uses clickable links in emails, text messages, or social media to direct you to a fake website. Quishing uses QR codes to do the same thing. The goal is identical: to trick you into entering sensitive information on a page that looks legitimate but is controlled by a scammer. QR-based phishing is harder for security software to detect because the malicious URL is hidden inside an image rather than appearing as scannable text.

Should I use a special QR code scanner app for safety?

No. Your phone's built-in camera app is the safest option. It shows you a URL preview before navigating, and it does not include ads or unwanted features. Many third-party QR scanner apps in app stores are themselves low-quality software that may collect your data or display intrusive ads. Stick with the camera app that came with your phone.

How can I tell if a QR code sticker has been tampered with?

Look for physical signs: a sticker placed on top of another sticker, edges that are peeling or misaligned, a code that looks like a different size or print quality compared to surrounding signage, or a code that does not match the style of the business. If the QR code is on a parking meter, payment kiosk, or public sign, compare it with similar codes on nearby machines. If one looks different, do not scan it and report it to the property owner.
