QR.technology Free · Private · No sign-up

Are QR codes safe?

The code itself can't harm you — but where it sends you can. A QR code is a neutral pointer. The risk is the destination, and scammers exploit exactly that with "quishing" and sticker swaps. Here's how the attacks work and how to scan safely.

Reading time ~6 min · Safety

A QR code is just a pointer

Scanning a QR code cannot, by itself, install malware or take over your phone. The code contains text — usually a link — and your phone shows you that link before doing anything. Every risk comes from what happens after you choose to act on it: visiting a malicious site, entering credentials, or making a payment. Treat a QR code exactly like a link someone hands you: harmless to look at, risky to trust blindly.

Quishing: QR phishing

Quishing is phishing delivered by QR code. An attacker puts a code on a flyer, email, parking sign, or fake notice that leads to a convincing copy of a real login or payment page. Because the destination is hidden inside the pattern, you can't eyeball it the way you'd scrutinize a typed link — which is precisely why it works. Common lures include fake parking fines, package-redelivery notices, bank "security alerts," and account-verification prompts.

The tell: it asks for credentials or payment

A legitimate QR code rarely needs you to log in or pay on a page you reached by surprise. If a scanned link demands your password, card, or banking details — especially with urgency — stop. Navigate to the real service yourself instead.

The sticker-swap scam

A low-tech but effective attack: criminals print a malicious code on a sticker and stick it over a legitimate one — on parking meters, restaurant tables, e-scooters, or payment terminals. The surrounding sign looks official, so victims trust the code. If a QR code looks like a sticker applied on top of other printing, or the edges are peeling, don't scan it.

How to scan defensively

  • Preview the URL. Most phone cameras show the link before opening it. Read the domain — does it actually match the brand? Our QR code reader decodes a code and shows its full destination, with scam-signal checks, without opening anything.
  • Watch for look-alike domains. paypa1.com or bank-verify.example are not the real thing.
  • Be wary of shorteners on physical codes from untrusted sources — they hide the true destination.
  • Never enter passwords or payment details on a page you reached unexpectedly via a code. Open the official app or type the address yourself.
  • Inspect the physical code. Peeling stickers or codes pasted over signage are red flags.
  • Keep your phone updated so the browser's own phishing protections are current.
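
The URL checks from the list above, applied to the text decoded from a code, as an added example that is not this site's reader code. The function names, signal labels, sample shortener list and the two-label domain approximation are assumptions made for illustration.

```javascript
// Added example: heuristic checks on the text decoded from a QR code.
// SHORTENERS is a small sample list, not exhaustive (assumption).
const SHORTENERS = new Set(["bit.ly", "tinyurl.com", "t.co"]);
// Digit-for-letter swaps commonly seen in look-alike domains.
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s" };

// Map confusable digits to letters so "paypa1.com" compares equal to "paypal.com".
function skeleton(host) {
  return host.replace(/[0135]/g, (c) => CONFUSABLES[c]);
}

// Approximate the registrable domain as the last two labels (assumption:
// ignores suffixes such as co.uk; real code should use a public-suffix list).
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns an array of signal labels (hypothetical names); empty means none fired.
function qrSignals(decodedText, trustedDomains) {
  let url;
  try {
    url = new URL(decodedText.trim());
  } catch {
    return ["not-a-url"];
  }
  if (!/^https?:$/.test(url.protocol)) return ["not-a-web-link"];
  const signals = [];
  const host = url.hostname.toLowerCase();
  const base = baseDomain(host);
  if (url.protocol === "http:") signals.push("not-https");
  if (url.username || url.password) signals.push("userinfo-in-url");
  if (host.split(".").some((l) => l.startsWith("xn--"))) signals.push("punycode-host");
  if (SHORTENERS.has(base)) signals.push("shortener");
  if (!trustedDomains.includes(base)) {
    for (const trusted of trustedDomains) {
      const brand = trusted.split(".")[0];
      if (skeleton(base) === skeleton(trusted)) signals.push(`lookalike-of:${trusted}`);
      else if (host.includes(brand)) signals.push(`brand-in-untrusted-host:${trusted}`);
    }
  }
  return signals;
}

// Constructed sample payloads, using the look-alike named in the article.
for (const text of ["https://www.paypal.com/signin", "https://paypa1.com/login"]) {
  console.log(text, "->", qrSignals(text, ["paypal.com"]));
}
```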

A quick pre-scan checklist

When you encounter a code in the wild, run through this in a couple of seconds before acting on it:

  • Is the physical code intact? No sticker pasted over another, no peeling edges.
  • Does the previewed domain match the brand? Read it before tapping; watch for look-alikes and shorteners.
  • Is it asking for something sensitive? Unexpected login or payment requests are the biggest red flag.
  • Did you expect a code here at all? An unsolicited code in an email or letter deserves extra suspicion.

None of these guarantee safety, but together they catch the overwhelming majority of malicious codes — which almost always rely on you scanning first and thinking later.

If you create QR codes

You can build trust into your codes: link to your real, recognizable domain (short and on-brand), avoid unnecessary shorteners so people can verify the destination, and protect physical codes from tampering. For payment codes especially, place them where they can't be covered and check them regularly — see payment QR codes. Generating your codes with a private, client-side tool like this one also means your data is never exposed in the first place.

Frequently asked questions

Can scanning a QR code hack my phone?

Not by itself. The code only delivers text, usually a link, which your phone shows before acting. The danger is what you do next — visiting a malicious site or entering sensitive details.

What is quishing?

Phishing carried out via QR codes. A code leads to a fake login or payment page designed to steal credentials. The hidden destination is what makes it effective.

How can I tell if a QR code is safe?

Preview the URL before opening it and check the domain matches the real brand. Be suspicious of codes that demand logins or payment, use look-alike domains, or appear to be stickers placed over other codes.

Is it safe to scan a restaurant or parking QR code?

Usually, but check for tampering — scammers cover real codes with malicious stickers. If a code looks pasted on or peeling, don't scan it, and never enter payment details on an unexpected page.