QR Code Security: How to Stay Safe from QR Scams
QR code scams (quishing) are on the rise. Learn how to spot malicious QR codes, protect yourself, and create safe codes for your business.
The Rise of QR Code Scams
QR codes are trusted. People scan them without thinking — at restaurants, parking meters, transit stations, and package deliveries. That trust is exactly what scammers exploit. QR code phishing, known as quishing, has surged since 2023. Attackers place malicious QR codes over legitimate ones, print fake parking tickets with fraudulent payment links, or send phishing emails with QR codes that bypass traditional email security filters.
The FBI, FTC, and cybersecurity agencies worldwide have issued warnings about QR code scams. The attack is simple but effective: the victim scans a QR code expecting one thing, but gets redirected to a phishing site that steals credentials, installs malware, or initiates unauthorized payments. Because QR codes are opaque — you cannot read the URL just by looking at the code — they are an ideal vector for social engineering.
How Malicious QR Codes Work
A QR code is just a container for data. It can hold a URL, plain text, WiFi credentials, a phone number, or other information. There is nothing inherently dangerous about the code itself; the danger is in what it links to. A malicious QR code typically encodes a URL that points to a fake login page, a malware download, or a payment gateway controlled by the attacker. Non-URL payloads have consequences too: a WIFI: payload joins a network the attacker controls, and a tel: or sms: payload can dial or text a premium-rate number without ever opening a browser.
Physical QR code attacks often involve stickers. An attacker prints a QR code sticker and places it over a legitimate code on a parking meter, a restaurant table, a store window, or a public notice board. The victim sees the context (a parking meter, a restaurant) and assumes the code is legitimate. A well-cut overlay is hard to detect at a glance, which is why the deliberate checks described below matter.
Digital quishing works through email or messaging. An attacker sends an email that contains a QR code image instead of a clickable link. Many email security tools scan links in the message body for malicious URLs but do not decode images, so the URL inside the QR code never passes through the URL filter. The recipient scans the code with their phone, which moves the click from a managed mailbox to a personal device outside the organization's endpoint controls, and lands on a phishing page.
How to Spot a Suspicious QR Code
Check for sticker overlays. If a QR code at a restaurant, parking meter, or store looks like a sticker placed on top of something else, be cautious. Look at the edges: is it aligned properly? Does it match the design of the surrounding material? A sticker is not proof of tampering, since many businesses do use them, but a sticker that covers another code, sits crooked, or clashes with the surrounding print deserves a second look.
Preview the URL before opening. Both iPhone and Android show a URL preview when you point your camera at a QR code. Read the URL carefully before tapping. Look for misspelled domain names (like g00gle.com instead of google.com), suspicious subdomains, or unfamiliar domains. Two caveats: the preview may show only the domain rather than the full URL, and it shows the URL encoded in the code, not where that URL redirects to. If the URL uses a generic URL shortener and you were not expecting that, treat it with caution, because the shortener hides the real destination.
Be skeptical of urgency. Scam QR codes often come with urgent messaging: Your package will be returned! or Pay your parking fine within 24 hours. Legitimate organizations rarely create urgency around QR code scans. If the context feels pressured, verify through an official channel before scanning.
Protecting Yourself When Scanning QR Codes
Use your phone's built-in camera app to scan QR codes. Both iOS and Android show a preview of the URL before you open it. Do not use third-party scanner apps that auto-open URLs without preview — this eliminates your chance to inspect the destination.
Never enter passwords, credit card numbers, or personal information on a page you reached via a QR code unless you have independently verified the URL. If a QR code at a parking meter sends you to a payment page, compare the URL with the one listed on the city's official website. If a QR code in an email asks you to log in, navigate to the service directly through your browser instead. A padlock or https:// prefix is not proof of legitimacy: phishing sites routinely use valid certificates, and HTTPS only confirms you reached the domain shown, not that the domain is the one you meant.
Keep your phone's operating system and browser up to date. Modern phones have built-in protections against known phishing sites and malicious downloads. These protections only work if your software is current. Make sure the phishing protection is enabled in your browser: Safe Browsing in Chrome, or Fraudulent Website Warning in Safari on iOS.
Creating Safe QR Codes for Your Business
If you create QR codes for your business, you have a responsibility to make them trustworthy. Use your own domain for destination URLs instead of generic URL shorteners. A QR code that points to yourbrand.com/menu is far more trustworthy than one pointing to bit.ly/x7k9q2. Customers can verify the domain at a glance before opening. If you need scan tracking or the ability to change the destination later, run the redirect on a subdomain you control (for example go.yourbrand.com/menu) rather than through a third-party shortener.
Add context around your QR codes. Print a brief label like Scan to view our menu at yourbrand.com or Scan to connect to our WiFi. This sets the expectation for what the code does and gives the scanner a way to verify the destination. A naked QR code with no explanation looks suspicious in 2026.
Use HTTPS for all QR code destinations. An HTTP URL triggers a Not Secure warning in modern browsers, which erodes trust immediately. Ensure your website has a valid TLS certificate and all QR code URLs use the https:// prefix. HTTPS proves to the visitor that they reached the domain in the URL, so it only helps if that domain is yours and recognizable as yours.
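The checks described under Preview the URL before opening (misspelled domains, suspicious subdomains, unexpected shorteners) and the own-domain, no-shortener, HTTPS rules for businesses above are the same URL triage seen from two sides. The following Python is an added example and not code from the original page: it classifies a decoded QR payload, lists reasons to distrust a URL, and gates a URL before a business publishes it. The shortener list, the confusable-character table and the two-label approximation of a registrable domain are constructed assumptions, and inspect_payload and fit_to_publish are hypothetical names.

```python
# Added example: triage a decoded QR payload before acting on it.
# Lists below are constructed assumptions; a real deployment would use a
# full shortener list and the Public Suffix List for registrable domains.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}
# Look-alike substitutions folded before comparing host names (assumption).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


@dataclass
class Verdict:
    kind: str                      # url, wifi, tel, sms, mailto or text
    host: str | None = None
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _skeleton(host: str) -> str:
    """Fold look-alike characters so g00gle.com compares equal to google.com."""
    s = host.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def inspect_payload(payload: str, expected_domains: tuple[str, ...] = ()) -> Verdict:
    """Classify a decoded QR payload; non-URL payloads act without a browser."""
    text = payload.strip()
    low = text.lower()
    if low.startswith("wifi:"):
        return Verdict("wifi", findings=["joins a Wi-Fi network: confirm the SSID with the venue"])
    if low.startswith("tel:"):
        return Verdict("tel", findings=[f"places a call to {text[4:]}: check the number first"])
    if low.startswith(("sms:", "smsto:")):
        return Verdict("sms", findings=["pre-fills a text message: premium-rate numbers are a known abuse"])
    if low.startswith("mailto:"):
        return Verdict("mailto")
    if not low.startswith(("http://", "https://")):
        return Verdict("text")
    return _inspect_url(text, expected_domains)


def _inspect_url(url: str, expected_domains: tuple[str, ...]) -> Verdict:
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings: list[str] = []
    if parts.scheme != "https":
        findings.append("plain http: the page can be altered in transit")
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}@' is shown before the real host {host}")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("punycode label: non-ASCII characters may imitate a brand")
    if host in SHORTENER_HOSTS:
        findings.append(f"public shortener {host} hides the real destination")
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")
    if expected_domains:
        reg = _registrable(host)
        on_expected = False
        for dom in (d.lower() for d in expected_domains):
            if host == dom or host.endswith("." + dom):
                on_expected = True
                break
            if dom in host:  # e.g. paypal.com.evil.net or paypal.com-secure.net
                findings.append(f"'{dom}' appears in the name but the site is really {reg}")
            elif _skeleton(reg) == _skeleton(dom):
                findings.append(f"{reg} looks like {dom} (character substitution)")
        if not on_expected:
            findings.append("not under expected domain(s): " + ", ".join(expected_domains))
    return Verdict("url", host, findings)


def fit_to_publish(url: str, own_domain: str) -> bool:
    """Business-side gate: publish only clean https URLs under your own domain."""
    verdict = inspect_payload(url, (own_domain,))
    return verdict.kind == "url" and not verdict.suspicious


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    samples = [
        ("https://yourbrand.com/menu", ("yourbrand.com",)),
        ("https://g00gle.com/login", ("google.com",)),
        ("http://bit.ly/x7k9q2", ()),
        ("https://paypal.com.secure-verify.net/update", ("paypal.com",)),
        ("https://city.gov@203.0.113.7/pay", ("city.gov",)),
        ("WIFI:T:WPA;S:CafeGuest;P:hunter2;;", ()),
    ]
    for payload, expected in samples:
        v = inspect_payload(payload, expected)
        print(f"{payload!r:50} {v.kind:6} suspicious={v.suspicious}")
        for finding in v.findings:
            print("    -", finding)
```

On the scanning side, call inspect_payload with the domain you expect (the city's payment domain, the restaurant's domain) and refuse to proceed while findings is non-empty. On the publishing side, fit_to_publish rejects anything that is not https on your own domain, which is exactly the rule the section above asks for; a look-alike of your brand or a shortener fails the same check that a customer's preview would.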
Monitor your physical QR codes periodically. Check that no one has placed a sticker over your codes. If you use QR codes on outdoor signage, public menus, or shared surfaces, inspect them regularly. Some businesses print QR codes with a branded frame or custom design that makes overlay stickers more obvious. Because your codes point at your own server, scan traffic is also a signal: a sudden drop in scans from one location suggests the code there may have been covered.
What to Do If You Scanned a Malicious QR Code
If you scanned a QR code and suspect it was malicious, act quickly. If you entered login credentials on the page, change your password immediately for that service and any other service where you use the same password. If the page also asked for a one-time code, assume the attacker already has an active session: sign out other devices from the account's security settings after changing the password. Enable two-factor authentication if you have not already.
If you entered payment information, contact your bank or credit card company to report potential fraud. They can freeze the card and monitor for unauthorized charges. If you downloaded a file after scanning, delete it immediately and run a security scan on your device. If the page prompted you to install an app or a configuration profile, remove it as well.
Report the malicious QR code. If it was a physical code in a public place, alert the business or property owner so they can remove it. Report phishing URLs to your browser vendor (Google Safe Browsing, Microsoft SmartScreen) so the page gets flagged for other users. In the US, you can report QR code scams to the FTC at reportfraud.ftc.gov.