QR code security is two problems wearing the same costume. The first is the user holding a phone in a parking lot, deciding whether to scan a sticker on a meter. The second is the brand printing 50,000 menus, deciding how to make a real code recognizable and a fake one obvious. Both problems share a single underlying truth: the QR pattern is just a printed URL, and every defense lives in the destination, the substrate, or the operational habits around them. This post walks both sides — what scanners should do before tapping a link, and what brands should do before sending art to press — with attack mechanics specific enough that the practices stop feeling like generic security advice.
I have left the most-cited statistic — the “X% of QR scans are malicious” figure — out on purpose. Verifiable counts of in-the-wild quishing campaigns exist (the FBI’s IC3 alerts, KnowBe4’s quarterly phishing rollups, vendor research from Trend Micro and Sophos), but turning them into a single percentage requires assumptions that nobody publishes. The directional reality is enough: quishing is a real and rising vector, and the defense surface is well understood.
How quishing actually works
Quishing is a delivery-mechanism trick. The actual attack is a phishing page; the QR code only exists to move the victim from a hardened environment to an unhardened one.
A typical campaign looks like this:
- Initial delivery. The attacker sends an email — often spoofed as a Microsoft 365 password expiration notice, a DocuSign request, or a shared invoice. The body has a single QR code as an inline image, often inside a PDF attachment so the URL never appears as plain text in the message body.
- Filter evasion. Corporate mail filters scan text, links, and attachments, but the URL inside a QR is only visible to a gateway that decodes the image. Rendered as an image, especially nested inside a PDF, the link bypasses the URL rewriting and reputation checks that would have caught it as plain text, and many gateways pass the message through.
- Device pivot. The victim, sitting at a hardened laptop with corporate VPN, anti-phishing, and device-management tooling, scans the code with their personal phone. The personal phone has none of those defenses.
- Redirect chain. The QR points at a short-URL service (often a disposable redirector; see the short-URL section below), which forwards to a legitimate-looking domain, which serves a credential-harvesting page styled to look like the spoofed brand.
- Credential capture. The user enters their corporate password on a phone browser where the URL bar is truncated, the favicon is missing or fake, and the page usually carries a valid certificate, so there is no TLS warning to ignore. Credentials post to the attacker, then the victim is forwarded to the real login page so the trip feels like a normal "session expired" loop.
The defense is not “stop scanning QR codes.” That ship sailed when restaurants put them on every table. The defense is to inspect the destination before authenticating, never enter corporate credentials on a personal phone reached via a QR link, and treat any sign-in prompt that appeared after a scan with the same suspicion you would treat one that appeared after an email link.
Physical sticker overlays on legitimate codes
A second attack class is the cheapest and most local: print a malicious QR sticker, walk into a coffee shop or parking lot, paste it over the real code. Cases reported in San Antonio, Atlanta, and several European cities involved overlays on parking-payment terminals routing drivers to fake payment pages. The tag-tampering surface is covered at a high level in the QR vs NFC comparison; here is what brands can actually do about it.
For the brand printing the codes:
- Print directly onto the substrate. A code printed onto a menu, lacquered onto a parking sign, or screen-printed onto a counter mat is hard to overlay cleanly: a sticker on top sits proud of the flat surface and leaves an edge the user can see and feel.
- Use a recognizable visual frame. A consistent border, brand color, or logo around every legitimate code teaches users what “real” looks like. A sticker overlay that lacks the frame is visibly different.
- Inspect high-traffic surfaces on a schedule. Parking meters, payment terminals, and outdoor signage need a weekly walk-through. Service teams should be told what a tamper looks like and how to report one.
- Print the destination domain in human-readable text below the code. A sticker overlay that points at a different domain becomes obvious when the user can compare the printed URL to the URL the camera resolves.
For the user scanning:
- Look at the sticker. A code that lifts at the edge, sits proud of the surface, or has a paper finish different from the surrounding artwork is suspect.
- Check the URL preview before tapping. iOS and modern Android show the destination URL as an overlay on the camera viewfinder before launching the browser. Read it. If a parking meter scan resolves to a domain you have never heard of, do not tap. One caveat: the preview shows the URL encoded in the code, not where any redirects end up, so a short link in the viewfinder tells you nothing about the final destination and deserves the same check again in the address bar once the page loads.
- Pay through the parking app, not the QR. For payment use cases especially, the QR is a convenience, not the only path. Native apps, NFC, or hand-typed URLs all bypass the sticker-overlay risk.
HTTPS-only, and watch the redirect chain
Every QR destination you control should be HTTPS, no exceptions, including the short-URL hop if you use one. Modern browsers warn on plain HTTP, and a phone browser warning is exactly the friction you want a phishing page to hit. The catch: HTTPS only proves the certificate matches the hostname. It does not prove the hostname is yours.
This is where redirect chains matter. A printed code might point at qr.brand.com/menu, which 302s to track.partner.io/r/abc, which 302s to the actual menu. Each hop is an opportunity:
- A compromised partner. If the redirector domain is owned by a third party (a tracking vendor, a short-URL service), a breach there repoints every code that traverses it.
- A lapsed domain. If the redirector domain expires and is re-registered, every printed code is now driving traffic to whoever bought the domain. This has happened to multiple campaigns; the reprint cost dwarfs the renewal fee.
- An MITM-friendly hop. Any HTTP hop in the chain is a place a hostile network can intercept and rewrite. Force HTTPS the whole way, and serve HSTS from every hostname you control so a browser that has seen it once will not make the plain-HTTP request again.
Audit the redirect chain for every printed code before launch. Curl the QR's encoded URL with -L -v and read every Location header, noting the scheme and host of each hop. You should know exactly which domains the user transits, and you should own or trust each one. The static vs dynamic comparison covers how dynamic redirects work; this post is about why each hop is a security boundary.
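The audit described above, as an added example that is not code from the original post: it walks the chain hop by hop the way `curl -L -v` does, but through an injectable fetcher, so it runs offline against a constructed chain. The hosts under `.example`, the allowlist and the response codes are made up; `http_fetch` is the drop-in for a live check. The constructed chain reproduces the three failure modes listed above: a partner-owned hop, a downgrade to plain HTTP, and a relative `Location` that has to be resolved against the current hop.

```python
"""Audit the redirect chain behind a printed QR destination (added example)."""
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(HTTPRedirectHandler):
    """Refuse to follow redirects so the audit sees every Location header itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Live fetcher: one GET, no redirect following; returns (status, Location)."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="GET"), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # urllib raises on 3xx once redirects are disabled
        return err.code, err.headers.get("Location")


def audit_chain(start_url, fetch, trusted_hosts, max_hops=10):
    """Walk the chain from start_url.

    Returns (final_url, hops, findings). hops lists every (url, status)
    requested; findings is empty only when each hop is HTTPS, on a host you
    own or trust, and the chain terminates within max_hops without looping.
    """
    findings, hops, seen = [], [], set()
    url = start_url
    for _ in range(max_hops + 1):
        if url in seen:
            findings.append(f"redirect loop at {url}")
            return url, hops, findings
        seen.add(url)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"non-HTTPS hop: {url}")
        if host not in trusted_hosts:
            findings.append(f"untrusted host in chain: {host}")
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_CODES or not location:
            return url, hops, findings
        url = urljoin(url, location)  # Location may be relative to the current hop
    findings.append(f"chain exceeded {max_hops} hops; stopped at {url}")
    return url, hops, findings


# Constructed chain standing in for live responses (hosts under .example are
# made up): a partner hop, then a downgrade to HTTP, then a relative redirect.
CONSTRUCTED_CHAIN = {
    "https://qr.brand.example/menu": (302, "https://track.partner.example/r/abc"),
    "https://track.partner.example/r/abc": (302, "http://menu.brand.example/spring"),
    "http://menu.brand.example/spring": (301, "/spring/"),
    "http://menu.brand.example/spring/": (200, None),
}
TRUSTED_HOSTS = {"qr.brand.example", "menu.brand.example"}  # zones you own (assumption)


def fake_fetch(url):
    """Offline stand-in for http_fetch backed by the constructed chain."""
    return CONSTRUCTED_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    final, hops, findings = audit_chain("https://qr.brand.example/menu", fake_fetch, TRUSTED_HOSTS)
    for hop_url, status in hops:
        print(status, hop_url)
    print("final:", final)
    print("\n".join(findings) or "chain clean")
```

An empty findings list is the launch gate. The fetcher uses GET rather than HEAD on purpose, because some redirectors answer the two differently and the user's browser will send GET.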
Short URLs and disposable redirector domains
Short URLs are a paradox. They make printed QR payloads denser, easier to type as a fallback, and trivial to update — all wins. They also strip every visible domain signal that lets a user verify the destination, and they create a centralized choke point an attacker can exploit.
The pattern that goes wrong most often: a brand picks a generic disposable shortener for cost, ships printed assets, and a year later the shortener pivots its terms, raises its prices, or quietly shuts down. The links resolve to a parking page or 404. Worst case, the domain expires and is bought by a malicious operator who repoints every link to a phishing page. The brand cannot fix it without a reprint.
Practical defenses:
- Use a branded short domain (go.yourbrand.com) you own and renew. The visible hostname becomes a trust signal and the kill switch stays in your hands.
- Avoid short-URL services that allow user-provided redirects without verification. A free service that lets anyone create a bit.example/x link is also a service an attacker uses to launder the destination of a phishing campaign, and your printed codes share a brand reputation surface with them.
- Renew the domain on auto-pay with a long horizon. Register for five years or the longest term the registrar offers, send expiry alerts to more than one inbox, and enable registrar lock so the domain cannot be transferred without first being unlocked. The cost is trivial; the failure mode is catastrophic.
The QR vs short URL comparison covers when short URLs make sense for the QR payload itself; this section is about the trust posture of the redirector domain.
Hijacked dynamic codes — the platform-account problem
Dynamic QR codes are editable: the printed pattern resolves to a fixed redirector URL, and the destination behind that URL can be updated through a dashboard. This is the feature that makes them survive campaign changes without a reprint. It is also a single point of failure.
If the dashboard account is compromised — phished password, reused password from a breach, no two-factor — an attacker can repoint every code the brand has ever printed at a phishing page or malware download in the time it takes to log in. The codes are still real, the certificate is still valid, the visual frame still matches. The destination is now hostile, and there is no way for a scanner to tell from the QR itself.
Mitigations are mundane but unevenly applied:
- Two-factor on every dynamic-QR platform account. This is the single highest-leverage control. Hardware keys for the admin account, app-based 2FA at minimum for any user who can edit destinations.
- Minimize the number of accounts that can edit destinations. A marketing team of twelve does not need twelve admin seats.
- Enable change alerts. Most dynamic-QR platforms can email or webhook on every destination change. Pipe those to a security inbox and review them weekly. An anomalous change at 3 a.m. on a Sunday is the entire signal.
- Rotate platform credentials when staff leave, and audit active sessions periodically.
- Have a printed kill-switch plan. If the worst happens and codes are repointed, what do you do? The fastest answer is to cut the redirector off at the DNS level and serve a static "we are aware of an issue" page from your own infrastructure. That only works if the hostname printed in the codes sits in a zone you control; codes that embed the vendor's own domain cannot be severed from your side, which is one more argument for the branded short domain. Pre-write the runbook either way.
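The change-alert review described above, as an added example that is neither the post's nor any platform vendor's code: it reads a constructed newline-delimited JSON webhook feed and flags every destination edit that leaves the allowlisted hosts, drops to plain HTTP, moves to a different host, or lands outside business hours. The field names, the hosts under `.example`, and the working-hours window are assumptions; map the fields to whatever your platform actually emits.

```python
"""Triage destination-change events from a dynamic-QR platform webhook (added example)."""
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed webhook feed, one JSON object per line. The field names are an
# assumption about a typical platform payload; map them to your vendor's schema.
SAMPLE_EVENTS = """
{"code_id": "menu-spring", "actor": "alice@brand.example", "ts": "2025-03-11T14:05:00Z", "old": "https://brand.example/menu/winter", "new": "https://brand.example/menu/spring"}
{"code_id": "parking-lot-b", "actor": "marketing-svc", "ts": "2025-03-16T03:12:41Z", "old": "https://pay.brand.example/lot-b", "new": "https://brand-pay-secure.example/login"}
{"code_id": "wifi-lobby", "actor": "bob@brand.example", "ts": "2025-03-12T09:30:00Z", "old": "https://brand.example/wifi", "new": "http://brand.example/wifi"}
{"code_id": "menu-spring", "actor": "alice@brand.example", "ts": "2025-03-12T10:00:00Z", "old": "https://brand.example/menu/spring", "new": "https://brand.example/menu/spring?v=2"}
"""

TRUSTED_HOSTS = {"brand.example", "pay.brand.example"}  # zones you own (assumption)
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC, Monday to Friday (assumption)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _trusted(host):
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage(event):
    """Return the reasons this edit deserves a human look; an empty list is routine."""
    findings = []
    new_host, old_host = _host(event["new"]), _host(event["old"])
    if urlsplit(event["new"]).scheme != "https":
        findings.append("destination downgraded to non-HTTPS")
    if not _trusted(new_host):
        findings.append(f"destination host off allowlist: {new_host}")
    if new_host != old_host:
        findings.append(f"host changed: {old_host} -> {new_host}")
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        findings.append(f"edited outside business hours: {ts:%a %Y-%m-%d %H:%M} UTC")
    return findings


def triage_feed(raw):
    """Run triage over a newline-delimited JSON feed; returns [(code_id, findings), ...]."""
    alerts = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        findings = triage(event)
        if findings:
            alerts.append((event["code_id"], findings))
    return alerts


if __name__ == "__main__":
    for code_id, reasons in triage_feed(SAMPLE_EVENTS):
        print(code_id)
        for reason in reasons:
            print("  -", reason)
```

The allowlist and hours belong in configuration; the design point is that the weekly review is a filter rather than a read-through, so the Sunday 3 a.m. repoint surfaces on its own while routine menu edits stay silent.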
What to put on a “safe scan” sticker for customers
Brands that want to actively reduce scan-time hesitation can add a small adjacent label that teaches the user what to expect. The goal is two sentences of preview, not a paragraph of legal copy.
A workable pattern:
- The destination, printed in human-readable type large enough to read at scan distance: "Scan goes to yourbrand.com/menu".
- A short trust statement. "Direct link to our menu. We will never ask for payment on this page." or "Wi-Fi only. We will never ask for your password."
- A reporting channel for tampered codes. “See a sticker over this code? Tell our staff.” A QR placed somewhere a user cannot easily flag a problem is one a sticker overlay survives longer on.
The safe-scan sticker is not security theater; it is the user's only easy verification before the scan. A printed URL the user can compare to the URL the camera resolves catches a sticker overlay at the viewfinder, because the overlay encodes a different URL. A hijacked redirect or a repointed dynamic code leaves the encoded URL untouched, so the same comparison has to be repeated against the address bar once the page loads, and the printed domain is what gives the user something concrete to check it against.
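One way to make the comparison described here (and under the sticker-overlay section above) mechanical, as an added example that is not part of the original post: given the printed URL and the URL the camera or the address bar shows, it normalizes both and reports whether the resolved host matches, is a subdomain of the printed one, is a confusable lookalike, or is something else entirely. The confusables table is a small hand-built subset (an assumption; production code would use the Unicode confusables data), and the sample URLs, including the Cyrillic homograph, are constructed.

```python
"""Compare the URL a camera resolved with the URL printed under a code (added example)."""
import unicodedata
from urllib.parse import urlsplit

# Hand-built subset of confusable characters (assumption: a production check
# would use the full Unicode confusables table). Digits and Cyrillic letters an
# attacker swaps in for Latin look-alikes all collapse to the Latin form.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j",
})


def skeleton(host: str) -> str:
    """Reduce a hostname to what a human sees: strip accents, fold confusables."""
    s = unicodedata.normalize("NFKD", host)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def host_and_scheme(url: str):
    """Hostname (lowercase, punycode decoded) and the scheme exactly as written."""
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""  # userinfo tricks (brand.com@evil.example) are dropped here
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels -> the characters shown
    except UnicodeError:
        pass  # already non-ASCII, or not valid IDNA: compare as given
    return host.lower(), scheme


def compare(printed: str, resolved: str) -> dict:
    """Classify the resolved URL against the printed one.

    result is one of match, subdomain, lookalike, mismatch. https is False
    whenever the resolved URL does not explicitly carry the https scheme.
    """
    p_host, _ = host_and_scheme(printed)
    r_host, r_scheme = host_and_scheme(resolved)
    if r_host == p_host:
        result = "match"
    elif r_host.endswith("." + p_host):
        result = "subdomain"
    elif skeleton(r_host) == skeleton(p_host):
        result = "lookalike"
    else:
        result = "mismatch"
    return {"printed_host": p_host, "resolved_host": r_host,
            "https": r_scheme == "https", "result": result}


if __name__ == "__main__":
    printed = "yourbrand.com/menu"
    # Constructed resolved URLs: the legitimate one and four overlay-style fakes.
    for resolved in [
        "https://yourbrand.com/menu?table=12",
        "https://y0urbrand.com/menu",
        "https://yourbrand.com@evil.example/menu",
        "https://yourbrand.com.evil.example/menu",
        "https://y\u043eurbr\u0430nd.com/menu",  # Cyrillic o and a
    ]:
        print(compare(printed, resolved)["result"], resolved)
```

Only "match" with `https` true is a pass; "subdomain" is usually fine for a brand that moved the menu to a subdomain, and "lookalike" is the result that should stop a user cold, because it means the host differs only in characters chosen to look the same.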
When to print the URL under the code
Add visible URL text under the code when any of these are true:
- Payment is involved. Anything that looks like a payment QR carries enough financial risk that the printed URL pays for itself the first time a user notices a mismatch.
- The audience is non-technical or older. Users who are less comfortable with smartphone URL bars benefit most from a typed-out fallback.
- The placement is hostile to scanning — backlit windows, deep shadow, glare-bright sun. A typed URL is the fallback when the camera cannot lock on. The print-ready checklist covers placement physics.
- The code is on a high-tamper surface — parking meters, public-transit kiosks, outdoor posters in unattended locations.
Skip the printed URL when the placement is private (a hotel-room card, a sit-down menu staff hand to the guest), the destination is non-sensitive (Wi-Fi, a video link), and the layout is genuinely tight. The "are QR codes safe" explainer covers the broader user-facing trust question.
Domain monitoring for the printed surface
The last operational control is invisible to users but matters more than any single sticker design. Brands that print at scale should monitor:
- Certificate expiry on every QR destination domain, including redirector hops. A 30-day-before-expiry alert is standard; piping it into the same channel as your printed campaign launches keeps the team aware of the link.
- DNS changes to any QR destination zone. An unexpected NS change is a leading indicator of a registrar compromise.
- WHOIS changes on partner-owned redirector domains. If the owner of a third-party shortener changes hands, your printed assets just inherited a new trust relationship.
- Lookalike domain registrations on the brand: yourbrand-menu.com, yourbrand.app, IDN homograph variants. A monitoring service flags these as they register; you can act before a sticker campaign uses them.
None of this is QR-specific — it is standard brand-protection hygiene. The reason to call it out in a QR security post is that printed codes have a much longer half-life than a digital ad. A poster from 2023 is still on a wall in 2026, scanning the same domain. The monitoring needs to outlive the campaign.
A short closing
The honest summary is that QR codes are a printed link with a different attack surface, not a different threat model. Every defense reduces to three: control the destination, protect the platform account that controls the destination, and give the scanner enough visible signal to verify both before they tap. If you are a user, look at the URL preview before scanning anything you did not print yourself. If you are a brand, print the domain under the code where stakes are high, lock the dashboard with two-factor, and inspect your high-traffic surfaces on a schedule. The technology is fine. The operational hygiene is where security actually lives.
Sources
- FBI IC3 — Cybercriminals Tampering with QR Codes to Steal Victim Funds — Public service announcement on physical-tamper QR fraud, the original alert that drove much of the 2022-2024 reporting on the pattern.
- Trend Micro — QR Code Phishing Trends — Vendor research on enterprise quishing campaigns, including PDF-embedded payloads and gateway-evasion patterns.
- KnowBe4 — Phishing by Industry Benchmarking Reports — Quarterly aggregate data on phishing click-through rates and the rise of QR-delivered campaigns.
- Wikipedia — QR code § Risks — Background on documented attack classes including malicious URLs, sticker overlays, and authentication-spoofing campaigns.