Are QR Codes Safe? Risks, Scam Patterns, and Best Practices

QR codes can be safe, but scams exist. Learn common QR fraud patterns (quishing), how to scan safely, and how businesses can publish trustworthy QR codes.

By Rehan Haider
April 15, 2026

QR codes are not dangerous on their own. They can be used in scams for the same reason they are useful: a single camera tap turns a physical surface into a digital action. The pattern is just an encoded string. The risk is what that string points to and whether the person scanning has any way to know before they tap “Open.”

This guide covers the real risks, the scam patterns showing up in the wild, how to scan safely as a user, and what businesses should do so their printed codes do not become part of someone else’s con.

QR codes are only as safe as where they lead

A QR code can encode a normal HTTPS web link, a mailto: draft, a tel: phone number, a Wi-Fi join string, or an app deep link. None of those are dangerous in the abstract. The risk emerges when the destination is malicious or misleading and the user has no easy way to verify it before acting.

That is why “is this QR code safe?” almost always translates to “is this destination safe?” The same caution you apply to a clicked link in an email applies here, only with less context: you cannot read the URL until your camera reveals it, and even then you might only see a domain — not the full path.

Common scam patterns

Scammers use QR codes precisely because they bypass typing and obscure the destination. Five patterns dominate.

Sticker overlays

The classic real-world attack. A sticker carrying a malicious QR code is placed over a legitimate one — on a parking meter, a restaurant table tent, a payment terminal, a flyer in a coffee shop. Visually it looks identical to the surrounding signage. The victim scans, lands on a phishing page that mimics the real service, and enters credentials or payment details.

This is sometimes called quishing (QR phishing). It is most common in places where people expect to pay quickly and trust the surrounding context: parking, transit, ticketing, utility bills. The FBI issued a public service announcement on this exact pattern in 2022, and reports have grown every year since.

Look-alike domains

The QR code opens a site that looks legitimate, but the domain is slightly off. A scammer registers pay-parking-examp1e.com (with a numeral one) instead of pay-parking-example.com. Or fastqr-app.com with a hyphen instead of fast-qr.app. On a phone screen, in a hurry, the difference is invisible.

The page design is usually a copy of the real one. Login forms, payment fields, and trust badges all behave normally. Credentials go straight to the attacker.

Credential harvesting

The destination prompts for an email and password, a bank login, or a one-time code “to continue.” Because legitimate services do require sign-in, scams that imitate that flow feel ordinary. The defense is the same as with email phishing: verify the domain and the context before entering anything.

Fake app installs

The QR code redirects to a download page for an APK, a “system update,” or a malicious listing on a sideload store. Modern iOS and Android protections catch a lot of this, but social engineering still works on people who are walked through the steps by an attacker on the phone.

Payment diversion

A QR code on what looks like an invoice, a parking sign, or a charity donation card sends the payment to the wrong account. The page may look perfectly legitimate. Some payment QR formats encode the recipient directly, so a swapped sticker can route money straight to a scammer without needing a fake page at all.

How to scan safely

A few habits cut almost all the risk.

Read the URL before tapping open

Every modern phone camera shows a preview of the URL after it scans a QR code. Take the extra second. Ask:

  • Is the domain the brand I expect?
  • Is it served over HTTPS?
  • Is the spelling right? Hyphens, ones-versus-ells, extra subdomains?

If the preview shows a link shortener (bit.ly, t.co), be more cautious. Shorteners are not inherently malicious, but they hide the real destination until after the redirect.
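The checklist above can be turned into code. The following Python sketch is an added example, not part of this article: it classifies a decoded QR string by the action it would trigger (web link, mailto:, tel:, Wi-Fi join string, app deep link or plain text) and, for web links, applies the HTTPS, brand-domain, look-alike, extra-subdomain and shortener checks against the domain printed next to the code. The expected domain yourbrand.com, the shortener list and the sample payloads are constructed for illustration, and the digit-for-letter normalization is a heuristic that will flag some honest domains as look-alikes.

```python
"""Triage a decoded QR payload the way the checklist above describes."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed lists for illustration; a real deployment maintains its own.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
# Digits commonly swapped for letters in look-alike domains (heuristic).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
LEVELS = ["ok", "caution", "stop"]


@dataclass
class Triage:
    kind: str                    # web, email, phone, wifi, app-link or text
    host: str | None = None      # hostname for web links
    verdict: str = "ok"          # worst level among the reasons
    reasons: list[str] = field(default_factory=list)

    def flag(self, level: str, reason: str) -> None:
        self.reasons.append(reason)
        if LEVELS.index(level) > LEVELS.index(self.verdict):
            self.verdict = level


def _squash(host: str) -> str:
    """Lower-case, undo digit-for-letter swaps, drop dots and hyphens so that
    pay-parking-examp1e.com and pay-parking-example.com compare equal."""
    return host.lower().translate(CONFUSABLES).replace("-", "").replace(".", "")


def _on_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage_payload(payload: str, expected_domain: str) -> Triage:
    """Classify a decoded QR string and check web links against the brand
    domain printed next to the code (expected_domain)."""
    text = payload.strip()
    upper = text.upper()
    if upper.startswith("WIFI:"):
        t = Triage("wifi")
        t.flag("caution", "joins a Wi-Fi network; confirm the venue offers it")
        return t
    if upper.startswith("MAILTO:"):
        return Triage("email")
    if upper.startswith("TEL:"):
        t = Triage("phone")
        t.flag("caution", "dials a number; look it up independently first")
        return t

    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        if parts.scheme:                      # e.g. myapp://... deep link
            t = Triage("app-link")
            t.flag("caution", f"opens the {parts.scheme}: handler, not a web page")
            return t
        return Triage("text")

    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    t = Triage("web", host=host or None)
    if not host:
        t.flag("stop", "web link without a host")
        return t
    if parts.scheme != "https":
        t.flag("caution", "not served over HTTPS")
    if parts.username is not None:
        # https://yourbrand.com@evil.example/ shows the brand, opens evil.example
        t.flag("stop", "user@ prefix disguises the real host")
    if host in KNOWN_SHORTENERS:
        t.flag("caution", "link shortener hides the final destination")
    elif not _on_domain(host, expected):
        if _squash(expected) in _squash(host):
            t.flag("stop", f"{host} is a look-alike of {expected}")
        else:
            t.flag("caution", f"{host} is not {expected}")
    elif host.count(".") - expected.count(".") > 1:
        t.flag("caution", "unusually deep subdomain; confirm it belongs to the brand")
    return t


if __name__ == "__main__":
    # Constructed sample payloads, as a camera app might decode them.
    for sample in ("https://menu.yourbrand.com/today",
                   "https://yourbrand.com.evil.example/pay",
                   "https://bit.ly/3xyzabc",
                   "WIFI:T:WPA;S:Guest;P:secret;;"):
        print(sample, "->", triage_payload(sample, "yourbrand.com"))
```

The verdict is only as good as the expected domain you feed it, which is exactly the article's point: the microcopy printed beside the code is what lets a scanner (human or software) tell a match from a mismatch.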

Treat unexpected sign-in prompts as a warning

If you scanned a parking sign and the page asks you to log in to your bank, stop. Ask why this action would need those credentials. If you genuinely need to pay, type the known company URL into your browser yourself and start there.

Do not install apps from a QR scan you were not expecting

If a code you scanned tells you to install something, close the page. Search the app store directly. Use the company’s official website. The legitimate version will be in the same place; the scam version will not.

For payments, double-check the recipient

Before confirming any payment from a QR scan:

  • Check that the business name on the payment page matches the signage.
  • Compare the domain to printed materials and brand assets.
  • Skip codes that look freshly stickered onto a different background.

If a sticker peels at the corner, or the QR code on a parking meter sits crooked over an older one, that is a sign to type the URL manually.

How businesses can publish trustworthy QR codes

Safety is not only a user problem. Whoever publishes a code is in the best position to make it harder to spoof. Five habits help.

Use a brand-owned domain

The strongest trust signal is consistency. Always send users to a URL on a domain customers recognize: yourbrand.com/menu, yourbrand.com/pay. Avoid:

  • random platform subdomains the customer has never seen,
  • third-party link shorteners,
  • vendor-controlled redirect domains that could change or expire.

If you need redirect flexibility, host the redirect on your own subdomain. The trade-off is covered in static vs dynamic QR codes.

Add visible context next to the code

A QR code by itself invites suspicion because no one can read it. Add a short, readable line of microcopy:

  • “Scan to view the menu at yourbrand.com”
  • “Scan to pay your invoice at yourbrand.com/pay”
  • “Scan to join guest Wi-Fi”

That sets expectations. It also gives a customer a way to spot a mismatch between the printed promise and where they actually land.

Make sticker overlays harder

For fixed signage and high-traffic surfaces:

  • Place the QR code inside a printed frame or design element so a stuck-on sticker is visually obvious.
  • Use tamper-evident materials — laminated edges, frangible labels, security seals.
  • Audit physical placements on a regular schedule. A monthly walk-through of every parking sign or payment terminal catches most overlay attacks within weeks.

For payment surfaces, consider keeping the QR code behind glass or under a permanent label that cannot be peeled and replaced quickly.

Keep destinations focused and fast

A safe destination loads quickly, displays clear branding, and asks for one thing. Confusing pages — slow loads, multiple pop-ups, unexpected logins — train customers to dismiss warnings, which makes the next scam easier. For ideas on what good destinations look like by use case, see the use-case playbooks or specific guides like restaurant menu and payment links.

Do not collect more than you need

If you must authenticate users after a scan, use standard SSO flows, send users to your unmistakable primary domain, and never ask for unusual information (full Social Security numbers, passwords for unrelated services). The fewer credentials your QR flow asks for, the smaller the prize for a scammer who imitates it.

Operational hygiene matters as much as design

A QR code that is safe today can become risky in six months. Three patterns to watch:

  • The destination domain expires. If you stop renewing your-promo.com, an attacker can buy it and inherit every printed code that points there. Keep promotional domains under your main brand registration with auto-renew on.
  • The landing page gets repurposed without updating signage. A code printed on packaging that originally pointed to a winter campaign now lands on a 404 or worse. Set a calendar reminder before any campaign URL is taken down.
  • Redirect rules drift. If you use a redirect layer, treat it like production infrastructure. Document who owns it, monitor uptime, and review the rules every quarter.

Print is durable. Whoever signs off on a printed QR code should also sign off on keeping its destination alive for as long as that print is in circulation. For more on tracking the operational side, see how to track QR code scans.
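The three patterns above lend themselves to a scheduled audit. The following Python sketch is an added example, not code from this article: it checks each rule in a redirect layer against the target recorded at sign-off (drift), against the domains the brand owns (off-brand or shortener targets), and against the registrar expiry of that domain relative to how long the print is expected to stay in circulation. The domains, dates and rules are constructed, and the inventory fields (approved target, print-until date, auto-renew flag) are assumptions about how such a layer might be recorded.

```python
"""Audit a QR redirect layer against the printed codes that depend on it."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Constructed for illustration: the domains the brand controls, and shorteners
# that should never appear as a redirect target.
OWNED_DOMAINS = {"yourbrand.com", "your-promo.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


@dataclass(frozen=True)
class RedirectRule:
    path: str             # short path on the brand-owned redirect host, e.g. /menu
    target: str           # where the redirect layer sends users today
    approved_target: str  # target recorded when the print run was signed off
    print_until: date     # last date the printed code is expected in circulation


@dataclass(frozen=True)
class DomainRecord:
    name: str
    expires: date
    auto_renew: bool


def owned_domain_for(host: str) -> str | None:
    """Return the brand-owned domain that host belongs to, or None."""
    for domain in OWNED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def audit_rules(rules, domains, today: date) -> dict[str, list[str]]:
    """Return findings keyed by redirect path; an empty dict means all clear."""
    registry = {d.name: d for d in domains}
    findings: dict[str, list[str]] = {}
    for rule in rules:
        issues: list[str] = []
        parts = urlsplit(rule.target)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            issues.append("target is not HTTPS")
        if host in SHORTENERS:
            issues.append("target is a third-party link shortener")
        owned = owned_domain_for(host)
        if owned is None:
            issues.append(f"target host {host!r} is not brand-owned")
        else:
            record = registry.get(owned)
            if record is None:
                issues.append(f"no registration record for {owned}")
            elif record.expires < rule.print_until and not record.auto_renew:
                issues.append(
                    f"{owned} expires {record.expires}, before print leaves "
                    f"circulation on {rule.print_until}, and auto-renew is off")
        if rule.target != rule.approved_target:
            issues.append("redirect drift: live target differs from approved target")
        if rule.print_until < today:
            issues.append("print retired; confirm before removing the rule")
        if issues:
            findings[rule.path] = issues
    return findings


# Constructed inventory for a demonstration run.
SAMPLE_RULES = [
    RedirectRule("/menu", "https://yourbrand.com/menu",
                 "https://yourbrand.com/menu", date(2027, 6, 30)),
    RedirectRule("/winter", "https://yourbrand.com/",
                 "https://yourbrand.com/winter-2025", date(2026, 12, 31)),
    RedirectRule("/promo", "https://your-promo.com/spring",
                 "https://your-promo.com/spring", date(2027, 3, 31)),
    RedirectRule("/flyer", "https://bit.ly/abc123",
                 "https://bit.ly/abc123", date(2026, 9, 30)),
]
SAMPLE_DOMAINS = [
    DomainRecord("yourbrand.com", date(2028, 1, 1), True),
    DomainRecord("your-promo.com", date(2026, 10, 1), False),
]


def demo(today: date = date(2026, 4, 15)) -> dict[str, list[str]]:
    return audit_rules(SAMPLE_RULES, SAMPLE_DOMAINS, today)


if __name__ == "__main__":
    for path, issues in demo().items():
        print(path, "->", "; ".join(issues))
```

Run it quarterly, as the article suggests for redirect rules, and feed it the real registrar expiry dates rather than the constructed ones: the expiry-versus-print-lifetime comparison is the check that catches a promotional domain lapsing while codes pointing at it are still on packaging.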

What to do if you suspect a scam

If you scanned a code and something felt off:

  • Do not enter any information.
  • Close the page and clear the recently visited history if you are concerned.
  • Report the location to the business that owns the surface (parking authority, restaurant, retailer). They often do not know an overlay is there.
  • For payment fraud, contact your bank immediately and file a report with local consumer protection or, in the US, the FBI’s Internet Crime Complaint Center.

Most scams rely on speed and trust. Slowing down for two seconds before tapping is the cheapest defense available.
