Are QR Codes Safe? (Risks & Prevention)
Understand QR code security risks, how to preview links safely, and how businesses can protect customers from scams.
If you want to try it right away, use our Free URL QR Code Generator. For deeper tips, read QR Code for Airbnb WiFi (Guest-Friendly).
Create your QR code now
Generate instantly and download PNG or SVG for free.
QR codes have a reputation problem. Every few months a news story warns that scanning the wrong square could drain your bank account, and people start eyeing every menu and parking meter with suspicion. The honest answer is more useful: a QR code is only as safe as the place it sends you. The dots can’t run code or move money by themselves.
A QR code is a link, not a weapon
Under the pattern, a QR code holds a short string of text. Usually a web address, but it can also be Wi-Fi credentials, a phone number, or a contact card. Your phone reads the string and offers to act on it. Nothing happens automatically. The risk lives in the destination, not in the code.
So when someone asks “are QR codes dangerous,” the accurate reframe is: “is the website this code opens trying to scam me?” A code made with a plain URL QR code generator that points to your own site is no riskier than typing that address by hand. A code stuck on a lamppost by a stranger is a different story, because you have no idea where it goes.
Quishing: phishing with a square
Attackers have noticed that people who would never click a suspicious email link will happily scan a code. The technique has a name now: quishing, short for QR phishing. The playbook is familiar:
- A code arrives in a letter, email, or poster claiming to be from your bank, a delivery company, or the tax office.
- Scanning it opens a page that looks like the real login screen.
- You type your password or card details, and hand them straight to the attacker.
Why does the code help the scammer? On a phone you can’t hover over a link to inspect it the way you would on a laptop, so the real address is easier to hide. And a printed code in an official-looking envelope carries a legitimacy a raw email link doesn’t.
The sticker-overlay trick
The most physical version needs no email at all. Someone prints a malicious QR code as a sticker and pastes it over a legitimate one. Parking meters are a favorite target: the real code goes to the city’s payment portal, the fake one to a convincing clone that collects your card number. The same trick shows up on restaurant table tents, event posters, and shop-window flyers.
What makes it effective is that everything around the code is real, and only the little square has been swapped. A quick habit defeats most of these: run a fingernail over the code. If it’s a sticker sitting on another sticker, or the edges lift, treat it as suspect and pay another way.
Reading the URL before you tap
Nearly every scam falls apart the moment you look at where the code points. Camera apps on iPhone and Android show the destination URL as a banner before you open it, and that preview is your best defense. Here’s what to check before you tap:
- The real domain. The important part is the words right before the first single slash. In
secure-login.yourbank.co.evil.com, the actual domain isevil.com, not your bank. - Lookalike spellings.
paypa1.comandamaz0n-billing.netpretend to be someone reputable. - Shorteners you don’t recognize. A
bit.lyor unfamiliar short link hides the destination entirely.
If the preview and the context don’t match, close it. A poster about a charity walk should not open a page asking for your banking password.
Red flags that a destination is a trap
Once a page loads, a few signals should make you leave:
| Red flag | Why it’s suspicious |
|---|---|
| An unexpected login screen | Real “scan to view menu” codes don’t need your password |
| A request for payment or card details | Especially on public codes you didn’t seek out |
| Pressure and urgency | ”Your account will be closed in 24 hours” is manufactured panic |
| A prompt to install an app or profile | Sideloaded apps and configuration profiles can do real harm |
None of these mean the QR code attacked you. They mean the website is trying to. The code was only the doorway.
Safe scanning habits worth keeping
You don’t need to stop scanning codes, just keep a quick routine:
- Read the URL preview before opening anything.
- Be extra careful with codes in unsolicited mail, on public fixtures, and anywhere money is involved.
- Never type a password or card number into a page you reached only by scanning a random code. Go to the site yourself.
- Feel the code for a stuck-on overlay when it’s on a meter, table, or poster.
If a code won’t open at all, that’s usually a scanning problem rather than an attack, and our troubleshooting guide covers the fixes.
What businesses owe their customers
If you print codes for the public, you’re a target too, because your customers’ trust is what gets stolen. A few practices make you a harder mark:
- Print the destination domain next to the code so people can confirm the preview matches. This alone defeats most overlay attacks.
- Use your own recognizable domain, not a generic shortener. When you build the code with the URL QR code generator, point it at
yourshop.com, not a link no customer can vouch for. - Make placement tamper-evident. Laminate table codes, use security stickers on outdoor fixtures, and put codes behind glass rather than loose stickers.
- Walk your public codes regularly and scan them yourself to confirm they still land where they should.
For contact and connection use cases, prefer formats that don’t send anyone to a web page. A vCard QR code shares details directly, and a Wi-Fi QR code joins a network with no login page to spoof. If your codes carry payment links, read our payment-link guide first.
FAQ
Can a QR code itself give my phone a virus?
Not on its own. A QR code is just an encoded link or piece of text, so the danger only starts if the site it opens tricks you into downloading a file, entering a password, or granting a permission.
How do I check where a QR code leads before I open it?
Point your phone camera at the code and read the URL preview that pops up before tapping it. Look at the real domain, and if it uses an unfamiliar shortener or a lookalike spelling, don’t open it.
Someone stuck a QR sticker over the one on a parking meter. Is that a scam?
Very possibly. Overlay stickers are a known trick to redirect you to a fake payment page, so peel-and-replace codes on meters, tables, and posters are a red flag. Pay through the official app or printed short code instead.
Related guides
Create an Airbnb Wi-Fi QR code that helps guests connect quickly while keeping your main network secure.
QR Code for Nonprofit Donations (Trust & Security)Use donation QR codes safely with clear context, trusted domains, campaign pages, and donor-friendly placement.
QR Code for Payment Links (Stripe/PayPal)Create QR codes for payment links while improving trust, reducing mistakes, and making the payment context clear.