Are QR Codes Safe? (Risks & Prevention)

Understand QR code security risks, how to preview links safely, and how businesses can protect customers from scams.

If you want to try it right away, use our Free URL QR Code Generator. For deeper tips, read QR Code for Airbnb WiFi (Guest-Friendly).

Create your QR code now

Generate instantly and download PNG or SVG for free.

Free URL QR Generator Wi‑Fi QR Generator vCard QR Generator

QR codes have a reputation problem. Every few months a news story warns that scanning the wrong square could drain your bank account, and people start eyeing every menu and parking meter with suspicion. The honest answer is more useful: a QR code is only as safe as the place it sends you. The dots can’t run code or move money by themselves.

Under the pattern, a QR code holds a short string of text. Usually a web address, but it can also be Wi-Fi credentials, a phone number, or a contact card. Your phone reads the string and offers to act on it. Nothing happens automatically. The risk lives in the destination, not in the code.

So when someone asks “are QR codes dangerous,” the accurate reframe is: “is the website this code opens trying to scam me?” A code made with a plain URL QR code generator that points to your own site is no riskier than typing that address by hand. A code stuck on a lamppost by a stranger is a different story, because you have no idea where it goes.

Quishing: phishing with a square

Attackers have noticed that people who would never click a suspicious email link will happily scan a code. The technique has a name now: quishing, short for QR phishing. The playbook is familiar:

  • A code arrives in a letter, email, or poster claiming to be from your bank, a delivery company, or the tax office.
  • Scanning it opens a page that looks like the real login screen.
  • You type your password or card details, and hand them straight to the attacker.

Why does the code help the scammer? On a phone you can’t hover over a link to inspect it the way you would on a laptop, so the real address is easier to hide. And a printed code in an official-looking envelope carries a legitimacy a raw email link doesn’t.

The sticker-overlay trick

The most physical version needs no email at all. Someone prints a malicious QR code as a sticker and pastes it over a legitimate one. Parking meters are a favorite target: the real code goes to the city’s payment portal, the fake one to a convincing clone that collects your card number. The same trick shows up on restaurant table tents, event posters, and shop-window flyers.

What makes it effective is that everything around the code is real, and only the little square has been swapped. A quick habit defeats most of these: run a fingernail over the code. If it’s a sticker sitting on another sticker, or the edges lift, treat it as suspect and pay another way.

Reading the URL before you tap

Nearly every scam falls apart the moment you look at where the code points. Camera apps on iPhone and Android show the destination URL as a banner before you open it, and that preview is your best defense. Here’s what to check before you tap:

  • The real domain. The important part is the words right before the first single slash. In secure-login.yourbank.co.evil.com, the actual domain is evil.com, not your bank.
  • Lookalike spellings. paypa1.com and amaz0n-billing.net pretend to be someone reputable.
  • Shorteners you don’t recognize. A bit.ly or unfamiliar short link hides the destination entirely.

If the preview and the context don’t match, close it. A poster about a charity walk should not open a page asking for your banking password.

Red flags that a destination is a trap

Once a page loads, a few signals should make you leave:

Red flagWhy it’s suspicious
An unexpected login screenReal “scan to view menu” codes don’t need your password
A request for payment or card detailsEspecially on public codes you didn’t seek out
Pressure and urgency”Your account will be closed in 24 hours” is manufactured panic
A prompt to install an app or profileSideloaded apps and configuration profiles can do real harm

None of these mean the QR code attacked you. They mean the website is trying to. The code was only the doorway.

Safe scanning habits worth keeping

You don’t need to stop scanning codes, just keep a quick routine:

  1. Read the URL preview before opening anything.
  2. Be extra careful with codes in unsolicited mail, on public fixtures, and anywhere money is involved.
  3. Never type a password or card number into a page you reached only by scanning a random code. Go to the site yourself.
  4. Feel the code for a stuck-on overlay when it’s on a meter, table, or poster.

If a code won’t open at all, that’s usually a scanning problem rather than an attack, and our troubleshooting guide covers the fixes.

What businesses owe their customers

If you print codes for the public, you’re a target too, because your customers’ trust is what gets stolen. A few practices make you a harder mark:

  • Print the destination domain next to the code so people can confirm the preview matches. This alone defeats most overlay attacks.
  • Use your own recognizable domain, not a generic shortener. When you build the code with the URL QR code generator, point it at yourshop.com, not a link no customer can vouch for.
  • Make placement tamper-evident. Laminate table codes, use security stickers on outdoor fixtures, and put codes behind glass rather than loose stickers.
  • Walk your public codes regularly and scan them yourself to confirm they still land where they should.

For contact and connection use cases, prefer formats that don’t send anyone to a web page. A vCard QR code shares details directly, and a Wi-Fi QR code joins a network with no login page to spoof. If your codes carry payment links, read our payment-link guide first.

FAQ

Can a QR code itself give my phone a virus?

Not on its own. A QR code is just an encoded link or piece of text, so the danger only starts if the site it opens tricks you into downloading a file, entering a password, or granting a permission.

How do I check where a QR code leads before I open it?

Point your phone camera at the code and read the URL preview that pops up before tapping it. Look at the real domain, and if it uses an unfamiliar shortener or a lookalike spelling, don’t open it.

Someone stuck a QR sticker over the one on a parking meter. Is that a scam?

Very possibly. Overlay stickers are a known trick to redirect you to a fake payment page, so peel-and-replace codes on meters, tables, and posters are a red flag. Pay through the official app or printed short code instead.

Related guides

Try the tools