Are QR codes safe? Phishing risks and red flags

Are QR codes safe to scan? Mostly yes — the format itself is safe. The risk is the URL nobody can read with their eyes. Spot the red flags before tapping.

May 19, 2026 21 min read Linked.Codes

Are QR codes safe to scan? Mostly, yes. The QR format itself isn't dangerous — it's just a printed pattern of black and white squares that stores a URL or some text. Your phone's camera reads the pattern, shows you the URL, and asks before opening anything. The format isn't the problem. The problem is that a QR code is a URL no human can read with their eyes, printed on a surface anyone with a sticker printer can paste over in ten seconds. The risk is the same risk you face with any link you didn't type yourself: where does this actually go, and should I trust it?

This is the consumer-side version of the question. The business-side version — what brands and operators should do to harden their own printed codes against this — is covered in QR code security and quishing. This piece is for the person standing at the parking meter, the cafe table, or the conference badge, trying to decide whether to tap the prompt that just popped up on their screen. Honest answer, real red flags, and a small interactive that walks through the actual decision.

The short answer

The QR code itself can't infect your phone. There's no malware living in printed pixels. What the QR encodes is data — usually a URL, sometimes a WiFi password or a contact card or a calendar event. When you scan it, your phone reads that data and asks what to do with it. iOS and modern Android both show the URL in a preview banner before opening anything. Tap, and the link opens in your browser. Don't tap, and nothing happens.

The risk lives entirely in step three: you tapped, and the URL you didn't read closely went somewhere you wouldn't have visited if you'd typed the address by hand. That's the same risk you face with a link in an email or a text message. The QR adds one wrinkle on top — you can't see the URL until after you scan, so you can't decide whether to scan based on what it points to. The decision has to happen in two beats: scan, then read the preview, then decide.

If you're building rather than defending, the Linked.Codes QR generator emits dynamic codes on a host you control — which fixes the first two of the three problems below before the design conversation starts.

Three things make QR codes specifically more dangerous than a typed link:

  • The URL is invisible. Two codes that look identical can resolve to wildly different destinations. You can't compare them by eye.
  • The surface is unprotected. Most public QRs are printed on paper or vinyl with nothing stopping an attacker pasting their own sticker over the top.
  • The context borrows trust. A QR on a parking meter inherits the city's authority. A QR on a restaurant table inherits the restaurant's. The destination behind the code didn't earn that trust — the surface gave it for free.

Infographic: five red flags before you scan or tap.

  • Sticker on top: edge raised, substrate mismatched, tape residue showing. Walk away.
  • Unverified surface: flyer on a pole, parking-meter QR that wasn't there yesterday. Double-check.
  • URL doesn't match: camera preview shows a domain that isn't the brand on the surface. Do not tap.
  • Asks for login: page wants a password, card number, or a one-time code. Close it.
  • New QR: in a public place that didn't have one last week. Be suspicious.

Any one of these on its own is a reason to slow down. Two or more is your answer.
The five red flags worth carrying around in your head. You don't need a security background — the decisions are visible to anyone paying attention for ten seconds.

What "quishing" actually is

The attack pattern has a name now: quishing, short for QR phishing. It's been tracked publicly since 2022, with the FBI's Internet Crime Complaint Center issuing a public service announcement in 2022 and the FTC publishing consumer guidance in 2023. The basics, for the consumer side:

An attacker prints a sticker with their own QR on it. They walk up to a parking meter, a restaurant menu, a poster on a coffee shop bulletin board, or an EV charging station and paste the sticker over the legitimate code. The next person who scans the surface — expecting to pay parking, see a menu, register for a giveaway — loads the attacker's URL instead. The page they land on typically imitates a real brand (the city's parking portal, the restaurant's online ordering, a delivery carrier's account login) and asks for whatever the attacker wants to steal: card details, login credentials, a one-time SMS code, an app install.

Three places the pattern has been documented at scale:

  • Parking meters in US and European cities — covered by the FBI's 2022 advisory and subsequent local-news reporting. Cities including Austin, San Antonio, and several in the UK have run public-awareness campaigns after waves of meter-overlay incidents.
  • Restaurant menu QRs — smaller scale, more localised, harder to spot because customers don't expect a menu to ask for card details. Attackers replace the table-tent QR with one that loads a fake "start a tab" page asking for a card on file.
  • Parcel-locker and shipping QRs — several European postal services have run customer-education campaigns about overlay stickers on parcel-locker doors, prompting users to "re-authenticate" their carrier account.

The hardest version of this attack lives in QR codes that move money directly — payment URIs that the receiving app parses without a second confirmation step. A scanned Bitcoin QR encoding a BIP-21 URI hands the address straight to the wallet, and a swapped sticker on a donation card or tip jar routes funds to the attacker with no chargeback — the verify-the-address habit hardware wallets enforce is the only realistic defence once the QR has been substituted.

The format itself doesn't have a vulnerability. ISO/IEC 18004, the QR specification, doesn't include any executable instructions or malware vectors. The pixels are data. What changed between 2018 and 2024 isn't the QR — it's that enough people now scan QRs casually that the attack became economical for criminals to run at scale. Trend Micro's 2023 threat report flagged QR phishing as one of the fastest-growing email-attack vectors of the year, and KnowBe4's phishing-test data through 2024 showed QR-payload phishing climbing into double-digit percentages of their corpus, up from a negligible share two years earlier.

22% of phishing attempts in late-2024 corporate phishing tests carried a QR code payload, up from a negligible share two years earlier — KnowBe4 phishing-by-industry benchmarking, the same period the FBI updated its public quishing advisory.

The actual red flags

Forget the theory. Here are the things to actually look for when you're standing in front of a QR with your phone in hand.

1. The QR is on an unverified surface

Some QR placements come with implied trust because the surface itself is verifiable. A QR printed directly onto a restaurant's menu card, embossed under glass on an installed parking meter, or printed inside the spine of a magazine alongside the brand's logo — these are surfaces that took effort to create and aren't easily tampered with. A QR on a paper flyer taped to a lamppost, a sticker stuck to the back of a public toilet door, or a "free WiFi" card someone left on a coffee shop counter is not a verified surface. The cost of producing it was effectively zero, and the cost of replacing it with a malicious version is the same.

The rule isn't "never scan unverified surfaces" — it's "never scan an unverified surface and then enter credentials or payment details on whatever it loads." If you scan an interesting-looking flyer and it opens a website, that's fine; if the website immediately asks for your password, close it.

2. The QR looks like a sticker on top of something else

This is the highest-confidence red flag and the one most worth practicing. A genuine QR on a printed surface is part of the print run — same paper, same finish, same alignment to the surrounding artwork. A sticker pasted on top often gives itself away:

  • The QR sticker has a raised or rounded edge while the surface around it is flat.
  • The substrate doesn't match — vinyl over paper, glossy over matte, or visible tape edges.
  • The QR is slightly off-grid relative to the surrounding design, or sits at a noticeable angle.
  • There's residue or partial removal of an earlier sticker around or under the new one.
  • The QR's size or proportions don't fit the surface's other elements.

None of these is conclusive on its own. Stickers are also used legitimately — a small business adding a QR to a printed menu after the fact, a hotel posting an updated WiFi card. But on a piece of public infrastructure like a parking meter, a transit display, or a parcel locker, the QR should be part of the manufacturer's printing, not a sticker. If it looks added-on, it probably was, and you can decide whether the surface owner was the one who added it. QR codes versus NFC tags covers why some operators are moving to NFC for outdoor placements specifically because NFC tags are much harder to overlay invisibly than a sticker on a sticker.

3. The URL preview doesn't match the surface

This is the highest-impact habit you can build. Modern iOS and Android camera apps show the resolved URL in a preview banner before opening anything. Read it.

What you're looking for is whether the domain in the preview matches the brand or organisation that owns the surface you just scanned. A parking-meter QR for the City of Whatever should resolve to a city.gov address, or a payment partner the city has clearly labelled. A McDonald's tray-liner QR should resolve to mcdonalds.com or a clearly McDonald's-owned subdomain. A restaurant table-tent QR should resolve to a domain you can identify as belonging to that restaurant or a legitimate menu platform.

Three preview patterns to slow you down:

  • A generic shortener you don't recognise: bit.ly/xyz, tinyurl.com/whatever, or any short domain with no brand context. Not automatically malicious, but offers zero signal about where you're actually going.
  • A lookalike domain: mcdonalds-rewards.click, cityname-parking-pay.com, or domains with extra hyphens, unusual TLDs (.click, .zip, .top), or words bolted onto a real brand. These are the standard quishing tells.
  • An unrelated brand entirely — a parking-meter QR resolving to a payment processor you've never heard of, or a menu QR resolving to a generic forms platform.

When the URL preview matches the surface, you've got the cleanest signal available. When it doesn't, you've also got the cleanest signal available — just in the other direction. Why the QR's domain matters goes deeper on the marketing case for branded domains, but the security case is identical: a recognisable redirector domain is the simplest trust check a consumer can do.

4. The page asks for credentials, payment, or a one-time code

Legitimate printed QR codes rarely take you straight to a login screen or a card-entry form. A menu QR shows a menu. A wedding QR shows an RSVP form that doesn't need your password. A museum QR shows an exhibit description. Even payment QRs — for parking, transit, or restaurant tabs — usually take you to a portal entry first, not a card-on-file form.

If you scan a QR and the page that loads immediately asks for:

  • A password to an account you didn't realise was involved
  • A credit card number
  • A one-time SMS or authenticator code
  • App install permissions for a calendar, contacts, or accessibility service
  • "Reauthentication" for a delivery account, postal service, or transit card

…stop and verify before entering anything. Open the brand's app directly. Type the brand's URL into your browser by hand. Call the number on the legitimate side of the surface. The legitimate flow rarely depends on you completing a sensitive task immediately after scanning a printed code; the malicious flow depends on it entirely.

5. The QR appeared somewhere it wasn't yesterday

This applies to places you frequent. The cafe you go to every morning didn't have a QR on the menu, then suddenly does. The parking lot you use daily had a code at table height, and now there's a second one stuck just below it. The community noticeboard at your gym has new "scan to claim your free gift" cards taped at random intervals. New QRs in places that didn't have them before are not automatically malicious — surfaces get updated — but they're worth a second of context before you scan. Did the owner of the surface mention adding it? Does the surface look like the owner added it, or like someone else did?

How phones already protect you

iOS and Android have both moved toward "show the URL, ask before opening" as the default camera-app behaviour. The relevant defences, in plain terms:

iOS Camera app. Since iOS 11 (released 2017), pointing the camera at a QR code surfaces a notification banner at the top of the screen showing the resolved URL and offering to open it. iOS also passes the URL through its content-filtering and known-bad-domain lists before showing the banner. If the URL is on a flagged list, iOS warns you explicitly. Apple's Safari has equivalent fraud-warning behaviour after the link opens.

Android Camera and Google Lens. Most post-2018 Android phones decode QRs through Google Lens, which surfaces the URL with a tap-to-open prompt. Google Safe Browsing — the same system that warns you about dangerous websites in Chrome — consults its block list before opening, and will show a "this site may be dangerous" interstitial if the URL is flagged. Safe Browsing flags compromised destinations within hours of a verified report, which means many quishing destinations are blocked before they reach widespread victims.

Banking and payment apps. Many banking apps, transit apps, and payment apps now include their own QR scanners that bypass the system browser and load destinations inside the app's secured webview. The defence here is that even if a QR resolves to a lookalike domain, the app refuses to render it as a payment confirmation page. Use the bank's own scanner when paying, not the generic camera, for the highest-trust path.

The one thing none of these systems can do is tell you whether the domain you're about to open is "the right one" for the surface you just scanned. That decision is yours. The phone can tell you what the URL is. You have to tell yourself whether it matches the place you scanned it from. The technical baseline of what a QR code is covers the format in detail — the short version is that the pixels are passive data, and every defence happens at the destination.

Figure: three scan moments. (1) iOS preview banner showing linked.codes/wifi/cafe-21 with "Open in Safari": URL matches the surface, safe to tap. (2) Android Lens preview showing linked-codes.security-pay.app with "Open in browser": lookalike subdomain, don't tap. (3) Chrome Safe Browsing "Deceptive site ahead" warning: blocklist hit, flagged before the page loads.
Three real defence layers — the URL preview, the lookalike-domain check, and the post-tap Safe Browsing warning. Quishing relies on you skipping all three.
The QR format isn't dangerous. The URL behind it might be. The whole defence comes down to reading the preview before tapping — a one-second habit that closes most of the realistic attack surface.

Is this QR safe to scan?

A decision-tree widget. Walk through the questions and get a verdict — not a generic warning, but the actual reasoning for your specific scan. State persists locally if you want to come back to it.

Four questions. Answer for the QR in front of you. Get a real verdict.
1. Where is the QR?
2. Does it look like a sticker pasted over something?
3. After scanning, does the URL preview match the surface?
4. Does the page ask for a password, card, or one-time code right away?

Run the same QR through this two or three times with different scenarios and the verdicts shift. The point isn't the score — it's noticing that none of these decisions need a security background. They're all visible to anyone paying attention for ten seconds.
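The domain check from red flag 3 and the four-question decision tree above, written out as a small script. This is an added example, not code from the article or from Linked.Codes; the shortener list, the suspicious-TLD list, the registrable-domain heuristic and the sample domains are assumptions constructed for the demo.

```python
from urllib.parse import urlparse

# Constructed for this example: a handful of common shorteners and the TLDs the
# article singles out as lookalike tells. Neither list is exhaustive.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
SUSPICIOUS_TLDS = {"click", "zip", "top"}


def registrable_domain(host):
    """Rough registrable domain: the last two labels, or three under a
    two-level public suffix such as co.uk. Assumption: adequate for a demo;
    a real checker would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    second_level = {"co", "com", "org", "gov", "net", "ac"}
    if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tokens(name):
    """Split a hostname into words on dots and hyphens, so the article's
    'brand stuffed into a hyphen' tell treats hyphens as word boundaries."""
    return set(name.lower().replace("-", ".").split("."))


def classify_preview(preview, expected_domains):
    """Classify the URL shown in the scanner's preview banner against the
    domain(s) the surface owner is known to use. Returns "match",
    "shortener", "lookalike", "unrelated" or "not-a-web-url"."""
    parsed = urlparse(preview.strip())
    if parsed.scheme == "":                        # bare "host/path" preview
        parsed = urlparse("https://" + preview.strip())
    if parsed.scheme not in ("http", "https"):     # bitcoin:, WIFI:, tel:, ...
        return "not-a-web-url"
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    expected = {registrable_domain(d) for d in expected_domains}
    if reg in expected:
        return "match"
    if reg in KNOWN_SHORTENERS:
        return "shortener"
    brand_words = set()
    for d in expected:
        brand_words |= tokens(d.split(".")[0])
    # Lookalike tells from the article: the brand name appearing in a domain
    # the brand doesn't own, or one of the TLDs attackers favour.
    if reg.split(".")[-1] in SUSPICIOUS_TLDS or brand_words & tokens(host):
        return "lookalike"
    return "unrelated"


def verdict(surface_verified, looks_like_sticker, preview_class, asks_sensitive):
    """The four-question decision tree as a function. Returns (verdict, reasons)
    using the article's three states: SCAN, PAUSE, STOP."""
    hard = []   # flags the article treats as a stop on their own
    soft = []   # flags that mean "slow down"
    if looks_like_sticker:
        hard.append("sticker pasted over the original")
    if preview_class in ("lookalike", "unrelated"):
        hard.append("preview domain does not match the surface")
    if asks_sensitive:
        hard.append("page asks for a password, card or one-time code")
    if not surface_verified:
        soft.append("unverified surface (flyer, loose card, loose sticker)")
    if preview_class == "shortener":
        soft.append("generic shortener: no domain signal")
    if preview_class == "not-a-web-url":
        soft.append("non-web payload: verify the address or action before accepting")
    if hard or len(soft) >= 2:                     # "two or more is your answer"
        return "STOP", hard + soft
    if soft:
        return "PAUSE", soft
    return "SCAN", []
```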

What to do if you scanned a bad one

If you scanned a QR and a few minutes later realised the URL preview was off, or the page asked for something it shouldn't have:

You didn't tap or enter anything. You're fine. The QR scan itself doesn't do anything besides show you a URL. Closing the preview banner without opening it leaves no trace on your phone.

You tapped but didn't enter anything. Almost certainly fine, but worth a moment. Some phishing pages try to auto-redirect to app-install prompts; if you see anything pop up asking you to install a profile, accept a calendar subscription, or grant permissions to an app you didn't choose, decline. Close the browser tab. Clear browsing data for that domain if you want to be thorough.

You entered credentials. Change the password on whatever account you entered it for, immediately. If the same password is used anywhere else, change it there too. Turn on two-factor on the affected account if it isn't already. Watch the account's activity log for the next week.

You entered card details. Call the card-issuer's fraud line and report the card as compromised. Most issuers will issue a replacement immediately and dispute any charges that hit the old card. Watch for unauthorised charges over the next 30 days.

You entered a one-time SMS code or authenticator code. This is the worst case. The attacker likely has full access to the account at that moment. Recover the account through the provider's account-recovery flow as soon as possible and change the password and the recovery contact. If it's a bank or payment account, call the bank.

In all of these, also consider reporting the scam to the FBI's Internet Crime Complaint Center (ic3.gov) in the US, or your national equivalent. The reports feed the block lists that protect the next victim.

The trust signal that makes consumer-side defence easier

The single thing that makes the URL-preview habit work is whether the legitimate brand uses a recognisable domain. If the parking-meter operator's QR resolves to cityname-pay.gov, you can read that preview and trust it instantly. If it resolves to bit.ly/3xY9kQ, you have no signal — the attacker can use the same bit.ly format and you won't be able to tell which one is yours.

This is why branded short-link domains matter on the security side, not just the marketing side. We've covered the marketing angle in branded short links — why your domain beats bit.ly, and the broader case for owning the link infrastructure. The security case is simpler: a recognisable domain in the preview is the cheapest, highest-leverage defence a brand can give its customers, and the absence of one is the cheapest tell an attacker exploits.

For the consumer reading this: if a business prints QRs that resolve to a domain you can identify, they've done you a favour. If they print QRs that resolve to a generic shortener you can't verify, they've thrown away the only signal you had. That's not the consumer's fault, but it's worth knowing where the missing defence sits.

For anyone running the business side: making your QRs dynamic by default and putting them on a domain you own is the version of the customer-protection story you can actually control. The consumer-side advice in this post stops working when the legitimate side ships generic-shortener QRs that look indistinguishable from quishing attempts. The static-versus-dynamic decision is upstream of all of it.

If you want the design and rollout side, the QR codes documentation covers how to set up a branded domain and revocable redirects from inside a Linked.Codes account.

Figure: three URL previews you might see, and what each one tells you. (1) Branded, your-brand.com/q/menu: SCAN. Matches the surface, trust transferred; habit: tap. (2) Generic shortener, bit.ly/3xY9kQ: PAUSE. No domain signal; browse if you must, but don't enter anything sensitive. (3) Lookalike, brandname-pay.click: STOP. Mismatched domain, odd TLD, brand stuffed into a hyphen; habit: close the preview.
The same three preview states a customer encounters. Two seconds of reading the banner is the difference between catching a quishing attempt and walking into one.

When QR codes are genuinely the safest option

A counter-balance, because the security framing can tip toward fear. QR codes solve real safety problems that earlier alternatives didn't.

Restaurant menus in the COVID era. QR menus replaced shared physical menus and removed a hygiene concern. The trade-off — phone-screen menus being harder for older customers to read — is real, but the original problem they solved was a legitimate one.

Public transit and parking payment. Scanning a QR at a transit gate or a parking meter is faster than typing the meter ID or transit zone manually. When the legitimate operator's QRs are well-defended, the convenience case stands.

Sharing WiFi without exposing the password. A printed WiFi QR lets guests join your network without you reading the password aloud or typing it on someone else's phone. The defence is that the QR is on your wall, in your space, with your verification.

Adding a contact to a phone. A vCard QR on a business card or conference badge moves the contact's name, number, and email straight into the phone with one scan — no typing, no mishearing the spelling, no email-address typos.

The pattern across these is that the QR isn't doing anything dangerous; it's replacing a worse manual flow. The risk only enters when the QR is on an unverified public surface with a destination you can't verify. Most of the QRs in your daily life — the menu at the restaurant you know, the badge at a conference, the WiFi card in your friend's kitchen — don't have that risk because the trust comes from context, not from the code.

Are QR codes safe to scan?

Yes, in almost every normal context. The format itself doesn't carry malware — it's just printed pixels representing data, usually a URL. The risk lives in the URL behind the code, the same way the risk in an email lives in the link you click. Modern phones show the URL in a preview before opening anything, which is your main defence. Trust the surface, read the preview, and don't enter credentials or payment details on a page you didn't expect to.

Can a QR code give my phone a virus?

Not directly. A QR code stores data — usually a URL or a short text string — and your phone reads that data without executing anything from the QR itself. A malicious URL inside a QR could lead to a website that attempts to exploit a browser vulnerability or trick you into installing something, but modern phones and browsers are well-defended against the first attack and ask permission for the second. The risk is closer to "phishing" than "malware."

What is quishing?

Quishing is QR-code phishing. An attacker prints a sticker with a malicious QR and pastes it over a legitimate one in a public space — a parking meter, a menu, a parcel locker — so the next person who scans the surface loads the attacker's URL instead. The attack relies on the QR's destination being invisible to the eye and the surface borrowing trust from a legitimate brand. The FBI flagged it publicly in 2022 after waves of parking-meter attacks across US cities.

How do I tell if a QR code has been tampered with?

Look for sticker-on-sticker placement: raised edges, mismatched substrate (vinyl over paper, glossy over matte), tape residue, the QR sitting slightly off-grid relative to the surrounding design, or a different size or proportion than other printed elements on the same surface. None of these is conclusive — small businesses legitimately add stickers — but on public infrastructure like parking meters, transit displays, or parcel lockers, a QR should be part of the manufacturer's printing, not a sticker.

Should I always check the URL before scanning?

You can't check the URL before scanning — the QR is just printed pixels with no human-readable destination. You check the URL after scanning, in the preview banner your phone shows before opening anything. iOS surfaces this in a notification at the top of the screen; Android shows it in the camera or Lens app. Read what's there. If the domain doesn't match the surface you scanned it from, close the preview without tapping.

Are restaurant menu QRs safe?

Almost always, yes. A QR printed on a restaurant's own menu card, table tent, or table is part of the print run and not easy to silently overlay. The risk is higher when the menu is a removable sticker that an attacker could replace, but most restaurant menu attacks reported in 2023–24 were on table-tent cards rather than the printed menus themselves. If a menu QR opens a page that asks for your card number or login, close it and ask staff for the real menu.

What's the single most useful habit for QR safety?

Reading the URL preview banner before tapping. Both iOS and Android show the resolved URL in a notification or in-app banner before opening anything. A two-second glance at the domain catches most quishing attempts, because the attacker's URL never matches the legitimate brand on the surface. The habit is free, takes no app installs, and closes most of the realistic attack surface for a consumer.
