
QR Code Security: How to Spot and Avoid Malicious QR Codes

Introduction

QR codes are everywhere — restaurant menus, parking meters, package deliveries, event tickets. Their convenience has made them a trusted shortcut for billions of people. But that same trust has attracted a growing wave of cybercriminals who use malicious QR codes to steal credentials, install malware, and hijack payment flows.

This guide explains how QR code attacks work and gives you concrete steps to scan safely.

What Is QR Phishing (“Quishing”)?

Quishing is a phishing attack delivered via QR code rather than a traditional email link. The attacker creates a QR code that encodes a malicious URL — a site designed to steal login credentials, install malware, or capture payment information.

Quishing is particularly effective because:

  • Email security filters scan URLs in plain text but often miss URLs embedded in images (QR codes)
  • People are conditioned to trust physical QR codes in public spaces
  • The step from scanning to clicking the URL is fast and reflexive
  • Mobile browsers display shorter URLs, making spoofed domains harder to notice

Common Attack Scenarios

1. Tampered physical QR codes
A criminal prints a sticker with a malicious QR code and places it over a legitimate code on a parking meter, restaurant table, or public notice board. The victim scans the sticker without noticing the overlay.

2. Malicious QR codes in emails
Security filters block known phishing URLs, so attackers embed the same URL inside a QR code image attached to an email. The victim is asked to “scan the code to verify your account.”

3. Fake QR codes in documents
PDFs, invoices, or contracts circulated in business email compromise (BEC) attacks contain QR codes linking to fake login portals that mimic Microsoft 365, Google Workspace, or banking sites.

4. Event and delivery notifications
Fake package delivery notices or event check-in QR codes redirect to pages requesting personal information or payment details.

How to Inspect a QR Code Before Acting on It

The most important rule: always read the URL before visiting it.

Steps to apply every time you scan a code:

  1. Scan but do not tap — use a scanner that shows the decoded URL before opening it (Web QR Scan displays the full URL in a result box for you to review)
  2. Check the domain — does the domain match the organization it claims to be? amaz0n-delivery.com is not Amazon.
  3. Look for HTTPS — while HTTPS alone does not guarantee safety, an HTTP URL from a banking QR code is a red flag
  4. Watch for redirects — shortened URLs (bit.ly/, t.co/) hide the final destination; expand them with a URL preview tool before clicking
  5. Verify physical codes — if a QR code sticker looks freshly applied over another code, or is slightly crooked on a printed sign, peel the edge to check for an overlay

Red Flags That Indicate a Suspicious QR Code

  • Unsolicited QR codes arriving via email or SMS from unknown senders
  • QR codes on flyers dropped in public spaces or posted through letterboxes
  • QR codes on parking meters, ATMs, or payment kiosks (these are rarely legitimate — use the machine’s physical interface instead)
  • Any QR code that immediately asks for a password, payment, or personal data upon scanning
  • A decoded URL using an IP address instead of a domain name (e.g., http://192.168.1.1/login)
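The inspection steps and the red flags above can be turned into an automatic triage of the decoded payload before anyone taps it. The following is an added example written for this article, not code from Web QR Scan; the shortener list and the brand watch-list are constructed samples, and the lookalike check assumes the registrable domain is the last two labels (no public-suffix list), so a legitimate brand.co.uk would be a false positive.

```javascript
// Added example (not part of Web QR Scan): triage a decoded QR payload against the
// red flags in the checklist above. Shortener and brand lists are constructed samples.
const SHORTENER_HOSTS = new Set(['bit.ly', 't.co', 'tinyurl.com']);
const WATCHED_BRANDS = ['amazon', 'microsoft', 'paypal']; // hypothetical watch-list

// Undo common digit-for-letter substitutions so "amaz0n" compares as "amazon".
function deLeet(s) {
  return s.replace(/0/g, 'o').replace(/1/g, 'l').replace(/3/g, 'e').replace(/5/g, 's');
}

function inspectQrPayload(payload) {
  const findings = [];
  let url;
  try {
    url = new URL(payload.trim());
  } catch {
    // Plain text or malformed data: nothing to open, so nothing to flag as a link.
    return { web: false, host: null, findings: ['payload is not a URL'] };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    // WIFI:, tel:, mailto: etc. trigger actions rather than open a page; review separately.
    return { web: false, host: null, findings: [`non-web scheme ${url.protocol}`] };
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol === 'http:') findings.push('plain HTTP, not HTTPS');
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[')) {
    findings.push('IP address instead of a domain name');
  }
  if (SHORTENER_HOSTS.has(host)) findings.push('URL shortener hides the final destination');
  if (url.username || url.password) findings.push('user@ prefix present; the real host is ' + host);
  // Lookalike check. Assumption: registrable domain = last two labels (no public-suffix list).
  const labels = host.split('.');
  const sld = labels.length >= 2 ? labels[labels.length - 2] : host;
  for (const brand of WATCHED_BRANDS) {
    if (deLeet(host).includes(brand) && sld !== brand) {
      findings.push(`looks like ${brand} but the registrable domain is ${labels.slice(-2).join('.')}`);
    }
  }
  return { web: true, host, findings };
}

// Constructed sample payloads, including the two examples quoted in the article.
for (const p of ['https://amaz0n-delivery.com/track', 'http://192.168.1.1/login',
                 'https://www.amazon.com/orders', 'WIFI:T:WPA;S:home;P:secret;;']) {
  console.log(p, '->', inspectQrPayload(p).findings);
}
```

An empty findings list means none of the listed red flags matched, not that the link is safe; the domain still has to be read by a human.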

Using a Secure Scanner

Your choice of scanning tool matters for privacy even when the QR code itself is legitimate. A scanner that uploads images to a cloud server for processing exposes your content — including any sensitive document you scan — to a third party.

Web QR Scan processes all decoding locally in your browser using WebAssembly. The camera video stream and any uploaded images are analyzed in your browser’s memory only. Nothing is sent to our servers at any point. This means even if you scan a QR code containing sensitive information (a Wi-Fi password, a private URL, a personal contact card), that data stays on your device.

What to Do If You’ve Scanned a Malicious QR Code

If you suspect you scanned a phishing QR code:

  1. Do not enter any credentials on the page that opened
  2. Close the browser tab immediately
  3. If you entered credentials: change the password for the affected account immediately and enable two-factor authentication
  4. If you installed anything: scan your device with your OS’s built-in security tools or a reputable anti-malware tool
  5. Report the physical code (if applicable) to the venue or organization where you found it

Conclusion

QR codes are not inherently dangerous — but the unconditional trust most people place in them creates an exploitable gap. Taking three seconds to read the decoded URL before tapping it eliminates the majority of quishing attacks.

Scan smart: always preview the URL, verify the domain, and use a scanner that keeps your data local.