Are QR Codes Safe? Security Guide
QR codes are inherently neutral. They are a data format, like a hyperlink printed in a visual pattern rather than typed as text. The code itself cannot install malware or steal information. However, the destination a QR code points to absolutely can. As QR code usage has expanded into payments, authentication, and access control, so have the attacks that exploit the trust people place in them. This guide covers how QR codes can be misused, how to protect yourself when scanning, and how businesses should approach security when deploying codes for their customers.
How QR Codes Can Be Exploited
The core vulnerability of QR codes is that humans cannot read them. When you see a printed URL, you can inspect it before clicking. When you see a QR code, you have no idea what it contains until your phone decodes it. Attackers exploit this opacity in several ways.
Quishing: QR Code Phishing
Quishing is the term for phishing attacks delivered through QR codes. The attacker creates a QR code that links to a convincing fake login page for a bank, email provider, or corporate system. The code is distributed through email, printed flyers, or physical stickers placed over legitimate codes. When the victim scans and enters their credentials on the fake page, the attacker captures them.
Quishing has become particularly effective in email-based attacks because QR codes bypass many email security filters. Traditional phishing detection analyzes URLs in the email body, but a URL embedded in a QR code image is invisible to most scanners. The recipient is instructed to scan the code with their phone, which moves the interaction off the protected corporate network and onto a personal device that may lack security software.
Sticker Overlay Attacks
One of the simplest and most effective physical attacks is placing a malicious QR code sticker over a legitimate one. Parking meters, restaurant table cards, public advertisements, and transit signs are all targets. The victim believes they are scanning the original code but are actually hitting the attacker's URL. These attacks have been documented in multiple cities, with attackers placing stickers on parking payment kiosks that redirect to fake payment pages.
Malicious Redirects and Drive-By Downloads
A QR code can link to a page that attempts to download a malicious app or file. On most modern phones, the operating system will prompt the user before installing anything, but social engineering can persuade people to approve the installation, especially if the landing page mimics a trusted brand and claims the download is a required update or a special app.
Data Harvesting
Some malicious QR codes link to pages that request personal information under a pretext, such as a fake survey, a prize claim, or an account verification form. The page may look professional and branded, making it difficult to distinguish from a legitimate request. The information collected, which can include names, emails, phone numbers, and even financial details, is then used for identity theft or sold.
Real-World Incidents
In 2022, the FBI issued a public advisory warning about criminals placing malicious QR codes on parking meters across several US cities. Drivers who scanned the codes expecting to pay for parking were directed to fraudulent payment sites that harvested credit card data. The attack was effective because the context was completely plausible: a QR code on a parking meter is exactly where you would expect one.
Corporate quishing campaigns have also escalated. Security firms have reported a sharp increase in phishing emails that include QR codes instead of clickable links, specifically to evade email filtering. These emails often impersonate IT departments, asking employees to scan a code to re-authenticate their accounts or review a document. Because the scan happens on a personal phone outside the corporate security perimeter, the attack bypasses network-level protections.
How to Verify QR Codes Before Trusting Them
Staying safe does not require avoiding QR codes entirely. It requires the same skepticism you would apply to any link. Here are concrete steps you can take.
Preview the URL Before Opening
Both iOS and Android show a preview of the decoded URL when you point your camera at a QR code. Before tapping the link, read the URL carefully. Check the domain name. A legitimate bank URL will be at the bank's actual domain, not a lookalike with extra characters or a different top-level domain. If the URL looks suspicious or unfamiliar, do not open it.
Inspect Physical Codes for Tampering
Before scanning a QR code in a public place, look at it closely. Is it a sticker placed on top of another code? Is the material different from the rest of the sign? Are the edges peeling or misaligned? If a code looks like it was added after the fact rather than printed as part of the original material, treat it with suspicion. When in doubt, type the URL manually from the text printed nearby rather than scanning the code.
Be Wary of Unsolicited QR Codes
QR codes received via email, text message, or social media from unknown senders should be treated with the same caution as unknown links. A legitimate organization that needs you to take action will provide multiple ways to do so, not just a QR code. If an email from your "bank" contains only a QR code and urgent language, go directly to the bank's website by typing the URL yourself.
Use a Scanner That Shows Details
The built-in camera apps on modern iOS and Android devices show URL previews, which is usually sufficient. Some dedicated QR scanner apps offer additional features like checking URLs against known phishing databases. Avoid using obscure third-party scanner apps that request unnecessary permissions, as the scanner itself could be a privacy risk.
Safe Scanning Practices
Never enter credentials immediately after scanning. If a QR code takes you to a login page, stop. Close the page and navigate to the service directly through your browser or app. Legitimate services do not require you to log in through a QR code link.
Check for HTTPS. While HTTPS alone does not guarantee a site is safe, the absence of HTTPS on a page requesting personal information is a clear warning sign. Attackers can obtain HTTPS certificates, so this is a necessary but not sufficient check.
Keep your phone updated. Operating system updates patch vulnerabilities that could be exploited by malicious pages. Scanning a QR code on a fully updated phone is significantly safer than on one running outdated software.
Do not download apps from QR codes. If a QR code prompts you to install an application, go to the official app store and search for the app by name instead. A legitimate app will always be available through the standard distribution channel.
Creating Secure QR Codes
If you are generating QR codes for your own use, there are steps you can take to make them as trustworthy as possible. Use a reputable generator like our free QR code generator, which creates codes client-side without storing your data on a server. Encode the full URL including https:// so scanners display a complete, verifiable domain to the user.
When choosing between static and dynamic codes, consider that static codes are inherently more transparent because the destination URL is encoded directly in the code. Dynamic codes route through a redirect server, which adds a layer of opacity for the scanner. Both approaches are valid, but static codes give the end user more ability to verify where the code will take them before they tap.
For Businesses: Protecting Your Customers
If you deploy QR codes for customer use, such as on menus, payment systems, marketing materials, or product packaging, you have a responsibility to make those codes trustworthy and to protect against tampering.
Print Codes as Part of the Material
Integrate the QR code into the printed design rather than applying it as a separate sticker. Codes that are clearly part of the original print are much harder for attackers to replace without it being obvious.
Use Your Own Domain
The URL in your QR code should be on a domain your customers recognize and trust. Linking to yourbrand.com/menu is far more trustworthy than a random short URL from a third-party redirect service. If you use dynamic QR codes, choose a provider that allows custom domains.
Monitor for Tampering
Regularly inspect your physical QR codes, especially in public-facing locations like storefronts, tables, and posters. Look for stickers placed over your codes. Train staff to check codes during routine cleaning or setup.
Educate Your Audience
Include a brief note near your QR codes that tells users what to expect. "Scan to view our menu at yourbrand.com" gives the scanner a way to verify the destination after decoding. If the URL does not match, they know something is wrong.
Register Similar Domains
If your business relies heavily on QR codes for payments or authentication, consider registering common misspellings and variations of your domain to prevent attackers from using lookalike URLs in overlay attacks.
The Bigger Picture
QR codes are as safe or as dangerous as the links they contain. The technology itself is not the risk; the risk is in blindly trusting any destination without verification. The same caution you apply to email links, shortened URLs, and pop-up prompts should extend to QR codes. Preview before you tap, verify the domain, and never enter sensitive information on a page you reached through an unverified code.
For practical guidance on using QR codes effectively and safely in your own projects, explore our guides on creating QR codes and real-world QR code use cases.