GUIDE · QUISHING

Is this QR code safe? How to check a QR code before you scan

A QR code is just a URL you cannot read with your eyes. Here is the exact check to run before you trust one.

SafeBrowz Threat Research · How-to Guide · June 10, 2026 · 9 min read
The short answer. A QR code is safe only if the link it decodes to is safe, and you cannot see that link with your eyes. Before you act on any QR code, make your phone show you the decoded URL, read the real domain (the part right before the first single slash), and never enter a password, payment, or wallet connection until that domain matches the official site you expected. If the code is a sticker on a public surface, check that nobody pasted a fake one on top of the real one.

Why "is this QR code safe?" is the wrong question to stop at

A QR code does not carry malware. It carries a string of text, almost always a web address. When you scan it, your phone decodes that address and opens it. So the real question is never "is this square of pixels safe" - it is "is the website this square sends me to safe." That distinction matters because every defense you have for ordinary links breaks down at the QR layer.

With a normal link, you can read the destination before you tap. You see paypal.com versus a lookalike, and your brain has a chance to catch it. A QR code removes that chance. The destination is invisible until your camera resolves it, and on most phones, resolving the code and opening the page happen in nearly the same gesture. That is why QR-code phishing, known as quishing, has become one of the fastest-growing attack channels.

The scale is real. Email-security vendors that decode QR codes inside messages, including Keepnet, Abnormal Security, and Proofpoint, have reported across 2024 and 2025 that QR-based attacks now make up a large and rising share of credential-phishing emails, with some quarters seeing QR payloads in a double-digit percentage of inbox phishing. In 2026, consumer alerts from the US FTC, UK Action Fraud, and Gulf authorities all list QR-code fraud as a growing vector to watch.

How quishing actually works

Quishing is ordinary phishing with one swap: the malicious link is hidden inside an image instead of printed as text. The chain looks like this.

  1. The payload is a URL. The attacker encodes a link to a fake page into a QR code. The page mimics a bank, a parking operator, a delivery service, a crypto exchange, or a corporate login.
  2. The QR carries it past filters. Inside an email, a poster, a PDF, or a sticker, the link is now a picture. Tools that scan links as text cannot see a link that is drawn as pixels.
  3. Your camera opens it. You scan, the phone decodes, the browser loads the fake page in under a second, often behind a redirect that hides the final destination.
  4. The page harvests what you give it. Login, card number, one-time code, or a wallet-connect prompt. The data goes straight to the attacker, and a "success" screen sends you on your way.

Two design facts make this work in your blind spot, and you need to understand both before the checklist makes sense.

Your phone shows you a truncated or hidden URL preview

Modern iOS Camera and Android Google Lens do show a small preview banner with the destination after decoding, which is a genuine improvement. But that banner is short, often truncated, and dismissed in the same tap that opens the page. Worse, many QR links use a shortener or a redirect, so the preview shows a clean-looking short link while the real destination, three hops later, is the phishing page. The preview tells you where the first hop goes, not where you end up. That gap, between the link you see and the link you land on, is the entire attack surface.

The sticker-over-a-real-code attack

The most common physical version needs no email at all. The attacker prints a high-quality QR sticker and pastes it directly on top of a legitimate one, on a parking meter, a restaurant table, an EV charger, or a delivery locker. The surface looks official because the rest of it is. Only the code changed. US police departments in cities including Austin and Houston issued public advisories about fake parking-meter QR stickers across 2024 and 2025. You are not being asked to trust a stranger here. You are trusting a meter you have used before, and that trust is the weapon.

The red flags: what a malicious QR is trying to get you to do

You will rarely identify a bad QR from the code itself. You identify it from what the page on the other side asks for. These are the asks that should stop you cold.

  • Scan to pay. A QR on a meter, table, invoice, or charger that opens a payment form on a domain you do not recognize. Real operators use named apps (ParkMobile, PayByPhone, Passport) or their own clearly named domain, not a one-off link.
  • Scan to verify or confirm. "Scan to verify your account," "confirm your delivery," "validate your details." Legitimate services do not make you prove your identity by scanning a sticker or a code in an unexpected email.
  • Scan to download an app. A QR that pushes you to install an app from outside the official App Store or Google Play. Sideloaded apps are a common malware delivery route. Get apps from the store, not a poster.
  • Scan to sign in. A code in a PDF or email titled like a voicemail, invoice, or authenticator setup that asks you to log in to a work or cloud account. This is the corporate quishing pattern that bypasses email gateways.
  • Scan to connect your wallet. Any QR that ends in a "connect wallet" or "approve" prompt for crypto. Treat it the same way you would a phishing link sent by a stranger.
  • Urgency or a freebie. "Last day to pay," "free dessert," "claim your refund." Pressure and reward both exist to make you skip the URL check.

Where these QR scams show up

The same trick lands in different places. Knowing the settings helps you slow down at the right moment.

  • Parking meters and lots. A fake sticker over the real one opens a clone payment page, takes your card, and the meter never registers. You get a fraud charge and a parking ticket.
  • Restaurant menus. A sticker pasted over the table QR opens a "discount" or "menu" page that asks for a card to hold the offer. It can sit there for weeks.
  • Package and delivery notices. A QR on a "missed delivery" card or fake carrier email leads to a "redelivery fee" page that wants your card and address. This is the QR cousin of the USPS failed-delivery text scam.
  • EV chargers, WiFi posters, and printed invoices. Fake stickers near the real one route you to a clone payment page or a credential-harvesting portal, and a QR "for fast payment" on a utility or HOA bill leaves no URL or email trail to inspect.

How to check a QR code safely: the step-by-step

This is the decision procedure. Run it on any QR you did not generate yourself.

  1. Preview the decoded URL before you open it. On iPhone, point the Camera at the code and stop at the preview banner, do not tap through. On Android, use Google Lens, which shows the link and lets you copy it instead of opening it. The goal is to read the address first, not to land on the page first.
  2. Read the real domain, not the brand words. Find the part right before the first single slash. If you scanned a "Chase" code, the domain should be chase.com or a clearly Chase-owned subdomain. A link like chase-secure-verify.cc or parkmobile-pay.app is a scam no matter how official the surrounding words look. Be extra suspicious of unusual top-level domains (.cc, .xyz, .top, .click, .app) attached to a major brand.
  3. Inspect the physical code for a sticker over a sticker. Run a fingernail along the edges. A fake QR pasted on top of a real one has a raised lip or a color mismatch around the border. If a printed short URL sits next to the code, confirm the preview banner resolves to that same domain. If the code stands alone with no printed URL fallback, raise your guard.
  4. Never auto-open, never auto-fill. If your scanner app opens links instantly with no preview, switch to the built-in Camera or Lens. The whole defense depends on reading the URL before the page can render and before any form can ask you for anything.
  5. If anything is off, type the official site yourself. Do not trust the link in the code when in doubt. Open your browser and type the brand's domain by hand, or open the official app you already have. Real venues and real companies work fine when you reach them yourself.
  6. Check the destination before entering credentials or connecting a wallet. If you do open the page, verify the domain one more time in the address bar before you type a password, a card, a one-time code, or click any wallet-connect button. The address bar is the last honest signal you have.
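
The domain-reading rule in steps 2 and 6 can be made mechanical. The Python below is an added example, not SafeBrowz's code: it parses a decoded QR string with urllib.parse, extracts the host the browser would actually contact (so a brand name placed before an "@" or buried in a deeper subdomain is not mistaken for the real domain), compares the registrable domain with the official domain you expected, and flags the suspicious TLDs named above plus brand words inside an unrelated host. The expected domain, the tiny public-suffix shortcut and the TLD list are assumptions made for the illustration.

```python
# Added example (not SafeBrowz code): mechanical version of the
# "read the real domain" check from the step-by-step above.
from urllib.parse import urlsplit

# TLDs the guide calls out as suspicious next to a major brand.
# Illustrative subset, not a complete list.
SUSPICIOUS_TLDS = {"cc", "xyz", "top", "click", "app"}

# Tiny stand-in for the Public Suffix List so that "bank.co.uk" counts as
# one registrable domain. Real code should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """'secure.chase.com' -> 'chase.com'; 'pay.bank.co.uk' -> 'bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_decoded_qr_url(url: str, expected_domain: str) -> dict:
    """Judge a decoded QR string against the official domain you expected.

    expected_domain is the registrable domain of the site the code claims
    to belong to (e.g. "chase.com"). Returns the host the browser would
    actually contact, whether it is that domain or a subdomain of it, and a
    list of reasons not to trust it.
    """
    # A bare "host/path" string has no scheme; browsers open it over http.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    actual = registrable_domain(host)
    matches = actual == expected
    findings = []

    if parts.scheme != "https":
        findings.append("not HTTPS")
    # In "https://chase.com@evil.example/" everything before '@' is
    # user-info, not the host. urlsplit already returns the real host.
    if parts.username is not None:
        findings.append("user-info before '@' disguises the real host")
    if not matches:
        findings.append(f"host {host!r} is not under {expected}")
        brand = expected.split(".")[0]
        if brand in host:
            findings.append("brand name inside an unrelated domain (lookalike)")
        tld = actual.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            findings.append(f"suspicious TLD .{tld}")

    return {
        "host": host,
        "registrable_domain": actual,
        "matches_expected": matches,
        "findings": findings,
        "verdict": "ok" if not findings else "do not enter credentials",
    }


if __name__ == "__main__":
    for sample in ("https://secure.chase.com/login",
                   "https://chase-secure-verify.cc/login",
                   "https://chase.com.verify-login.cc/",
                   "https://chase.com@evil.example/"):
        print(sample, "->", check_decoded_qr_url(sample, "chase.com"))
```

Run against the guide's own example, chase-secure-verify.cc trips both the lookalike rule and the suspicious-TLD rule, while chase.com.verify-login.cc shows why the words before the first single slash are not enough: the registrable domain is verify-login.cc, and "chase.com" is just a subdomain label the attacker chose.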

How SafeBrowz checks the QR destination the moment you open it

Most people will not stop at the preview banner to read a truncated URL, and even a careful reader cannot see past a redirect to the real landing page. That is the gap a browser-layer scanner closes.

When you choose to open a decoded QR link, the destination is just a URL like any other. SafeBrowz checks that URL at page load against the same rules it runs on every link: a blacklist of known malicious domains, lookalike-domain detection for brand impersonation, and free-hosting and redirect-chain rules that follow the link to where it actually ends up rather than where it first appears to go. Because most camera previews truncate or mask the real redirect target, this is exactly the step that catches the page your eyes could not. If the link resolves to a fake bank, parking, delivery, or wallet page on a non-official domain, SafeBrowz shows a full-screen warning before the form can render. On mobile, this runs inside Microsoft Edge for Android, so a code your camera decoded and you opened in Edge passes through the same checks as the desktop extension.

These checks are derived from threat-intelligence research and our internal brand database, not from your browsing data. SafeBrowz does not store per-user browsing history.

If you already scanned and entered information

Speed matters most in the first hour. Card-test charges often land within the first 20 to 90 minutes.

  1. Freeze the card. Most bank apps have a one-tap freeze. Order a replacement.
  2. Change any password you typed everywhere you reused it, and turn on two-factor authentication. The same advice applies if you handed credentials to a fake login reached from a scam website.
  3. If you connected a crypto wallet, revoke token approvals at a tool like revoke.cash and move funds to a fresh wallet if you signed anything.
  4. Report it. File with the US FTC at reportfraud.ftc.gov and the FBI at ic3.gov, or with actionfraud.police.uk in the UK. Tell the venue and photograph the tampered sticker so the next person is safe.

Frequently asked questions

Can a QR code itself give my phone a virus?

No. A QR code is just encoded text, almost always a web address. It cannot install anything on its own. The danger is entirely in what the link opens: a phishing page that asks for your data, or a prompt to download a malicious app from outside the official store. The code is the envelope, not the weapon.

How do I preview a QR code's link without opening it?

On iPhone, point the Camera at the code and read the preview banner that appears, but do not tap it. On Android, open Google Lens, point it at the code, and it shows the link with an option to copy it rather than open it. Reading or copying the URL first, then deciding, is the core of checking a QR safely.

The link preview looked fine. Why might it still be unsafe?

Because many QR links use a shortener or a redirect. The preview shows the first hop, which can look clean, while the real destination several hops later is the phishing page. If you cannot confirm the final domain, treat the link as untrusted, or paste the decoded URL into a scanner that follows the redirect to where it actually lands.
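The "first hop versus final landing page" problem described in this answer and in the "How SafeBrowz checks the QR destination" section above is what a redirect-chain rule addresses. The Python below is an added example, not SafeBrowz's engine: instead of making live requests it walks a constructed table of redirects (standing in for HTTP Location headers, with invented .example hostnames), records every hop, gives up on loops or over-long chains, and then judges only the final host against an expected domain, a constructed blacklist and a free-hosting suffix rule.

```python
# Added example (not SafeBrowz code): resolve a QR link's redirect chain
# offline and judge where it lands, not where it starts.
from urllib.parse import urlsplit

# Constructed hop table standing in for 3xx Location headers.
# All hostnames are invented for the example.
REDIRECT_HOPS = {
    "https://short.example/qr1": "https://cdn-track.example/go?id=7",
    "https://cdn-track.example/go?id=7": "https://parking-pay.free-host.example/pay",
    "https://short.example/qr2": "https://www.official-parking.example/pay",
}

# Constructed blacklist and free-hosting suffixes for the example.
BLACKLIST = {"parking-pay.free-host.example"}
FREE_HOSTING_SUFFIXES = (".free-host.example",)


def resolve_chain(url, hops=REDIRECT_HOPS, max_hops=10):
    """Return (chain, status): every URL visited from first hop to landing
    page, and whether the chain landed or was abandoned (loop / too long)."""
    chain = [url]
    while chain[-1] in hops:
        nxt = hops[chain[-1]]
        if nxt in chain or len(chain) >= max_hops:
            return chain, "abandoned"
        chain.append(nxt)
    return chain, "landed"


def judge_landing(url, expected_domain, hops=REDIRECT_HOPS):
    """Apply the destination rules to the final host only. The first hop is
    what a camera preview banner shows; the final host is what matters."""
    chain, status = resolve_chain(url, hops)
    first_host = (urlsplit(chain[0]).hostname or "").lower()
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    expected = expected_domain.lower()
    reasons = []
    if status != "landed":
        reasons.append("redirect chain looped or exceeded the hop limit")
    if final_host in BLACKLIST:
        reasons.append("final host is blacklisted")
    if final_host.endswith(FREE_HOSTING_SUFFIXES):
        reasons.append("final host is on free hosting")
    if not (final_host == expected or final_host.endswith("." + expected)):
        reasons.append(f"final host {final_host} is not {expected}")
    return {
        "first_hop_host": first_host,
        "final_host": final_host,
        "hops": len(chain) - 1,
        "reasons": reasons,
        "block": bool(reasons),
    }


if __name__ == "__main__":
    for start in ("https://short.example/qr1", "https://short.example/qr2"):
        print(start, "->", judge_landing(start, "official-parking.example"))
```

Both sample codes start at the same clean-looking shortener host, which is all a preview banner would show; only the resolved chain separates the one that lands on the operator's domain from the one that lands on a blacklisted free-hosting page two hops later.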

Is it safe to scan QR codes on parking meters and restaurant tables?

It can be, but these are top targets for the sticker-over-a-sticker attack. Run a fingernail along the QR edges to feel for a fake sticker pasted on top, confirm the preview resolves to a known operator or venue domain, and prefer a named app you typed in yourself. If the code stands alone with no printed URL and asks for a card, use a different meter or the operator's app directly.

What are the biggest red flags after scanning a QR code?

Any page that asks you to pay, verify your identity, sign in to a work or cloud account, download an app from outside the official store, or connect a crypto wallet, especially on a domain that does not match the brand. Urgency and free offers are pressure tactics meant to make you skip the URL check.

How common is QR-code phishing in 2026?

It is one of the faster-growing phishing channels. Email-security vendors that decode QR codes inside messages, including Keepnet, Abnormal Security, and Proofpoint, reported across 2024 and 2025 that QR payloads make up a large and rising share of credential-phishing emails. In 2026, advisories from the US FTC, UK Action Fraud, and Gulf authorities flag QR fraud as a growing vector, because the code slips a hostile link past filters that only read text.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches the lookalike-domain and redirect-target templates behind malicious QR codes instantly.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds.
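
Layer 1 mentions Cyrillic and Punycode homograph variants of brand signatures. As an added example that is not SafeBrowz's code, the Python below shows the core of such a check: decode any xn-- label back to Unicode with Python's idna codec, map a small hand-made subset of Cyrillic letters that render like Latin ones onto their Latin look-alikes to get a "skeleton", and compare the skeleton with the brand domain. The confusable table and the mixed-script heuristic are deliberately small; production code should use the full Unicode confusables data.

```python
# Added example (not SafeBrowz code): homograph detection for brand domains.

# Cyrillic letters that look like Latin ones. Hand-picked subset for the
# example; the full Unicode confusables data is much larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u0501": "d", "\u051b": "q",
    "\u051d": "w",
}


def to_unicode_host(host: str) -> str:
    """Decode Punycode ('xn--') labels; pass Unicode hosts through unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Replace each confusable character with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in to_unicode_host(host).lower())


def mixed_script(host: str) -> bool:
    """True when a host mixes Latin and Cyrillic letters, a classic homograph tell."""
    uni = to_unicode_host(host)
    has_latin = any("a" <= ch.lower() <= "z" for ch in uni)
    has_cyrillic = any("\u0400" <= ch <= "\u052f" for ch in uni)
    return has_latin and has_cyrillic


def homograph_of(host: str, brand_domains):
    """Return the brand domain this host imitates, or None when the host is
    the genuine domain (or a subdomain of it) or unrelated to every brand."""
    uni = to_unicode_host(host).lower()
    sk = skeleton(host)
    for brand in brand_domains:
        brand = brand.lower()
        if uni == brand or uni.endswith("." + brand):
            return None   # the real thing, no confusables involved
        if sk == brand or sk.endswith("." + brand):
            return brand  # matches the brand only after mapping look-alikes
    return None


if __name__ == "__main__":
    # Constructed sample: "chase.com" with a Cyrillic first letter, as the
    # browser would receive it in Punycode form.
    sample = "\u0441hase.com".encode("idna").decode("ascii")
    print(sample, "->", to_unicode_host(sample), "imitates", homograph_of(sample, ["chase.com"]))
    print("mixed script:", mixed_script(sample))
```

The Punycode form is what actually travels in the URL, so a checker must decode it before comparing; the mixed-script test is a cheap second signal, since a genuine brand domain has no reason to mix alphabets.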

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Install SafeBrowz free

Add the browser extension that checks every QR destination automatically, the moment a page tries to load, before it renders. Free forever.


Bottom line: A QR code is safe only when the link behind it is safe, and you cannot judge that from the square of pixels. Make your phone show you the decoded URL, read the real domain, watch for a sticker pasted over the real code, and never pay, sign in, or connect a wallet until the destination matches the official site you expected. When the check slips, a browser-layer scanner like SafeBrowz reads the destination for you, including the redirect target your camera preview hid, and stops the fake page before it can ask for anything.
