QR Code Security

QR codes are fundamentally neutral — the code itself is simply a pattern that encodes data, usually a URL. Security issues arise not from QR codes themselves, but from the destinations they point to. Understanding how QR code attacks work and how to spot them gives you the knowledge to scan confidently while staying safe.


How QR Code Attacks Work

The most common QR code security threat is a technique sometimes called "quishing" — QR code phishing. In a quishing attack, a legitimate-looking QR code is placed or distributed in a context where the victim trusts it: an email from a bank asking to "verify your account", a sticker placed over the payment QR code in a restaurant, a poster at a train station, or a package delivery notification. When scanned, the QR code opens a phishing site that mimics a legitimate service and harvests login credentials, payment card details, or personal data.

Quishing is effective because most email and SMS security filters do not analyse QR codes — only text and HTML links. A phishing URL embedded in a QR code bypasses many corporate email gateways and spam filters that would otherwise block the same link if sent as plain text.

Common QR Code Threat Scenarios

Sticker tampering: A fraudulent QR code sticker is placed over a legitimate one. This has been reported at parking meters, restaurant menus, and retail payment terminals. Always check whether a QR code sticker appears to be placed on top of another label, is slightly off-centre, or has a different material or print quality than the surrounding surface.

Email phishing (quishing): An email claiming to be from your bank, email provider, or a delivery company contains a QR code instead of a hyperlink. Scanning it takes you to a fake login page. Legitimate institutions rarely send QR codes by email and never require you to scan one to access your account or confirm a delivery.

Malware download: A QR code initiates a file download automatically when scanned. On Android devices, this can result in a malicious APK being downloaded. Most modern smartphone cameras and browsers add a confirmation step before downloading files, but users who click through quickly can be caught out. Never approve a file download initiated by scanning an unknown QR code.

Tracking without consent: Some QR codes are used to log scan activity — device type, IP address, approximate location, and scan time — without the user's knowledge. Dynamic QR codes always log scan data at the server side. This is normal for first-party use (a business tracking scans on their own marketing materials) but can be a privacy concern when QR codes are placed in public spaces by unknown parties.

How to Scan QR Codes Safely

The most important habit is previewing the URL before opening it. Every major smartphone camera app — iOS Camera, Google Lens, Samsung Camera — displays the URL destination in a preview banner before the browser opens. Take 2 seconds to read this URL. Ask yourself: does this domain look legitimate? Does it match what I expect from this QR code? Is it HTTPS? Red flags include misspelled domains ("paypa1.com", "amaz0n.com"), unfamiliar domains, unusually long URL strings, and short redirect services you can't see through (bit.ly, t.co) when you have no reason to trust the source.

Check the physical context. A QR code in a national park information board is low risk. A QR code on a sticker on a parking meter, or sent in an unexpected email, is higher risk. The physical condition of the QR code also matters — is it a clean, professional print, or does it look like a sticker placed on top of something?

Use a QR scanner with URL preview and reputation checking. Most native camera apps show the URL before opening. Dedicated scanner apps often add additional safety checks — scanning the destination URL against known phishing databases before opening the page.

Do not approve unexpected permissions. If a QR code scan leads to a page that immediately requests camera access, microphone access, location, or asks you to install a certificate or enable an accessibility service, close the browser immediately.

QR Code Security for Businesses

Businesses deploying QR codes have an obligation to their customers to ensure those codes remain secure. For physical QR codes (menus, signs, payment terminals), conduct regular visual inspections to check for tampering — particularly sticker overlays. Use permanent, tamper-evident materials for payment QR codes, or use a digital display rather than a printed code for payment applications.

For marketing QR codes, use dynamic QR codes with analytics so you can detect unexpected changes in scan patterns that might indicate a third party has reproduced your QR code on a fraudulent site. Always point QR codes to HTTPS URLs — a QR code pointing to HTTP is a warning sign that may cause modern browsers to display security warnings and deter scans.

Consider adding visible branding to your QR codes — a logo in the centre or a branded colour scheme makes tampering more obvious, because a counterfeit sticker will not match your brand accurately. Educate your customers: a brief note near your QR code ("Our WiFi QR code is printed on the back of the menu — do not scan QR codes sent by text message") can prevent customers from falling for social engineering attacks that use your brand.

Secure QR Code Generation

Using a trustworthy QR code generator is the foundation of QR code security for businesses. All QR codes generated on OnlineQRCodeGen run entirely in your browser — the URL or data you enter is never sent to our servers, and no tracking is embedded in the generated QR code. The QR codes we generate are static, transparent, and encode exactly the data you enter — no hidden redirects or third-party tracking parameters.

Check all Learning Topics Generate QR Code Now

Frequently Asked Questions

Are QR codes safe to scan?

QR codes from trusted sources in a physical context you recognise are safe to scan. The risk comes from the destination — a QR code can point to a phishing site, trigger a file download, or collect tracking data. Always preview the URL before opening it, and be more cautious with QR codes received in emails, texts, or placed on stickers in public locations.

Can a QR code install malware on my phone?

Scanning a QR code alone cannot install malware. The risk comes from what happens after the scan: if the QR code opens a website that attempts to download a file, and you approve the download and install the file, malware could be installed. Modern smartphones have multiple safeguards against this. Never approve file downloads from QR codes you don't trust.

What is QR code phishing (quishing)?

QR code phishing (quishing) is an attack where a fraudulent QR code is used in place of a legitimate one to direct the victim to a fake website that steals credentials or personal data. It is used in email phishing campaigns and physical tampering attacks (fake stickers placed over real QR codes). Previewing the URL before opening it is the main defence.

How can I check where a QR code links to before opening it?

Most smartphone camera apps display the destination URL in a preview banner before opening the browser. Read this URL carefully before tapping. Alternatively, use a dedicated QR scanner app that shows the URL and checks it against phishing databases before loading the page. You can also use our online QR code image scanner to decode a QR code from a screenshot without visiting the URL.

Do QR codes track my location?

Static QR codes (which encode data directly) do not track anything. Dynamic QR codes that use a redirect URL may log your IP address, device type, and scan time at the server side — this is standard practice for businesses tracking campaign performance. Your exact GPS location is not accessible to a QR code unless you explicitly grant location permission to the website it opens.

How do I protect my business QR codes from tampering?

Use tamper-evident materials for payment QR codes, or display them on digital screens rather than printed stickers. Conduct regular visual inspections of public-facing QR codes to check for sticker overlays. Add visible branding (logo, specific colour scheme) to make tampering obvious. For high-value payment applications, use QR codes generated directly by your bank or payment provider rather than third-party generators.

Related Learning