QR Codes have become part of everyday life — menus, payments, Wi-Fi, login. And along with them came the natural question: is it safe to scan? Short answer: the QR itself isn't dangerous, but it can lead to dangerous places. There's even a name for the scam: quishing (QR Code phishing).

This article explains the real risk, how to recognize a malicious QR, and how to scan safely — without paranoia, but with care.

The QR isn't the danger — the destination is

Important to understand: a QR Code is just a link encoded in an image. Scanning installs nothing, doesn't hack your phone, doesn't steal data on its own. The risk is in where the link leads.

It's exactly like clicking a link received by message: the link itself does nothing, but it can take you to a fake site that tries to:

  • Steal your password (fake login page)
  • Ask for card details (fake payment)
  • Get you to download a malicious app
  • Run a payment scam

The QR is just the "envelope". The content is what matters.

What quishing is

Quishing = "QR" + "phishing". The scammer creates a QR that leads to a fake site, and lures you into scanning it. Common tactics:

🏷️ Fake sticker over the real one

The classic. In a parking lot, on a parking meter or on a payment poster, the scammer places a sticker with their own QR over the official one. You scan thinking it's the legitimate payment, but the money goes to their account.

📧 QR in a fake email/letter

"Your account will be blocked, scan the QR to verify." The QR leads to a fake bank page that steals your password.

🪧 Tampered QR in a public place

A "Free Wi-Fi" or promo poster with a QR that leads to a malicious page.

💸 Fake payment QR

A fake donation or charge QR that carries the scammer's account. You pay thinking the money is going to one place, but it goes to another.

How to recognize a suspicious QR

⚠️ Warning signs

  1. A sticker over another one — if the QR looks stuck over something, be suspicious. Especially on a parking meter, restaurant table, payment poster.

  2. A strange domain in the link — after scanning, the phone shows the link before opening. Look: does the domain match the company? secure-bank-payment.xyz is not your bank's site.

  3. A suspicious shortener — very short links (a generic bit.ly) hide the real destination. Not always a scam, but it calls for attention.

  4. Asks for unexpected login or payment — if you scanned a menu and it suddenly asks for your bank password, something is VERY wrong.

  5. Urgency and threat — "Act now or your account will be blocked" is a classic scam tactic.

  6. Spelling errors / shoddy design — a poorly made destination page, with errors, is a red flag.

How to scan safely (checklist)

✅ Before scanning

  • Is the QR in an official, trustworthy place? (not a suspicious loose sticker)
  • Does it look stuck over another QR? Don't scan.

✅ After scanning (before tapping the link)

  • Read the link that appears on screen. iPhone and Android show the address before opening.
  • Does the domain match who it should be?
  • Is it HTTPS (padlock)? (doesn't guarantee safety, but plain HTTP is worse)

✅ Never do via QR

  • Don't enter your bank password on a page opened by a QR you don't trust 100%.
  • Don't enter card details in a payment that arrived via an untrusted QR.
  • Don't download an app from an unknown source via QR.

✅ For payment QR

  • Check the recipient's name before confirming. The payment app shows who you're paying — if it's not who it should be, stop.

For businesses: how to protect YOUR QR

If you use QR in your business, protect your customers:

  1. Tamper-resistant material — a QR engraved/printed in a way that can't be easily covered. On a parking meter/kiosk, use a fixed plate, not a sticker that's easy to cover.

  2. Dynamic QR with your own domain — if the redirector uses your domain (code2scan.com/q/...), the customer sees a recognizable link.

  3. Monitor the scans — a dynamic QR lets you see abnormal patterns. A strange spike in scans may indicate tampering.

  4. Educate the customer — "Check that the payment is to [YOUR BUSINESS] before confirming".

  5. Test your QRs regularly — scan them yourself to make sure they lead to the right place.
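
One way to automate the link checks from the warning signs (domain, shortener, HTTPS) when testing your own QRs, as an added example that is not part of the original article. The domain shop.example, the placements and the decoded payloads are constructed, and the shortener list is only a small sample.

```python
from urllib.parse import urlsplit

# Assumption: a small sample of public shortener hosts; extend it for your own use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def triage_qr_url(payload, expected_domains):
    """Return warning flags for one decoded QR payload (empty list = nothing found)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname excludes userinfo and port
    except ValueError:
        return ["not-a-web-link"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not-a-web-link"]  # e.g. a Wi-Fi or payment payload; review by hand
    flags = []
    if parts.scheme != "https":
        flags.append("no-https")
    if host in SHORTENERS:
        flags.append("shortener-hides-destination")
    # Match on a dot boundary: "shop.example.pay-now.test" must NOT pass as shop.example.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        flags.append("domain-mismatch")
        # Heuristic: the first label of an expected domain reused inside a foreign host.
        brands = {d.split(".")[0] for d in expected_domains}
        if any(b in host for b in brands):
            flags.append("brand-in-foreign-domain")
    return flags

def audit(inventory, expected_domains):
    """Map each placement to its flags, keeping only placements that need a look."""
    report = {}
    for place, payload in inventory.items():
        flags = triage_qr_url(payload, expected_domains)
        if flags:
            report[place] = flags
    return report

# Constructed sample: placement -> payload decoded from the QR found at that spot.
SAMPLE_INVENTORY = {
    "table-12": "https://shop.example/q/menu",
    "kiosk-3": "https://secure-bank-payment.xyz/pay",   # HTTPS, still the wrong domain
    "poster-a": "https://bit.ly/placeholder",
    "flyer-b": "http://shop.example.pay-now.test/q/1",
    "wifi-card": "WIFI:S:Guest;T:WPA;P:placeholder;;",
}

if __name__ == "__main__":
    for place, flags in audit(SAMPLE_INVENTORY, ["shop.example"]).items():
        print(f"{place}: {', '.join(flags)}")
```

A placement that shows up in the report with domain-mismatch where your own QR should be is the "sticker on top" case worth inspecting in person.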

The truth: can you use QR with peace of mind?

Yes. With common sense, QR Codes are safe in everyday life. The quishing risk is real, but avoidable:

  • Scanned it? Look at the link before tapping.
  • Asked for an unexpected password/card/payment? Stop.
  • QR looks tampered with (sticker on top)? Don't use it.

It's the same caution you already have (or should have) with email and SMS links. QR didn't create a new danger — it's just one more channel for the same kind of scam that already exists.

Summary

  1. The QR isn't dangerous — its destination can be.
  2. Quishing = a scam that uses QR to take you to a fake site.
  3. Always read the link before opening (the phone shows it).
  4. Be suspicious of a sticker on top, a strange domain, an unexpected password/payment request.
  5. For payments, check the recipient before confirming.
  6. Businesses: use dynamic QR with your own domain and tamper-resistant material.
