The Rise of QR Phishing ("Quishing")
QR codes have become a trusted shortcut in everyday life — restaurant menus, parking meters, event tickets, and bank posters all use them. But that trust has created a new attack surface for cybercriminals. A technique called quishing (QR code phishing) has surged dramatically since 2022, with security firms reporting hundreds of percent increases in QR-based attacks year over year.
Unlike a suspicious link in an email — where you can hover to preview the URL — a QR code conceals its destination entirely within a pattern of black-and-white squares. Most people scan first and think second, which is exactly what attackers count on. The FBI's Internet Crime Complaint Center (IC3) and cybersecurity agencies across Europe have all issued formal warnings about QR phishing campaigns targeting consumers and businesses alike.
How QR Code Attacks Work
QR phishing attacks generally fall into three categories. The first is URL redirection: the QR code links to a convincing clone of a legitimate website — a bank login, a payment portal, or a parcel tracking page — designed to harvest your credentials or payment details. The second is malware delivery: scanning triggers an automatic download or deep-links into a vulnerable app, installing spyware or ransomware on your device. The third is physical tampering: criminals print and paste their own QR sticker on top of a legitimate one in public spaces — parking machines, charity collection boxes, and restaurant table-top signs are common targets.
What makes quishing especially dangerous is that corporate email filters, which are trained to detect malicious links in text, cannot read QR code images and simply let them through. Attackers have exploited this blind spot extensively in targeted spear-phishing campaigns against corporate employees.
Red Flags to Watch For Before Scanning
Before you raise your camera, take five seconds to assess the code and its surroundings. Physical signs of tampering — a sticker placed slightly off-centre, raised edges around the code, or a glossy patch over a matte background — are strong indicators that a code has been replaced. Codes printed on paper taped loosely to a surface are particularly suspect.
In digital contexts, be sceptical of QR codes sent via email or messaging apps from unknown senders, especially those that convey urgency ("Your account will be closed — scan now"). Legitimate organisations rarely ask you to take immediate action via a QR code in an unsolicited message.
How to Safely Preview a QR Code's Destination
Modern smartphone cameras and dedicated scanner apps display the decoded URL before opening it. Always read this preview carefully. Check for:
- The correct domain name (e.g. paypal.com, not paypal-secure-login.net)
- A valid HTTPS connection (look for the padlock, though note that HTTPS alone doesn't guarantee safety)
- Unusual subdomains that bury the real domain at the end of a long string
- URL shorteners (bit.ly, tinyurl) masking the true destination — use an unshortener tool before proceeding
Some security-focused scanner apps (such as Kaspersky QR Scanner or the built-in scanner in many Android phones) perform a reputation check on the URL in real time before navigation, adding an extra safety layer.
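As an added illustration (this is not code from the article or from QRGenPlus), the function below applies the four preview checks listed above to a URL decoded from a QR code. The shortener list and the two-label suffix set are small constructed stand-ins for a real URL reputation feed and the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed sample of shortener hosts that hide the true destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed sample of two-label public suffixes; a real checker would
# consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(host: str) -> str:
    """Registrable part of a host, e.g. 'login.paypal.com' -> 'paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_qr_url(decoded: str, expected_domain: str) -> list[str]:
    """Return the red flags found in a decoded QR URL for an expected brand domain.

    An empty list means every preview check passed, which does not by itself
    prove the site is safe; it only means no obvious lure was spotted.
    """
    flags = []
    parsed = urlparse(decoded.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        flags.append(f"not HTTPS (scheme is '{parsed.scheme or 'none'}')")
    if not host:
        flags.append("no hostname could be parsed from the QR payload")
        return flags
    if host in SHORTENER_HOSTS:
        flags.append(f"URL shortener '{host}' masks the true destination")
        return flags
    expected = expected_domain.lower()
    reg = registered_domain(host)
    # Everything left of the registered domain is the subdomain part.
    sub = host[: -len(reg) - 1] if len(host) > len(reg) else ""
    brand = expected.split(".")[0]
    if reg != expected:
        flags.append(f"registered domain is '{reg}', not '{expected}'")
        if brand in reg:
            flags.append(f"lookalike: '{brand}' inside an unrelated registered domain")
    if brand in sub:
        # Classic lure: the brand sits in a subdomain of someone else's domain.
        flags.append(f"'{brand}' appears only in a subdomain; real domain is '{reg}'")
    if sub.count(".") >= 2:
        flags.append("unusually deep subdomain nesting buries the real domain")
    return flags
```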
Safe Scanning Habits — A Practical Checklist
Use this checklist every time you're about to scan a QR code in a public or unfamiliar context:
- ✅ Inspect the physical code — look for stickers, bubbles, or misalignment that suggest tampering.
- ✅ Verify the source context — does it make sense for this business or location to use a QR code here?
- ✅ Read the URL preview — confirm the domain before tapping "Open".
- ✅ Don't scan codes from unexpected emails or texts — go directly to the website instead.
- ✅ Keep your OS and apps updated — patches close the vulnerabilities that malware-delivery QR codes exploit.
- ✅ Use a scanner with built-in URL reputation checking — not just the plain camera app.
- ✅ Never enter credentials after scanning a code — type the URL directly into your browser if the site asks for a password.
- ✅ Trust your instincts — if something feels off, don't scan it.
What Happens If You Scan a Malicious QR Code?
If you've already scanned a suspicious code, don't panic — but act quickly. If you were taken to a website but didn't enter any information, close the browser tab immediately and run a mobile security scan. If you entered a username and password, change those credentials at once from a different, trusted device, and enable two-factor authentication on the affected account. If a file was downloaded, do not open it; delete it and run a full antivirus scan. Report the incident to your IT department (if work-related) or to your country's cybercrime reporting authority.
How QRGenPlus Protects You
When you generate a QR code with QRGenPlus, every code is tied to a destination URL you control and verify. Our platform never uses opaque URL shorteners in your codes — you always know exactly where your QR code points. For businesses creating QR codes for customer-facing materials, this transparency is essential: your customers deserve to scan with confidence. We also recommend branding your QR codes with your logo and consistent colour palette so that customers can visually authenticate them as legitimate before scanning.
Conclusion
QR codes are genuinely useful tools — the answer is not to stop scanning them, but to scan smarter. A brief moment of inspection before you lift your camera is all it takes to sidestep the vast majority of quishing attacks. Check the physical code, read the URL preview, and never enter credentials prompted by an unsolicited QR scan. Stay aware, stay sceptical, and stay safe.
Ready to generate QR codes your audience can trust? Create a secure QR code with QRGenPlus →