
QR Code Security & Safety: How to Protect Yourself From QR Scams

Published April 6, 2026 · 8 min read

QR codes are genuinely useful. They're also an increasingly attractive target for scammers. As scanning has become second nature — restaurants, parking meters, event check-ins — attackers have followed the eyeballs. Here's what's actually going on, and what to do about it.

The Core Problem

At its heart, a QR code is just an encoded instruction — almost always a URL. Scan it, and your phone follows that instruction without asking questions. That's the design. And that's the problem.

You can't read a QR code with your eyes. A printed URL gives you a chance to evaluate it before clicking. A QR code hides its destination entirely until you've already scanned it. That single fact is what makes them such a useful tool for social engineering.

Common QR Code Attacks

1. Quishing (QR Phishing)

This is the big one right now. Scammers embed QR codes in emails, text messages, or physical mail, pointing victims toward fake login pages built to harvest credentials. The scenario is almost insultingly simple: an email that looks like it's from your bank, a QR code to "verify your account," and a convincing replica of your bank's login page waiting on the other side.

Why it works: Standard email security filters scan URLs in message text — but they often can't analyze a URL baked into a QR code image. The code slips right past the filter. Attackers didn't stumble onto that gap by accident; they use QR codes because of it.

2. Sticker Overlays (Tampered Codes)

This one is low-tech and disturbingly effective. Someone prints their own QR code, slaps a sticker over a legitimate one at a parking meter, restaurant table, or transit station, and walks away. You scan what looks like an official code and land on a fake payment page instead.

It's not hypothetical. In 2022, police departments in San Antonio, Austin, and Houston all issued warnings after fake QR stickers appeared on hundreds of parking meters, funneling payments to fraudulent sites.

3. Malicious Wi-Fi Codes

A QR code can auto-connect your phone to a Wi-Fi network — no password required from you. If that network is attacker-controlled, you've just handed someone a front-row seat to your traffic. Man-in-the-middle attacks from there are straightforward.
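To see what a Wi-Fi code would have your phone join, you can decode its text and inspect the fields. The sketch below is an added example, not QRForged code; it assumes the widely used `WIFI:T:...;S:...;P:...;;` payload convention (the article does not spell out the format), and the sample payloads are constructed.

```python
# Added example: inspect a Wi-Fi QR payload before joining the network.

def _split_unescaped(body, sep=";"):
    """Split on `sep`, honouring backslash escapes, and unescape as we go."""
    parts, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def parse_wifi_payload(payload):
    """Return the fields of a WIFI: payload (T=auth, S=SSID, P=password, H=hidden)."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    fields = {}
    for part in _split_unescaped(payload[len("WIFI:"):]):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = value
    return fields

def review_wifi_payload(payload):
    """Summarise what a scan would join. It cannot tell who operates the network."""
    f = parse_wifi_payload(payload)
    auth = f.get("T") or "nopass"
    warnings = []
    if auth.lower() == "nopass":
        warnings.append("open network: no link-layer encryption")
    elif auth.upper() == "WEP":
        warnings.append("WEP: obsolete, easily broken encryption")
    return {"ssid": f.get("S", ""), "auth": auth,
            "hidden": f.get("H", "").lower() == "true", "warnings": warnings}

# Constructed sample payloads.
SAMPLES = [
    r"WIFI:T:WPA;S:Cafe\;Guest;P:p\:ss\\word;;",
    "WIFI:S:Free Airport WiFi;T:nopass;;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(review_wifi_payload(s))
```

A clean result only means the payload is well formed; a password-protected network can still be run by whoever printed the code.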

4. Payment Fraud

In regions where QR payments are ubiquitous — China, India, much of Southeast Asia — replacing a merchant's payment code with your own is a real attack vector. Some scammers don't even bother with merchants; they post fake "charity donation" codes at events or in public spaces and collect money directly.

5. Malware Distribution

QR codes can link to app downloads or arbitrary files. Modern phones won't auto-install anything from a scan, but a well-designed landing page can pressure users into sideloading a malicious app — especially when it's dressed up as something urgent or official-looking.

How to Stay Safe When Scanning

For Consumers

  1. Preview the URL before opening. Your phone's camera shows the destination before you tap through. Actually read it. Does the domain look right? Watch for character swaps — g00gle.com, paypa1.com, that kind of thing.
  2. Be skeptical of codes in unexpected places. A QR sticker on a random lamppost. A flyer slid under your hotel room door. Treat these exactly like you'd treat a suspicious link from an unknown sender — because that's what they are.
  3. Look for signs of tampering. Before scanning a code at a restaurant, meter, or transit stop, give it a quick look. Raised edges, misalignment, a slightly different material — those are signs someone stuck something over the original.
  4. Ignore QR codes in unsolicited emails or texts. Legitimate organizations almost never send QR codes via email as a primary action. If your bank sends you one, call them using the number on the back of your card and ask what's going on.
  5. Stick to your phone's built-in scanner. The native camera app on iOS and Android shows you the URL first. Third-party QR apps often skip that step entirely.
  6. Never enter credentials after scanning a QR code unless you've verified the site independently. If a scan drops you on a login page, close it and navigate to the site yourself through your browser.
  7. Keep your phone updated. Unglamorous advice, but OS updates ship security patches that close known exploits. Don't skip them.
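The "does the domain look right?" check from step 1 can be made mechanical. This is an added example, not part of the original article: it flags the digit swaps mentioned above (g00gle.com, paypa1.com) and goes a little further to cover two related tricks, a trusted name used as a subdomain of another host and a trusted name placed before an `@`. The trusted list and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the sites this user really deals with (constructed list).
TRUSTED = {"google.com", "paypal.com"}
# Digit-for-letter swaps; "1" is tried as both "l" and "i".
SWAP_TABLES = [str.maketrans("01357", "olest"), str.maketrans("01357", "oiest")]

def registrable(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def check_scanned_url(url):
    """Return (verdict, findings) for a URL shown in the scanner preview."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    domain = registrable(host)
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo-before-host")      # real host is after the '@'
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")            # may render as look-alike letters
    if domain not in TRUSTED:
        for table in SWAP_TABLES:
            if domain.translate(table) in TRUSTED:
                findings.append("digit-swap-of:" + domain.translate(table))
                break
        for name in sorted(TRUSTED):
            if name in host:
                findings.append("trusted-name-inside-other-host:" + name)
    if domain in TRUSTED and not findings:
        return "trusted", findings
    return ("suspicious" if findings else "unknown"), findings

if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ["https://www.paypal.com/signin", "https://paypa1.com/login",
              "https://paypal.com.account-check.example/login",
              "https://paypal.com@login.example/", "https://menu.example/table/12"]:
        print(u, check_scanned_url(u))
```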

For Businesses

  1. Use your own domain. Your QR codes should point to URLs you control — not third-party link shorteners that could be repurposed or expire.
  2. Physically check your codes. Make it a habit to scan your own printed QR codes periodically. It takes ten seconds and it's the only reliable way to catch a sticker overlay.
  3. HTTPS only, no exceptions. Every URL in every QR code should be served over HTTPS. Still overlooked more than it should be.
  4. Tell customers what to expect. If you use QR codes for payments or login, say so explicitly: "This code takes you to yourdomain.com/pay." Setting expectations makes it much harder for a fake to go unnoticed.
  5. Print codes directly on branded materials. A QR code printed on your menu or packaging is significantly harder to tamper with than a standalone sticker affixed to a surface.
  6. Use branded QR codes. Your logo and brand colors embedded in the code raise the bar for anyone trying to pass off a fake as the real thing.
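Points 1 to 3 combine into a routine audit: keep an inventory of what each printed code is supposed to encode, scan the codes on a walk-round, and compare. The script below is an added example, not QRForged code; `yourdomain.com` is the article's placeholder, and the inventory, scan results and shortener list are constructed for illustration.

```python
from urllib.parse import urlsplit

OWN_DOMAINS = {"yourdomain.com"}                 # the article's placeholder domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # illustrative, not exhaustive

def audit_code(expected_url, decoded_payload):
    """Check one printed code: what it should encode vs. what a scan returned."""
    issues = []
    parts = urlsplit(decoded_payload)
    host = (parts.hostname or "").lower()
    if decoded_payload != expected_url:
        issues.append("payload-mismatch")        # possible sticker overlay or reprint error
    if parts.scheme.lower() != "https":
        issues.append("not-https")
    if host in SHORTENERS:
        issues.append("third-party-shortener")
    elif not any(host == d or host.endswith("." + d) for d in OWN_DOMAINS):
        issues.append("foreign-host")
    return issues

def audit_inventory(inventory, scans):
    """inventory: location -> expected URL; scans: location -> decoded payload."""
    report = {}
    for location, expected in inventory.items():
        if location not in scans:
            report[location] = ["not-scanned"]
        else:
            report[location] = audit_code(expected, scans[location])
    return report

# Constructed inventory and walk-round results.
INVENTORY = {
    "table-12 menu": "https://yourdomain.com/menu",
    "car-park meter": "https://yourdomain.com/pay",
    "spring flyer": "http://bit.ly/EXAMPLE",
    "front window": "https://shop.yourdomain.com/hours",
}
SCANS = {
    "table-12 menu": "https://yourdomain.com/menu",
    "car-park meter": "https://yourdomain-pay.example/pay",
    "spring flyer": "http://bit.ly/EXAMPLE",
}

if __name__ == "__main__":
    for location, issues in audit_inventory(INVENTORY, SCANS).items():
        print(f"{location}: {', '.join(issues) or 'ok'}")
```

The flyer entry shows that a code can match its inventory record and still fail policy, so the expected URLs deserve the same review as the scans.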

QR Codes and Privacy

Security attacks get the headlines, but there's a quieter privacy dimension worth knowing about too.

Privacy advantage of QRForged: Our generator runs entirely in your browser. No data is sent to any server. Your URLs, passwords, and contact information never leave your device.

The Bottom Line

Here's the uncomfortable truth about QR code attacks: they don't exploit technical vulnerabilities. They exploit you. The code itself is just a data carrier — it can't install malware or access your accounts on its own. The damage happens in what you do after scanning: following a link to a fake page, typing in your password, connecting to a hostile network.

Give a QR code the same skepticism you'd give an unsolicited link. If something feels off — the URL looks wrong, the context doesn't make sense, the code looks like it's been stuck over something — trust that instinct. It's usually right.
