Are QR Codes Safe? Security Risks and How to Avoid Them

Alex · Mar 7, 2026 · 6 min read

QR codes themselves are neutral — they're just a way to encode text, usually a URL. The safety depends entirely on what's behind that URL. A QR code can lead to your restaurant's menu, or it can lead to a phishing page designed to steal your login credentials.

As QR code usage has exploded, so have QR-based scams. Here's what you need to know.

The Risks

Quishing (QR Phishing)

The most common QR code scam. Attackers create QR codes that link to fake websites that look like legitimate services — your bank, PayPal, a parking payment app, a company login page. The victim scans, sees a familiar-looking page, and enters their credentials.

Quishing is effective because QR codes obscure the URL. Unlike a link in an email where you can hover to see the destination, a QR code reveals nothing until you scan it. And on a small phone screen, a URL like paypa1-login.com (with a number 1) looks convincingly like paypal-login.com.

Fake QR Overlay Stickers

Attackers print fake QR code stickers and place them over legitimate ones. Common targets: parking meters, restaurant menus, payment terminals, and public signage. The victim thinks they're scanning the legitimate code but is redirected to a scam site.

This is particularly insidious because the victim is in a trusted context (a parking meter, a restaurant table) and has no reason to suspect the QR code isn't genuine.

Malicious Redirects

A QR code that redirects to a page attempting to download malware, or to a page that requests excessive permissions (camera, contacts, location). Modern phones have protections against most drive-by downloads, but social engineering attacks ("You need to update your phone — tap here") can still trick users.

Data Harvesting

A QR code leading to a page that requests personal information under false pretenses: "Verify your identity to continue," "Enter your email to claim your reward," or "Fill out this form to get WiFi access." The collected data is used for spam, phishing, or identity theft.

How to Scan Safely (For Consumers)

Preview the URL before opening. Most modern phones show a URL preview when you scan a QR code — a small banner with the destination URL. Read it before tapping. Look for: known domain names, HTTPS, and correct spelling.

Check for tampering. Before scanning a QR code in a public place, look for signs that a sticker has been placed over the original code. Raised edges, different paper texture, or a sticker that doesn't match the surrounding material are red flags.

Don't enter credentials immediately. If a QR code takes you to a login page, pause. Did you expect to log in? Is this a legitimate site? Check the URL carefully. When in doubt, navigate to the site manually through your browser instead of using the scanned link.

Be cautious with payment QR codes. If a QR code in a public place asks for payment, verify it's legitimate. At a parking meter, check that the QR code matches official signage. At a restaurant, confirm with staff if anything looks off.

Use a QR scanner with preview. Your phone's default camera usually shows a preview before opening the link. Some third-party QR scanner apps also show the full URL and flag suspicious domains.

Keep your phone updated. OS updates include security patches that protect against known threats, including some QR-related attack vectors.

How to Protect Your QR Codes (For Businesses)

If you create QR codes for your business, you also need to protect your customers from scams.

Brand your QR codes. Use custom colors, your brand palette, and if possible, your logo. A branded QR code is harder to replace with a generic fake. Customers learn to recognize your branded codes.

Use a custom domain. Instead of a generic short URL, use your own domain for redirects. menu.yourrestaurant.com/table5 is more trustworthy than a random short link.

Add context and branding around the QR. A QR code within a branded frame, with your company name and a clear label ("Official Restaurant Name — Scan for Menu"), is harder for scammers to replicate convincingly.

Inspect your QR codes regularly. Check physical QR codes in your locations for tampering. Are your stickers still in place? Has anyone placed something over them? Make this part of your opening routine.

Use tamper-evident materials. For high-security applications (payments, access control), print QR codes on tamper-evident stickers that show visible damage if someone tries to peel and replace them.

Educate your customers. For payment QR codes or any sensitive application, display a notice: "Our official QR codes are printed on [specific material] and link to [yourdomain.com]. If anything looks different, please alert our staff."

HTTPS always. Every URL behind your QR codes should use HTTPS. This is basic but important — browsers warn users about insecure HTTP connections, which erodes trust.
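
The routine inspection above can be backed by a script: photograph each posted code, decode it with any QR reader, and run the decoded payloads through the same checks a customer is told to make on the preview (known domain, HTTPS, correct spelling). The following is an added example, not code from qree.app; the official domain, the sample payloads, the digit-swap table and the two-label domain approximation are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Digits often swapped for look-alike letters (constructed table, not exhaustive).
CONFUSABLES = str.maketrans("01357", "olest")

def registrable(host):
    # Approximation: last two labels. Ignores multi-part suffixes such as co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_payload(payload, official_domains):
    """Findings for one decoded QR payload; an empty list means it passed."""
    url = urlsplit(payload.strip())
    host = url.hostname or ""
    if url.scheme not in ("http", "https") or not host:
        return ["not a web URL"]
    findings = [] if url.scheme == "https" else ["not HTTPS"]
    domain = registrable(host)
    if domain in official_domains:
        return findings
    for good in sorted(official_domains):
        swapped = domain.translate(CONFUSABLES) == good.translate(CONFUSABLES)
        if swapped or edit_distance(domain, good) <= 1:
            return findings + [f"lookalike of {good}"]
    return findings + ["off-domain"]

def audit(payloads, official_domains):
    """Map each failing payload to its findings."""
    results = {p: check_qr_payload(p, official_domains) for p in payloads}
    return {p: f for p, f in results.items() if f}

# Constructed sample: payloads decoded from codes photographed on site.
SCANNED = [
    "https://menu.yourrestaurant.com/table5",
    "http://menu.yourrestaurant.com/table5",
    "https://menu.y0urrestaurant.com/table5",
    "https://qr-menu.example/table5",
]

if __name__ == "__main__":
    for payload, findings in audit(SCANNED, {"yourrestaurant.com"}).items():
        print(payload, "->", ", ".join(findings))
```

Any payload that comes back "off-domain" or "lookalike" on a code you posted yourself means the sticker at that location has been replaced and should be pulled.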

QR Code Safety by Context

Low risk: QR codes on products you purchased (the company has a business interest in not scamming you), QR codes on official printed materials from known organizations, QR codes you created yourself.

Medium risk: QR codes in restaurants and cafes (generally safe, but check for overlay stickers), QR codes at events and venues, QR codes in emails from known senders.

Higher risk: QR codes on public surfaces (parking meters, bus stops, public bulletin boards), QR codes received from unknown senders, QR codes found on random stickers or flyers.

The Bottom Line

QR codes are as safe as regular links — and carry the same risks. The difference is that QR codes obscure the URL until you scan, which requires slightly more caution. But with basic awareness (preview URLs, check for tampering, don't enter credentials hastily), QR codes are a safe and convenient technology.

Create Trusted QR Codes

At qree.app, create branded QR codes that customers recognize and trust. Custom colors and styles help differentiate your official codes from potential fakes.
