Are QR Codes Safe? How to Spot a Malicious One
QR codes themselves are safe. A QR code is just a compact way of encoding data, most often a URL, but also Wi-Fi credentials, contact cards, phone numbers or app links. The code is inert; the risk lies in what the payload points to and in what your phone does with it. And because every QR code looks like every other, you cannot judge one by eye the way you can a printed URL.
QR phishing — called "quishing" — surged 587% in 2024 and now accounts for over 20% of online scams in some markets. This guide explains how it works, how to spot a suspicious QR code, and how to create QR codes that your own customers can trust.
How QR Code Phishing (Quishing) Works
QR phishing (quishing) puts a phishing link behind a QR code instead of a visible hyperlink: either a legitimate code in a public place is replaced or covered, or a malicious code is embedded in email, paper notices or ads where a link would normally be. Common attack vectors:
- Sticker replacement: Malicious stickers placed over legitimate QR codes in restaurants, parking meters, or public spaces
- Fake delivery notifications: Emails or paper notices claiming a package is held, with a QR code linking to a credential-stealing site
- Fake invoice QR codes: Business email compromise attacks embedding malicious QR codes in fake invoices sent to accounting teams
- Malicious ads: QR codes in print ads or online that appear legitimate but redirect to phishing pages
The QR code itself isn't malicious; it is the link. The danger is in where it points, and in the fact that the victim usually follows it on a personal phone, outside the web filtering and endpoint protection of a managed laptop.
Key Takeaways
- Quishing email hides the URL inside an image, so link scanners that extract URLs from the message text and HTML never see it unless they also decode images
- QR codes in unexpected contexts (parking meters, ATMs, door-to-door flyers) warrant extra scrutiny
- Scanning moves the click to a phone, where the URL preview is short and often truncated and the device is usually outside corporate web filtering and endpoint controls
How to Identify a Suspicious QR Code
Before tapping through from a QR code scan, check these signals:
- Preview the URL your camera shows. Modern iPhone and Android cameras display the URL before you tap through. Read it: does the domain match the expected source? Look for misspellings and lookalikes (paypa1.com, arnazon.com), the brand name used as a subdomain of something else (paypal.com.verify.example), and an "@" in the address, which makes everything before it decoration. Note that the preview shows the URL encoded in the code, not where it finally lands: a shortener or a dynamic QR redirect hides the real destination, so treat those as unverified until the final address is visible in the browser.
- Check for physical tampering. If a QR code looks like a sticker placed on top of another QR code, or appears to be an overlay, don't scan it. Report it to the venue.
- Context mismatch. A QR code on a parking meter in a city where meters don't use QR codes, a QR on a public ATM you didn't initiate, or an unsolicited mail piece with a QR are all higher-risk situations.
- Unsolicited QR codes in email. A legitimate business that you've contacted before may send a QR. But an email from an unknown sender with a QR and urgency language (your account will be suspended) is almost certainly phishing.
If in doubt, don't scan. Find the official website by typing it directly into your browser instead.
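The checks above can be written down as a short triage routine that runs over a decoded payload before anything is opened. The example below is added here and is not code from the article or from QR Base; the payloads at the bottom are constructed, and the expected brand domains, the shortener list and the redirect parameter names are assumptions for the demo. It goes a little beyond the bullets: it also handles non-URL payloads (Wi-Fi, tel, sms, mailto), bare IP destinations and punycode labels.

```python
"""Triage a decoded QR payload before acting on it (added example, not QR Base code)."""
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts that hide the final destination behind a redirect (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qr-base.app"}
# Query keys commonly abused as open redirects (assumed list).
REDIRECT_KEYS = {"url", "redirect", "redirect_uri", "next", "return", "goto"}


def normalize(label: str) -> str:
    """Fold the visually confusable substitutions seen in lookalike domains (rn->m, vv->w, 1->l, 0->o, 5->s)."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("105", "los"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host; a Public Suffix List lookup would be needed for co.uk-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(host: str, expected: set) -> Optional[str]:
    """Return the expected domain this host imitates, or None if it is genuine or unrelated."""
    reg = registrable(host)
    if reg in expected:
        return None
    name = normalize(reg.split(".")[0])
    subdomain_labels = {normalize(label) for label in host.lower().split(".")[:-2]}
    for exp in expected:
        exp_name = exp.split(".")[0]
        # typosquat of the registrable name, or the brand used as a subdomain
        # of an unrelated registrable domain (paypal.com.verify.example)
        if edit_distance(name, exp_name) <= 1 or exp_name in subdomain_labels:
            return exp
    return None


def verdict(findings: list) -> str:
    levels = {level for level, _ in findings}
    if "high" in levels:
        return "do not open"
    if "medium" in levels:
        return "verify destination first"
    return "no red flags"


def triage(payload: str, expected: set) -> dict:
    """Classify a decoded payload and list the red flags a person should read before tapping."""
    findings = []
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        findings.append(("medium", "joins a Wi-Fi network; an attacker-run network can watch or redirect traffic"))
        return {"kind": "wifi", "host": None, "findings": findings, "verdict": verdict(findings)}
    try:
        parts = urlsplit(text)
    except ValueError:
        findings.append(("high", "payload is not a parseable URL"))
        return {"kind": "other", "host": None, "findings": findings, "verdict": verdict(findings)}
    scheme = parts.scheme.lower()
    if scheme in {"tel", "sms", "mailto"}:
        findings.append(("medium", f"{scheme}: hands off to another app (dialer, messages, mail) instead of the browser"))
        return {"kind": scheme, "host": None, "findings": findings, "verdict": verdict(findings)}
    if scheme not in {"http", "https"}:
        findings.append(("high", f"unexpected scheme '{scheme or 'none'}'"))
        return {"kind": "other", "host": None, "findings": findings, "verdict": verdict(findings)}
    host = parts.hostname or ""
    if not host:
        findings.append(("high", "URL has no host"))
    if scheme == "http":
        findings.append(("high", "plain HTTP: anyone on the path can read or rewrite the page"))
    if parts.username is not None:
        findings.append(("high", f"'{parts.username}@' in the URL is decoration; the real host is {host}"))
    try:
        ipaddress.ip_address(host)
        findings.append(("high", "destination is a bare IP address, not a named site"))
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("high", "internationalized label (xn--) can render as a homograph of a familiar name"))
    imitated = lookalike_of(host, expected) if host else None
    if imitated:
        findings.append(("high", f"{host} looks like {imitated} but is not it"))
    if registrable(host) in SHORTENERS:
        findings.append(("medium", "shortener/redirector: the preview does not show the final destination"))
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_KEYS and any(v.lower().startswith(("http:", "https:", "//")) for v in values):
            findings.append(("medium", f"query parameter '{key}' carries a second URL (possible open redirect)"))
    return {"kind": "url", "host": host, "findings": findings, "verdict": verdict(findings)}


if __name__ == "__main__":
    expected_brands = {"paypal.com", "amazon.com"}  # assumed: the sites you expected the code to lead to
    samples = [  # constructed payloads
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://www.arnazon.com/ap/signin",
        "https://paypal.com.verify.example/login",
        "https://paypal.com@evil.example/",
        "http://192.0.2.10/menu",
        "https://bit.ly/example",
        "WIFI:T:WPA;S:FreeCafe;P:secret;;",
    ]
    for sample in samples:
        result = triage(sample, expected_brands)
        print(f"{result['verdict']:24} {sample}")
        for level, message in result["findings"]:
            print(f"    [{level}] {message}")
```

The lookalike test deliberately stays crude (two-label registrable domain, a handful of confusable substitutions, edit distance of one); production tooling would use the Public Suffix List and a full confusables table, but even this version catches the paypa1/arnazon class of names and the brand-as-subdomain trick that a short phone preview hides.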
Key Takeaways
- Always read the URL preview before tapping through on a QR scan
- Look for sticker overlays on public QR codes — a common physical attack
- Never enter credentials on a site you reached through an unsolicited QR code
How to Create QR Codes Your Customers Trust
If you're creating QR codes for your business, here's how to build trust signals that help customers feel confident scanning:
- Brand your QR codes. A QR code with your logo and brand colors visually signals it belongs to your organization and is harder to fake casually than a plain black-and-white code. A logo can still be copied, so treat branding as one signal alongside the printed URL, not as proof on its own. QR Base makes this easy.
- Use a custom domain. If possible, use your own branded short domain for QR redirects instead of a generic qr-base.app URL. Customers who preview the URL then see your brand name and can compare it with the address printed on the material.
- Display the destination. On printed materials, include the URL below the QR code — "Scan or visit qr-base.com/menu". This lets skeptical users navigate directly.
- Secure your QR codes physically. On high-traffic physical placements, check periodically for sticker overlays. Laminated QR codes (common on restaurant tables) are harder to overlay than bare prints.
- Only redirect to HTTPS. Ensure every URL your QR codes point to uses HTTPS, including any intermediate redirect. Unencrypted HTTP destinations immediately look suspect to security-aware users. HTTPS is table stakes rather than a trust signal in itself, since phishing sites use it too; it stops the page being read or rewritten in transit, nothing more.
Key Takeaways
- Branded QR codes (with your logo) are harder to fake casually, but pair them with a printed URL since a logo can be copied
- Print the destination URL below the QR code — it builds trust
- Check high-traffic physical QR placements monthly for overlays
Frequently Asked Questions
No. A QR code is only encoded data; it cannot run by itself. What matters is what the scanning app does with the payload: open a website, join a Wi-Fi network, dial a number, start a message. The website behind a malicious code can try to steal credentials or push a malicious download. The QR is the delivery vehicle; the destination is the threat.
Quishing (QR phishing) is a form of phishing attack that uses QR codes instead of traditional email links. Because the URL lives inside an image rather than in the message text, filters that extract and check links often miss it, and the victim ends up following the link on a phone that is outside corporate controls. That combination has made QR codes a preferred attack vector. Quishing attacks surged 587% in 2024.
You can't tell from looking at the code itself — all QR codes look similar. Rely on context: does it appear on trusted printed material? Was it unexpected? After scanning, check the URL your camera previews before tapping through.
Generally yes — restaurant QR codes are among the most common and legitimate uses. Risk increases at untended placements (self-service kiosks, parking meters). If a restaurant's QR code looks like a sticker overlay on existing material, verify with staff.
Brand the QR code with a recognizable logo, print the destination URL below it, use HTTPS for all destinations, and use a stable trusted QR platform. Physical lamination makes a sticker overlay harder to apply and easier to notice.
Dynamic QR codes track aggregate scan analytics (device type, approximate location, timestamp). This is anonymous and does not identify individuals. QR Base does not collect personally identifiable information from scanners.
Close the tab immediately without entering any information. If you entered credentials, change that password now, and on any other account where you reused it, and turn on multi-factor authentication. If you installed anything the site offered, treat the phone as compromised and have it checked before using it for banking or work. Report the suspicious code to the venue where you scanned it, and to your IT or security team if the device or the account is a work one.
Put This Guide Into Action
Create professional QR codes in minutes with QR Base. Free to start, no credit card required.
Create Your QR Code