GuideNacho G.8 min read

Are QR Codes Safe to Scan? Honest Risks

Are qr codes safe? The code itself can't harm you, but where it sends you can. Learn the actual risks, the myths, and how to scan safely.

Are QR Codes Safe to Scan? Honest Risks

This article was written by the QR Nova team. We build QR code software, which may inform our perspective.

Articles about QR code safety split into two camps: paranoid warnings that suggest never scanning anything, and breezy reassurances that QR codes are "just links." Both miss the point. QR codes are safe to scan in the same way that clicking a link is safe to click, the code itself cannot harm your device, but what it directs you to can. The actual threat model is specific, the risks are real in defined contexts, and avoiding them takes about 10 seconds of judgment per scan.

TL;DR

  • Scanning a QR code cannot by itself install malware or steal data, it's equivalent to typing a URL.
  • The risk is the destination: phishing sites, malicious downloads, and credential theft via fake payment pages.
  • QR code phishing (quishing) is a documented, growing attack vector, the FBI warned about it formally in January 2024.
  • Physical tampering (stickers over legitimate codes) is the most common real-world attack; digital QR codes in emails are the most common spam/phishing vector. Learn more about how QR codes can be hacked.
  • Most QR code scans, restaurant menus, product packaging, business cards, carry negligible real-world risk.

Are QR codes safe?

Generate your first QR code — free

Get started

A QR code is a machine-readable pattern encoding text, usually a URL, but potentially any short string of data. When your phone scans it, the camera decodes the pattern and presents the text. At this point, nothing harmful has happened. The QR code itself has no executable component, no payload, no ability to run code on your device.

The risk begins when your phone acts on that decoded text. If the QR code encodes a URL and your phone opens it automatically, you've navigated to that URL, and everything that can go wrong with visiting a malicious URL can now go wrong. This is equivalent to clicking a link in an email from an unknown sender.

Understanding this distinction determines the right response. You're not protecting yourself from QR codes. You're protecting yourself from what they link to.

The real threat: quishing (QR code phishing)

Quishing, QR code phishing, is the primary documented attack vector involving QR codes, and it's growing. The FBI Cyber Division issued a formal public service announcement in January 2024 warning that cybercriminals are "tampering with both digital and physical QR codes to redirect victims to malicious sites."

The mechanics are straightforward. Attackers know that most email security gateways scan hyperlinks for known malicious domains but don't analyze embedded images. By placing a QR code in a phishing email instead of a hyperlink, they bypass link-scanning defenses. The victim scans with their phone, often a personal device not covered by corporate security software, and lands on a credential-theft page.

According to a 2024 Hoxhunt threat intelligence report, QR code phishing attacks increased 587% in the first half of 2024 compared to the same period in 2023. This isn't theoretical. It's an active, documented attack pattern.

The parking meter scam: real-world physical quishing

Physical quishing targets high-traffic, low-supervision locations. The most documented pattern in 2023–2024 was fake parking payment QR codes. Attackers placed stickers over legitimate payment QR codes on parking meters in cities including Austin, San Antonio, and Houston (reported by the Austin Police Department in February 2023). Victims scanned the sticker code, entered their credit card details on a convincing fake payment page, and paid nothing while their card data was stolen.

This attack works because parking meters are outdoor infrastructure most people don't inspect closely before scanning. Distinguishing a sticker applied over an existing code from the original requires you to physically check whether the code is raised or has visible edges. Most people don't.

How to tell if a QR code is safe to scan

You cannot definitively verify a QR code's safety before scanning it, that's the fundamental challenge. But you can substantially reduce risk with a few habits.

Use a QR scanner that previews the URL

Knowing how to scan a QR code safely starts with your scanner app. The default camera apps on iOS and Android open URLs automatically after a brief display. Most users don't read the preview. A dedicated QR scanner app (Kaspersky QR Scanner, Trend Micro QR Scanner, or similar) shows you the full URL and asks you to confirm before opening it. That gives you a chance to read the domain before proceeding.

Red flags in the URL preview: unfamiliar domains, domains that misspell well-known brands (paypa1.com, arnazon.com), URL shorteners (bit.ly, tinyurl.com) that hide the actual destination, and HTTP URLs (non-HTTPS).

Inspect physical codes for tampering

For QR codes in public spaces, especially payment-related ones (parking, vending, transit), check whether the code is:

  • Part of the original printed material (integrated into the design, not added after)
  • Flat against the surface with no raised edges or sticker seam
  • Matching in style to the surrounding material

If any of these checks fail, treat the code as potentially compromised. For payment codes, look for an official website address or phone number on the meter/machine and use that to pay instead.

Context is the best predictor of risk

The risk profile of a QR code scan correlates heavily with how and where it appeared:

  • Low risk: Product packaging from a known brand, restaurant menus printed and laminated by the restaurant, business cards from a person you just met, event badges and tickets, QR codes in physical retail from established stores.
  • Medium risk: QR codes in email newsletters from companies you've opted into, QR codes on flyers in public spaces, codes on handwritten notes.
  • High risk: QR codes in unsolicited emails or text messages (especially claiming urgency), codes in emails impersonating your bank or employer, codes on parking meters or public payment kiosks with sticker overlays, codes promising free gifts or prizes.

What can't go wrong when you scan a QR code

Clarifying false threats is as useful as identifying real ones. Despite what some security articles imply, these things cannot happen from scanning a QR code:

  • Drive-by malware installation: Scanning the pattern and having your phone decode it to a URL cannot install malware. This requires a browser vulnerability, keeping your phone OS updated is the mitigation.
  • Bluetooth or NFC exploitation via QR code: QR codes cannot trigger Bluetooth pairing, NFC payments, or system-level actions without explicit user confirmation in modern iOS and Android.
  • Direct camera access or microphone activation: Reading a QR code does not grant the website permission to access your camera or microphone. Permission grants still require explicit user action.
  • SIM swap or account takeover purely from a scan: A QR code can take you to a phishing page that then tricks you into entering credentials or approving an action, but the QR code itself cannot execute these.

QR codes in emails: the most common risk vector

By volume, QR codes in emails are the highest-risk scanning context for most people. The pattern: an email appears to come from your bank, delivery service, or employer. It contains a QR code and asks you to "verify your account," "confirm a delivery," or "approve a sign-in request." The QR code leads to a convincing phishing page.

Here's the key thing to remember: legitimate services almost never require you to scan a QR code to take a routine account action. Banks send links, not QR codes, for login or verification. Delivery services send tracking links. If a QR code in an email creates urgency ("scan within 24 hours or your account will be suspended"), that's the attack pattern, not a legitimate service behavior.

The FTC's guidance on QR code scams (published February 2024) specifically flags this: "Scammers hide harmful links in QR codes to steal personal information." Their guidance mirrors this framework, the scan itself isn't the harm, the destination is.

When QR code safety isn't a concern

The vast majority of QR code scans in everyday life carry negligible risk. Scanning a QR code at a restaurant to see the menu, connecting to a business's WiFi via a QR code, getting contact details from a business card, or scanning a product for more information, these are low-risk contexts where the code creator is known (the restaurant, the business, the manufacturer) and the destination is predictable.

Contextual trust is the filter: do you know who created this QR code, and does the context make it plausible that their code goes somewhere legitimate? If yes, scan it. If the answer to either question is no, take a second to preview the URL before opening it.

Creating safe QR codes for others to scan

If you're creating QR codes for your business, events, or materials, the safety question runs in the other direction: how do you ensure the people scanning your codes trust them?

Three practical steps:

  1. Use static codes when possible: Static codes encode your destination directly, there's no redirect through a third-party server that could be compromised or taken over. A static QR code at your business's WiFi generator is as trustworthy as the physical material it's printed on.
  2. For dynamic codes, use a custom domain: If your QR code redirects through yourbrand.com/qr/abc rather than qr-platform.com/abc123, scanners can recognize your domain in the URL preview and trust it more readily.
  3. Don't use redirect chains: Every redirect hop between your QR code and the destination adds potential risk and reduces the transparency of where the scan is going.

QR codes created at QR Nova for static use cases are as safe as you can get, the destination is encoded directly, there's no third-party redirect, and there's nothing for an attacker to compromise between the code and your destination. Business card QR codes and WiFi codes generated here are static by definition.

The honest bottom line

QR codes are safe to scan when you know who created them and where you are. They are not inherently safe when they arrive unsolicited via email or when they appear on outdoor payment infrastructure where tampering is possible. This is the same risk calculus you apply to clicking links, QR codes just make the source slightly more opaque.

The appropriate response is not paranoia. Most QR code scans are completely benign. Apply the same situational judgment you apply to links: consider the source, preview before you act, and pause when something creates urgency.

Frequently asked questions

Can scanning a QR code give you a virus?

Scanning the QR code itself cannot install malware, your camera just reads a pattern and converts it to text. The risk is what happens next: if the decoded URL leads to a malicious website that exploits a browser vulnerability or tricks you into downloading something, that's where the harm occurs. The QR code is a delivery mechanism, not the threat itself.

What is QR code phishing (quishing)?

Quishing is a phishing attack using QR codes instead of hyperlinks. Attackers send emails, place stickers over legitimate QR codes, or print fake codes in public places, all leading to credential-stealing websites. The FBI issued a formal warning about quishing in January 2024, citing a significant increase in reports.

How can I tell if a QR code is safe before scanning?

You can't fully verify a QR code before scanning it without a QR code reader that shows you the URL before opening it. Most phone cameras open the URL immediately. Use a QR scanner app that shows you the URL first and lets you confirm before proceeding. If you're in a public space, inspect the QR code for signs of tampering, a sticker placed over an existing code is a red flag.

Is it safe to scan a QR code from a restaurant?

Generally yes, established restaurants with printed QR codes on their physical menus are low risk. The risk increases with stickers or handwritten additions to existing materials, codes in unsolicited email or mail, and codes in locations where tampering would be easy (parking meters, public notices). If the QR code is physically integrated into printed material, it's very unlikely to be tampered with.

Can a QR code steal my personal information?

A QR code itself cannot, it's just a pattern encoding text. But the website it leads to can attempt to steal information through phishing forms, session hijacking, or social engineering. Scanning a QR code is equivalent to clicking a link you received from an unknown source.

Are QR codes used for scams?

Yes, QR code scams are documented and growing. The FTC reported a notable increase in QR-code-related fraud complaints in 2024. Common patterns include fake parking payment meters, fraudulent cryptocurrency transfer codes, and phishing emails with QR codes substituted for hyperlinks (to evade email security filters that don't scan images).

Is it safe to scan QR codes with my banking app?

Only scan QR codes with your banking app when the source is unambiguous, the bank's own physical branch, official correspondence, or in-app instructions. Never scan a QR code from an email claiming to be your bank unless you initiated the interaction. Bank-related QR code scams are among the most common as of 2024.

Generate your first QR code — free

Get started