QR Code Safety: How to Spot Fake QR Codes & Stay Safe in 2026
Cybercriminals are increasingly using fake QR codes to steal credentials and hijack payments. Here's what you need to know to protect yourself.
The Rise of QR Code Phishing ("Quishing")
In 2024 and 2025, security researchers documented a sharp increase in attacks using malicious QR codes — a technique now widely called "quishing" (QR code phishing). By 2026, it's one of the most common social engineering vectors.
The reason is simple: most people have been trained to be suspicious of links in emails, but still instinctively scan physical QR codes without thinking. Attackers exploit this blind spot by placing fake QR codes in public spaces, sending them via mail, or embedding them in legitimate-looking PDFs and emails.
Real-World Quishing Attacks
Here are documented attack patterns to be aware of:
Parking Meter QR Code Scams
Attackers place fake "Pay Here" QR code stickers over legitimate ones on parking meters and kiosks. The fake code leads to a cloned payment page that steals your credit card details. This has been documented in cities across the US, UK, and Australia.
Restaurant Menu Replacement
A malicious actor places their own QR code on restaurant tables, directing diners to a fake menu page that captures credentials or installs malware.
Package Delivery Phishing
Fake "missed delivery" notices with QR codes arrive by mail. The code leads to a realistic delivery company login page that harvests account credentials.
Email-Based Quishing
Attackers embed QR codes in emails to bypass email security filters, which typically scan links but may not decode QR code images. The QR code leads to a phishing page.
How to Identify Suspicious QR Codes
Train yourself to check these warning signs before scanning any QR code:
Physical QR Codes
- Check for stickers over stickers — lift the corner of any QR code sticker to see if it's covering another one underneath
- Look for poor print quality or misalignment — legitimate business QR codes are usually professionally printed, not hastily applied stickers
- Verify with staff — if a QR code is asking for payment, confirm with an employee that it's legitimate
- Match the branding — does the QR code match the rest of the signage? An off-brand sticker is suspicious
Digital QR Codes (in emails/PDFs)
- Unsolicited messages — treat QR codes in unexpected emails the same way you'd treat suspicious links
- Urgency language — "Scan now or your account will be suspended" is a red flag
- Sender mismatch — check that the email domain matches the claimed organization
Before You Scan: What to Check
A good QR scanner app will show you the destination URL before opening it. This is the single most important safety feature. Here's what to look for in the preview URL:
- Domain mismatch — does the URL domain match where you expect to go? (paypa1.com vs paypal.com)
- Shortened URLs — bit.ly, tinyurl, and similar services hide the real destination. Be cautious with shortened URLs from unexpected sources
- HTTP vs HTTPS — legitimate sites use HTTPS. A QR code leading to a plain http:// URL for a financial or login page is suspicious
- Random-looking domains — xk7f2.netlify.app is unlikely to be a legitimate business site
- Unusual file types — a QR code that immediately triggers a file download (.apk, .exe, .zip) is almost certainly malicious
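The preview checks listed above can be applied automatically to the text a scanner decodes, before anything is opened. The following is an added example, not code from Scan & Generate; the function names, the sample shortener list, and the similarity and vowel thresholds are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com"}        # sample list (assumption), extend as needed
RISKY_EXTENSIONS = (".apk", ".exe", ".zip")   # file types named in the article


def looks_random(label: str) -> bool:
    """Crude heuristic (assumption): digits mixed in and almost no vowels."""
    letters = [c for c in label if c.isalpha()]
    if len(label) < 5 or not letters or not any(c.isdigit() for c in label):
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(label) <= 0.2


def preview_warnings(decoded: str, expected_domain: str = "") -> list:
    """Return warnings for a decoded QR payload without fetching anything."""
    url = urlsplit(decoded.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        return ["not a web URL"]
    warnings = []
    if url.scheme != "https":
        warnings.append("plain HTTP")
    if expected_domain:
        expected = expected_domain.lower()
        # Accept the expected domain and its subdomains only.
        if host != expected and not host.endswith("." + expected):
            similar = SequenceMatcher(None, host, expected).ratio() >= 0.8
            warnings.append("lookalike domain" if similar else "domain mismatch")
    if host in SHORTENERS:
        warnings.append("shortened URL")
    # Check every label except the top-level domain.
    if any(looks_random(label) for label in host.split(".")[:-1]):
        warnings.append("random-looking domain")
    if url.path.lower().endswith(RISKY_EXTENSIONS):
        warnings.append("file download")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads based on the examples in the list above.
    for sample in ("http://xk7f2.netlify.app/pay", "https://bit.ly/3abcd"):
        print(sample, "->", preview_warnings(sample))
```

An empty result only means none of these specific signs were found; the URL still needs to be read before opening it.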
How Scan & Generate Protects You
Scan & Generate is designed with safety in mind:
- URL preview before opening — the app shows you the full decoded URL and asks for confirmation before launching any link in a browser
- Scan history — every scan is logged locally so you can review what you've scanned
- No auto-navigation — the app never automatically follows URLs, preventing drive-by attacks
- Local data storage — your scans stay on your device; they're not transmitted to any server
Compare this to your phone's built-in camera, which shows a brief URL preview but will navigate immediately if you tap the notification — and keeps no history of what you've scanned.
What to Do If You Scan a Malicious QR Code
- Don't enter any information — close the page immediately if it's asking for credentials or payment
- Don't tap "Install" — if a page prompts you to install an app, decline
- Check your accounts — if you did enter information, change passwords and enable 2FA immediately
- Report it — physical fake QR codes should be reported to the business or local authorities; email quishing attempts should be reported to your IT team or the Anti-Phishing Working Group (APWG)
- Run a security scan — if your device accessed a suspicious URL, run a mobile security scan
Summary: Safe QR Scanning Practices
- Always preview the URL before opening it
- Be skeptical of QR codes in unexpected places or messages
- Check physical QR codes for signs of tampering
- Use a scanner app that shows the destination before navigating
- Never scan a QR code that a stranger asked you to scan
- Keep your scan history so you can audit what you've accessed