The Core Risk
QR codes are inherently opaque. Unlike a printed URL that a human can read and evaluate, a QR code is a machine-readable pattern that reveals its contents only after scanning.
This opacity is what makes QR codes convenient — and potentially dangerous. A malicious QR code looks identical to a legitimate one.
Threat Types
QRishing (QR Phishing)
QRishing is the QR equivalent of email phishing. Attackers place fake QR codes in public spaces — over parking meters, on restaurant tables, or on fake government notices. When scanned, the code redirects to a phishing site.
Real-world examples
- Fake parking meter QR codes in Texas (2022) redirected to payment phishing sites
- Counterfeit QR codes placed over legitimate ones in restaurant chains
- Fake COVID-19 check-in QR codes harvesting personal data
- QR codes in spam emails bypassing text-based email filters
Malicious Redirects
A QR code can redirect through multiple URLs before reaching the final destination, making it harder to detect malicious intent. The initial URL might pass basic safety checks while the final destination hosts malware.
Sticker Attacks
The simplest attack: placing a sticker with a malicious QR code over a legitimate one. Especially effective in public spaces where QR codes are trusted (parking, transit, government buildings).
WiFi Credential Theft
Malicious WiFi QR codes can connect the user to a rogue access point controlled by the attacker. Once connected, all unencrypted traffic can be intercepted (man-in-the-middle attack).
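A scanner can at least tell the user what a WiFi QR code is asking the phone to do before it joins anything. The following parser is an added example, not code from this page or from any particular scanner app; it assumes the common `WIFI:T:<auth>;S:<ssid>;P:<password>;H:<hidden>;;` payload layout, with a backslash escaping the next character, and the sample payloads in the comments are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class WifiPayload:
    ssid: str
    auth: str            # "WPA", "WEP", "NOPASS" or "" (empty is treated as open)
    password: str
    hidden: bool
    warnings: List[str] = field(default_factory=list)


def _split_fields(body: str) -> Dict[str, str]:
    """Split 'K:V;K:V;;' into a dict. A backslash escapes the next character,
    which is how ';' ':' ',' and '\\' are carried inside SSIDs and passwords."""
    fields: Dict[str, str] = {}
    buf: List[str] = []
    key = None
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if key is None and ch == ":":
            key, buf = "".join(buf), []
        elif key is None and ch == ";":
            pass                         # empty field or the ';;' terminator
        elif key is not None and ch == ";":
            fields[key], buf, key = "".join(buf), [], None
        else:
            buf.append(ch)
        i += 1
    return fields


def parse_wifi_qr(payload: str) -> WifiPayload:
    """Parse a WIFI: payload and attach the warnings a scanner should show before joining.
    Constructed sample: 'WIFI:T:WPA;S:Cafe\\;Guest;P:pa\\:ss;;' -> SSID 'Cafe;Guest', password 'pa:ss'."""
    if not payload.upper().startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    f = _split_fields(payload[len("WIFI:"):])
    ssid = f.get("S", "")
    auth = f.get("T", "").upper()
    password = f.get("P", "")
    hidden = f.get("H", "").lower() == "true"
    warnings: List[str] = []
    if not ssid:
        warnings.append("empty SSID")
    if auth in ("", "NOPASS"):
        warnings.append("open network: nothing on the air is encrypted")
    elif auth == "WEP":
        warnings.append("WEP is broken; treat as an open network")
    elif auth.startswith("WPA"):
        if not password:
            warnings.append("WPA requested but no password supplied")
    else:
        warnings.append(f"unknown auth type {auth!r}")
    if hidden:
        warnings.append("hidden network: the phone must probe for it by name")
    return WifiPayload(ssid, auth, password, hidden, warnings)
```

The warnings describe only what the payload itself requests (an open or WEP network, a hidden SSID); no parser can tell whether the SSID belongs to the venue or to a rogue access point using the same name, which is why the page's advice to avoid WiFi QR codes from unknown sources still stands.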
Key Insight
Safe Scanning Practices
For anyone scanning QR codes in the wild, follow these rules:
Always
- ✓ Preview the URL before opening
- ✓ Check that the domain matches the expected brand
- ✓ Look for HTTPS on the destination
- ✓ Be suspicious of QR codes in unexpected places
- ✓ Check for stickers placed over original codes
Never
- ✗ Scan QR codes from untrusted sources
- ✗ Enter credentials on a QR-opened page without verifying
- ✗ Download apps from QR codes (use app stores)
- ✗ Connect to WiFi via QR from unknown sources
- ✗ Ignore URL preview warnings from your phone
For QR Code Creators: Security Checklist
If you create QR codes for your business, protect your users:
- Use HTTPS — Always link to HTTPS URLs. HTTP links expose users to interception.
- Use your own domain — Branded URLs (yourbrand.com/menu) build trust. Avoid generic URL shorteners.
- Tamper-proof placement — Use engraved, printed-under-glass, or sealed QR codes to prevent sticker attacks.
- Monitor your URLs — Regularly check that destinations are still correct and haven't been compromised.
- Include context — Add text explaining where the code leads: "Scan to view our menu at restaurantname.com."
- Report abuse — If you find tampered QR codes, report them to the venue and local authorities.
URL Preview: Your First Line of Defense
Modern smartphone cameras (iOS 11+ and Android 8+) show a URL preview banner before opening any QR-scanned link. This is the single most important security feature.
- Read the preview URL carefully before tapping
- Check the domain name (not just the page path)
- Look for suspicious character substitutions (e.g., g00gle.com instead of google.com)
- Cancel if the domain is unfamiliar or suspicious
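The preview checks above (HTTPS, domain versus expected brand, character substitutions, shorteners) can be written down as a single function, which is useful both for training material and for a scanner that wants to show a reason alongside its warning. This is an added example, not code from this page; the shortener list and the substitution table are small constructed illustrations, and the two-label "registrable domain" rule is a heuristic that a production check would replace with the Public Suffix List.

```python
import ipaddress
import unicodedata
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed list of public shorteners; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Substitutions seen in lookalike names: digits for letters, letter pairs that
# render like one letter, and a few Cyrillic homoglyphs. Illustrative, not complete.
_SUBSTITUTIONS = [
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]


def skeleton(name: str) -> str:
    """Comparison form of a hostname: g00gle, Cyrillic gооgle and google all collapse to 'google'."""
    s = unicodedata.normalize("NFKD", name.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in _SUBSTITUTIONS:
        s = s.replace(src, dst)
    return s


def registrable(host: str) -> str:
    """Last two labels of a hostname. Heuristic only: use the Public Suffix List in production."""
    return ".".join(host.split(".")[-2:])


def inspect_scanned_url(url: str, expected_domain: str) -> Dict[str, object]:
    """Apply the preview checks to a decoded URL and return a verdict with the reasons."""
    findings: List[str] = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return {"verdict": "suspicious", "host": None, "findings": [f"non-web scheme {scheme!r}"]}
    if scheme != "https":
        findings.append("no HTTPS")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return {"verdict": "suspicious", "host": None, "findings": findings + ["missing hostname"]}
    if parts.username is not None:
        findings.append(f"text before '@' is a username, not the host; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: internationalised name may be a homoglyph")
    if registrable(host) in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    expected = expected_domain.lower()
    if not (host == expected or host.endswith("." + expected)):
        if skeleton(registrable(host)) == skeleton(expected):
            findings.append(f"lookalike domain: {host} resembles {expected}")
        elif expected in host:
            findings.append(f"brand name appears inside a different domain: {registrable(host)}")
        else:
            findings.append(f"domain {registrable(host)} does not match expected {expected}")
    return {"verdict": "ok" if not findings else "suspicious", "host": host, "findings": findings}
```

Calling `inspect_scanned_url("https://g00gle.com/login", "google.com")` reports a lookalike, while `"http://example.com.pay-portal.test/x"` against `example.com` reports both the missing HTTPS and the brand name being used as a subdomain of an unrelated domain, which is the case the "check the domain, not just the path" rule is about.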
Enterprise Security Considerations
For organizations deploying QR codes at scale:
- Centralized QR management — Track all QR codes created. Know what each code links to.
- Regular auditing — Periodically scan your deployed QR codes to verify destinations.
- Employee training — Educate staff about QRishing risks, especially finance and customer-facing roles.
- Incident response — Have a plan for compromised codes (remove, notify users, redirect).
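"Regular auditing" of deployed codes, and the redirect-chain problem described under Malicious Redirects above, come down to the same job: follow every hop from the URL printed in the code and confirm the final page is still where it should be. The script below is an added example, not code from this page or from any QR management product. It takes an inventory mapping each code to the URL it encodes and the domain the destination must be under, and a `fetch` callable that returns one response at a time; the `SAMPLE_RESPONSES` table and `INVENTORY` are constructed so the audit runs offline (in production `fetch` would wrap an HTTP HEAD request with redirects disabled).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher returns (HTTP status, Location header or None) for one request and does
# not follow redirects itself; hop-by-hop walking is what makes intermediate URLs visible.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class AuditResult:
    code_id: str
    chain: List[str]                 # every URL visited, starting with the one printed in the code
    final_url: Optional[str]
    status: str                      # "ok", "warn", "drift", "loop", "too_many_hops", "error"
    notes: List[str] = field(default_factory=list)


def follow_chain(start: str, fetch: Fetcher, max_hops: int = 10) -> Tuple[List[str], str]:
    """Walk redirects one at a time, stopping on a loop or after max_hops."""
    chain, url = [start], start
    for _ in range(max_hops):
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            nxt = urljoin(url, location)          # Location may be relative
            if nxt in chain:
                return chain + [nxt], "loop"
            chain.append(nxt)
            url = nxt
        elif 200 <= status < 300:
            return chain, "final"
        else:
            return chain, f"http_{status}"
    return chain, "too_many_hops"


def audit_codes(inventory: Dict[str, Tuple[str, str]], fetch: Fetcher) -> List[AuditResult]:
    """inventory maps code_id -> (URL encoded in the QR, domain the final page must be under)."""
    results: List[AuditResult] = []
    for code_id, (encoded_url, expected_domain) in inventory.items():
        chain, outcome = follow_chain(encoded_url, fetch)
        if outcome != "final":
            status = outcome if outcome in ("loop", "too_many_hops") else "error"
            results.append(AuditResult(code_id, chain, None, status, [outcome]))
            continue
        final = chain[-1]
        # Any plain-HTTP hop lets a network attacker rewrite the redirect, so it is noted.
        notes = [f"non-HTTPS hop: {hop}" for hop in chain if urlsplit(hop).scheme != "https"]
        host = (urlsplit(final).hostname or "").lower()
        if host == expected_domain or host.endswith("." + expected_domain):
            status = "warn" if notes else "ok"
        else:
            status = "drift"
            notes.append(f"final host {host} is not under {expected_domain}")
        results.append(AuditResult(code_id, chain, final, status, notes))
    return results


# Constructed responses standing in for the network (example.com/.net and .test are reserved names).
SAMPLE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "https://qr.example.com/menu": (302, "https://www.example.com/menu"),
    "https://www.example.com/menu": (200, None),
    "https://qr.example.com/pay": (302, "https://short.example.net/p1"),
    "https://short.example.net/p1": (302, "http://pay-portal.test/login"),
    "http://pay-portal.test/login": (200, None),
    "https://qr.example.com/loop": (302, "/loop"),
}


def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    return SAMPLE_RESPONSES.get(url, (404, None))


# Constructed inventory: what was printed, and where each code is supposed to end up.
INVENTORY = {
    "table-menu": ("https://qr.example.com/menu", "example.com"),
    "parking-pay": ("https://qr.example.com/pay", "example.com"),
    "lobby-poster": ("https://qr.example.com/loop", "example.com"),
}

if __name__ == "__main__":
    for r in audit_codes(INVENTORY, sample_fetch):
        print(r.code_id, r.status, " -> ".join(r.chain), r.notes)
```

In the constructed data the "parking-pay" code still starts at the organisation's own domain, so a check of the first hop alone would pass; only walking the chain shows that it now lands on an unrelated host over plain HTTP, which is exactly the drift an audit is meant to catch and the incident-response plan is meant to act on.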
Our generator runs entirely in your browser — no server uploads, no tracking, complete privacy.