Learn about phishing scams, fake parking tickets, and malicious redirects — and the simple habits that keep you protected every time you scan.
Important: QR code phishing attacks (known as "quishing") increased significantly following the global adoption surge of 2020–2022. The FBI issued a public warning in 2022 about tampered QR codes in public spaces.
QR codes themselves are just data. The danger is what that data points to. Here are the most common attack vectors.
Attackers create convincing replicas of bank login pages, social media sign-ins, and email providers. The QR code redirects you to a fake site that captures your username and password.
Where it happens: Email attachments, WhatsApp messages, physical mailers that look official.
HIGH RISK
Scammers place fake QR code stickers over legitimate ones on parking meters and payment kiosks. The fake code sends you to a fraudulent payment page that steals card details.
Where it happens: Public parking meters, restaurant tables, charity donation boxes.
HIGH RISK
QR codes can trigger automatic file downloads or exploit browser vulnerabilities. Some attack chains use multiple redirects to eventually deliver malware to your device.
Where it happens: Unsolicited codes in public, social media posts, unknown leaflets.
MEDIUM RISK
Corporate emails carry QR codes that bypass email security filters, since the QR image looks harmless. Employees scan and are redirected to credential-harvesting sites.
Where it happens: Work email inboxes, especially HR or finance-themed messages.
HIGH RISK
Codes promising free gifts, prize redemptions, or loyalty rewards that route to phishing pages or subscription traps that charge monthly fees via SMS premium numbers.
Where it happens: Flyers, windshields, social media stories and ads.
MEDIUM RISK
QR codes claiming to download a popular app but linking to a fake version that looks identical. The impersonation app requests excessive permissions and harvests data.
Where it happens: Non-official stores, flyers in tech-focused environments.
MEDIUM RISK
Not all QR codes are equally risky. Context matters enormously.
Random QR codes on stickers, flyers in your letterbox, or from strangers. No established trust — verify before tapping.
Parking meters, vending machines, donation boxes. Check for signs of sticker tampering before scanning.
Unexpected emails with QR code images. Legitimate banks and services do not send login QR codes via email.
Even from known accounts — accounts can be compromised. Preview URL and check the domain carefully.
Anyone can print a flyer. Check that the brand is genuine and the URL matches the expected domain.
Generally safe — especially if the staff placed them. Still worth a quick URL glance before confirming payment.
In a professional context from a real person. Low risk, but verify the URL domain is what you'd expect.
Factory-printed codes on sealed products. Very low risk: tampering with these would be impractical at scale.
Codes you created yourself, or from a trusted colleague you can verify. No risk to the generator.
Five habits that dramatically reduce your risk without any technical expertise.
Most modern phone cameras show the link before you tap it. Take two seconds to read the full URL. Does it match the brand? Is it spelled correctly?
Look for https:// and verify the domain is exactly right. Watch for tricks like paypa1.com (number 1 instead of L) or amazon-secure.net.
The iPhone Camera and Google Lens both show URL previews before opening. Avoid third-party "QR scanner" apps — many contain malware themselves.
Before scanning a public QR code, look for signs of a sticker placed over the original — raised edges, misalignment, or bubbling are red flags.
If you're unsure about a code on a payment terminal or official document, open your browser and type the website address directly. It takes 15 seconds and eliminates all QR risk.
Camera Preview examples:
Scanned URL: https://myrestaurant.co.ke/menu
Scanned URL: http://amaz0n-verify.xyz/login
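The URL checks described in the habits above (HTTPS, exact domain, digit substitutions such as paypa1.com, brand names inside unrelated domains such as amazon-secure.net) can be automated for URLs decoded from QR codes, for example in a mail gateway or a scanner app. This is an added example, not code from the original page; the brand list and warning labels are assumptions, and the userinfo check goes beyond what the page lists.

```python
from urllib.parse import urlsplit

# Assumption: brands this deployment cares about, mapped to their real domains.
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}}
# Digit-for-letter swaps of the kind the page warns about (paypa1, amaz0n).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def check_scanned_url(url):
    """Return a list of warning labels for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    # Text before '@' is login info, not the site: https://paypal.com@login.example/
    if parts.username or parts.password:
        warnings.append("userinfo-in-url")
    normalized = host.translate(LOOKALIKES)
    for brand, real_domains in KNOWN_BRANDS.items():
        genuine = any(host == d or host.endswith("." + d) for d in real_domains)
        if brand in normalized and not genuine:
            # The brand appears only after undoing digit swaps, or it appears
            # verbatim inside a domain the brand does not own.
            kind = "brand-in-foreign-domain" if brand in host else "digit-substitution"
            warnings.append(f"{kind}:{brand}")
    return warnings


if __name__ == "__main__":
    # The two preview URLs and the two lookalike domains named on this page.
    for sample in ("https://myrestaurant.co.ke/menu",
                   "http://amaz0n-verify.xyz/login",
                   "https://paypa1.com",
                   "https://amazon-secure.net"):
        print(sample, "->", check_scanned_url(sample) or "no warnings")
```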
DO preview the URL in your camera before opening it
DO verify the domain name is spelled correctly (no number substitutions)
DO look for HTTPS — no padlock means no encryption
DO physically inspect the code for sticker tampering in public places
DO use your phone's native camera, not a random scanner app
DON'T enter passwords or card details after scanning an unknown code
DON'T trust codes that promise prizes, discounts, or urgent action
DON'T assume a code is safe because it's in an official-looking email
DON'T allow automatic app downloads triggered by a scanned code