QR Code Security — Are QR Codes Safe?
As QR codes have become ubiquitous in daily life — on restaurant menus, parking meters, product packaging, business cards, and advertisements — a critical question has emerged: are QR codes safe? The short answer is that QR codes themselves are neutral technology, but like any tool that links to the internet, they can be exploited by malicious actors. This comprehensive guide explains exactly how QR code security risks work, how scams and phishing attacks are executed, what you can do to protect yourself as a consumer, and what businesses must do to safeguard their QR codes and their customers.
Understanding QR code security: the fundamentals
A QR code is fundamentally a data storage mechanism: a way to encode text, numbers, or binary data in a visual pattern that cameras can read. The QR code itself cannot execute code, install software, or access your phone's data. When you scan a QR code, your phone decodes the data and presents it to you, typically as a URL with a prompt asking whether you want to open it. The payload does not have to be a URL, though: it can also be WiFi credentials, a phone number, a pre-filled SMS, a contact card (vCard), a calendar entry, or an app link, and the phone then offers the matching action (join network, call, send, save) instead of opening a browser. Scanning a QR code is therefore not inherently dangerous. The potential danger lies in what happens after scanning: visiting a malicious website, entering credentials on a phishing page, joining an attacker's network, sending a message or payment you did not intend, or downloading harmful software from a linked page.
This is exactly the same risk model as clicking a link in an email, a text message, or on a social media post. The QR code is simply a different delivery mechanism for a URL. The security principles that apply to links in emails apply equally to links in QR codes: verify the source, check the URL before clicking, and be cautious about entering personal information on unfamiliar websites. The difference with QR codes is that you cannot see the URL before scanning — it is encoded in the visual pattern. This opacity is what creates the unique security challenge of QR codes: you are essentially clicking a link you cannot preview until after you have scanned it.
Modern smartphones address this challenge by showing a preview after scanning but before acting on the payload. When you point your iPhone or Android camera at a QR code, the decoded URL appears on screen as a notification or banner; a WiFi code shows the network name, and a phone or SMS code shows the number. You can read it, assess whether it looks legitimate, and decide whether to tap through. This preview is your primary defense against malicious QR codes, with two caveats: the banner may truncate a long URL, so judge the domain rather than the start of the string, and a URL shortener or redirect service only shows you the first hop, not where you will end up. If you make a habit of always reading the preview before tapping, you will catch the vast majority of QR code scams before they can affect you. The problem is that many people scan and tap automatically without reading the preview, just as many people click links in emails without checking the sender.
The overall security risk of QR codes should be kept in perspective. Billions of QR code scans happen every month, and the overwhelming majority are completely safe — legitimate business menus, WiFi credentials, website links, contact cards, and product information. The risk is real but proportional: you should be aware and cautious, not fearful. The same way you look both ways before crossing a street without being paralyzed by fear of traffic, you should check QR code URLs before opening them without avoiding QR codes entirely. They are a useful, efficient technology that simply requires the same basic digital hygiene you already practice with email links and website navigation.
How QR code scams work: quishing and other attacks
Quishing (QR code phishing) is the primary security threat associated with QR codes. In a quishing attack, a criminal creates a QR code that links to a fraudulent website designed to mimic a legitimate one. The goal is to trick the victim into entering login credentials, credit card numbers, personal information, or other sensitive data on the fake site. Quishing has grown with QR code usage, and the FBI, FTC, and cybersecurity firms have all issued warnings about the rising threat. Some industry reports cite increases of several hundred percent between 2023 and 2025; the exact figures depend on each vendor's telemetry, but every source reports the same direction.
The most common quishing tactic is the overlay attack. The criminal prints a fraudulent QR code on a sticker and places it over a legitimate QR code in a public location. Parking meters are a frequent target: a fake QR code sticker is placed over the meter's legitimate payment QR code, redirecting the victim to a fake payment site that captures their credit card information. Restaurant table tents are another common target: a fake QR code is placed over the legitimate menu QR code, redirecting to a phishing page that may impersonate the restaurant or prompt the victim to enter information. Other targets include public transit signage, event posters, shared workspace bulletin boards, and building lobby directories — anywhere a QR code is displayed in a public or semi-public location.
Email-based quishing is a growing variation that exploits a gap in link-scanning email security. Link filters check or rewrite the URLs they find in the message text; a URL encoded in an inline or attached image is invisible to them unless the gateway also decodes images. An attacker sends an email containing a QR code image and a message urging the recipient to scan it (Your account requires verification, Scan to update your payment method, Confirm your delivery). The victim scans the code with a personal phone that sits outside the corporate proxy, endpoint protection and browser controls, and enters credentials on a phishing page. That page is often an adversary-in-the-middle proxy that relays the real login page and captures the resulting session token, so a second factor alone does not stop the attack. Many email gateways have since added QR decoding, and attackers have answered with QR codes assembled from HTML table cells, Unicode block characters or several small images, which a decoder does not see as one picture, so coverage remains uneven. This technique has been particularly effective in corporate attacks targeting employee credentials for Microsoft 365, Google Workspace, and other business platforms.
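As an added example (not code from the original page or from any product it names), here is gateway-side logic that closes the gap just described: walk the MIME parts, decode every image, and apply to the decoded payload the same domain policy a link filter applies to visible links. The QR decoder itself is passed in as a function (zbar, OpenCV or a vendor SDK in production) so the block runs offline; the sample message, the placeholder PNG bytes, the domain names and the lure word list are constructed for this example.

```python
"""Mail-gateway triage for QR-code phishing (quishing): decode images, then apply link policy.

Example added to the article; the message, image bytes, domains and lure words are constructed.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlsplit

# Lure vocabulary seen in quishing mail (constructed list; tune it from your own samples).
LURE = re.compile(r"\b(scan|verify|verification|suspend|expire|within \d+ hours|update your|confirm)\b", re.I)
VISIBLE_LINK = re.compile(r"https?://", re.I)


def registrable(host):
    """Last two labels of a hostname; a stand-in for a Public Suffix List lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw, decode_image, trusted_domains):
    """Score one RFC 5322 message given as bytes.

    decode_image: callable(bytes) -> list of QR payload strings found in the image.
    In production this wraps zbar/OpenCV; it is injected here so the block runs offline.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text, payloads = "", []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_content()
        elif part.get_content_maintype() == "image":
            payloads.extend(decode_image(part.get_content()))   # decoded attachment bytes

    reasons, severity = [], 0
    if payloads and not VISIBLE_LINK.search(text):
        reasons.append("URL carried only inside a QR image; the body shows no link, so link filters never saw it")
        severity += 2
    lure = LURE.search(text)
    if payloads and lure:
        reasons.append("scan/urgency lure in body: " + lure.group(0))
        severity += 1
    for p in payloads:
        host = urlsplit(p).hostname
        if host is None:
            reasons.append("QR payload is not a URL: " + p[:40])
            continue
        if registrable(host) not in trusted_domains:
            reasons.append("QR link points to untrusted domain " + registrable(host))
            severity += 2
    verdict = "quarantine" if severity >= 2 else "flag" if severity else "deliver"
    return {"qr_payloads": payloads, "reasons": reasons, "verdict": verdict}


def build_sample(body_text, attach_qr):
    """Constructed message. The image bytes are a placeholder PNG header, not a real picture."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "it-support@example.com", "alice@example.com", "Action required"
    m.set_content(body_text)
    if attach_qr:
        m.add_attachment(b"\x89PNG\r\n\x1a\nPLACEHOLDER", maintype="image", subtype="png", filename="verify.png")
    return m.as_bytes()


def fake_decoder(image_bytes):
    """Stands in for a real decoder: 'recognises' the placeholder image as one phishing URL."""
    if image_bytes.startswith(b"\x89PNG"):
        return ["https://example-com.login-verify.example/?u=alice"]
    return []


if __name__ == "__main__":
    quish = build_sample("Your account requires verification. Scan the code within 24 hours.", True)
    print(triage(quish, fake_decoder, {"example.com"}))
    benign = build_sample("Minutes at https://intranet.example.com/minutes", False)
    print(triage(benign, fake_decoder, {"example.com"}))
```

The score is built from the combination that matters (an image-borne URL with no visible link, or a decoded domain outside the allow-list) rather than from lure words alone, and the decoder is a dependency rather than part of the policy, so the same triage applies whatever renders the image.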
Payment fraud QR codes represent a direct financial theft vector. Criminals place QR codes at gas stations, vending machines, EV charging stations, or other payment terminals that link to personal payment accounts (Venmo, PayPal, Zelle) rather than the legitimate business account. The victim thinks they are paying the business but is actually sending money directly to the criminal. A variation involves QR codes on fake parking tickets placed on car windshields with a message like Pay your fine within 24 hours to avoid towing and a QR code linking to a fraudulent payment page. The urgency of the message pressures victims into paying without verifying the legitimacy.
WiFi phishing uses QR codes to connect victims to malicious WiFi networks. A WiFi QR code carries the network name and password, and the phone offers to join with a single tap, so a criminal can point one at an attacker-controlled hotspot (an evil twin network) instead of the venue's own network. Once connected, the attacker controls the network: they see your DNS queries and any unencrypted HTTP traffic, can inject content into HTTP pages, and can present a fake captive-portal login page to harvest credentials. Correctly configured HTTPS still protects the content of encrypted sessions, so what leaks is mostly unencrypted traffic and metadata about which sites you visit, but a fake portal that asks for an email login or card details needs no decryption at all. This is insidious because the victim believes they are safely connected to the venue's WiFi. The defense is to verify that the network name shown in the join prompt matches the one the business displays, to refuse portals that ask for more than acceptance of terms, and to use a VPN for sensitive activities on public WiFi.
Cryptocurrency and investment scams use QR codes to direct victims to fake investment platforms or cryptocurrency wallets. The victim is promised high returns or free cryptocurrency and is directed to scan a QR code that links to a convincing but fraudulent trading platform. They create an account, deposit funds, and initially may even see fake profits. When they attempt to withdraw, the funds are gone. QR codes make these scams more effective because they can be placed in physical locations (posters, flyers, bathroom stalls) where they appear more legitimate than random internet ads, and the victim scans with their personal phone outside of any corporate security environment.
How to stay safe when scanning QR codes: consumer guide
The most important habit you can develop is always reading the URL preview before tapping. Every modern smartphone shows the decoded URL after scanning a QR code and before opening it in the browser. Take two seconds to read the domain name, and read it from the right: the registered domain is the part just before the top-level domain, so starbucks.com.evil.net belongs to evil.net, not to Starbucks, and anything before an @ sign is a decoy rather than the real host. A QR code at a Starbucks should link to starbucks.com, not starbvcks.com or starbucks-payment-secure.com. A QR code on a parking meter should link to the city's official parking domain or the known parking app, not to a generic or unfamiliar domain. If the URL looks suspicious, misspelled, or unrelated to the context, do not tap through. This single habit prevents the vast majority of QR code attacks.
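The habit above written down as a check, as an added example that is not code from the original page: it classifies one decoded payload the way a careful reader of the preview would, and it covers the WiFi and tel:/sms: payload types from the earlier sections as well as URLs. The shortener list, the expected-domain set, the one-character confusable map and the two-level suffix list are small constructed stand-ins; a real tool would use the Public Suffix List and a Unicode confusables table.

```python
"""Classify a decoded QR payload the way a careful reader of the URL preview would.

Example added to the article; the domain lists and lookalike rules are constructed stand-ins.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy"}
SECOND_LEVEL = {"co.uk", "com.au", "co.jp", "com.br", "co.nz"}   # tiny stand-in for the Public Suffix List
CONFUSABLE = str.maketrans("01357v", "olestu")                     # substitutions common in lookalike names
ACTION_SCHEMES = ("tel", "sms", "smsto", "mailto", "geo", "bitcoin")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Registered domain: the last two labels, or three under a known two-level suffix."""
    labels = host.split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL else 2
    return ".".join(labels[-n:])


def normalize(label):
    """Fold common look-alike substitutions so starbvcks and starbucks compare equal."""
    return label.lower().translate(CONFUSABLE).replace("rn", "m")


def parse_wifi(payload):
    """Parse WIFI:T:WPA;S:ssid;P:pass;; (the de facto WiFi QR format), honouring backslash escapes."""
    fields, key, buf, i = {}, None, [], len("WIFI:")
    while i < len(payload):
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):          # escaped ; , : \ or " inside a value
            buf.append(payload[i + 1])
            i += 2
            continue
        if key is None and c == ":":
            key, buf = "".join(buf), []
        elif c == ";":
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    return fields


def analyze(payload, expected_domains):
    """Return kind, host or SSID, flags and a verdict for one decoded payload."""
    flags = []
    if payload[:5].upper() == "WIFI:":
        w = parse_wifi(payload)
        if w.get("T", "").lower() in ("", "nopass"):
            flags.append("open network: nearby devices can read your unencrypted traffic")
        return {"kind": "wifi", "ssid": w.get("S"), "flags": flags,
                "verdict": "compare the SSID with the one the venue posts before joining"}
    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""
    if scheme in ACTION_SCHEMES:
        return {"kind": scheme, "flags": [scheme + ": tapping starts a call, message or payment"], "verdict": "inspect"}
    parts = urlsplit(payload if "://" in payload else "https://" + payload)   # bare hosts open as URLs
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or "." not in host:
        return {"kind": "text", "flags": [], "verdict": "not a URL"}
    if parts.scheme != "https":
        flags.append("unencrypted scheme " + parts.scheme)
    if parts.username is not None:
        flags.append("text before '@' is a decoy; the real host is " + host)
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label: possible homoglyph domain")
    reg = registrable(host)
    if reg in SHORTENERS:
        flags.append("URL shortener hides the final destination")
    expected = reg in expected_domains
    if not expected:
        for exp in expected_domains:
            brand = exp.split(".")[0]
            if brand in host or brand in unquote(parts.path).lower():
                flags.append(f"'{brand}' appears in the URL but the registered domain is {reg}")
            elif levenshtein(normalize(reg.split(".")[0]), normalize(brand)) <= 1:
                flags.append(f"{reg} looks like {exp}")
    deceptive = any(k in f for f in flags for k in ("looks like", "decoy", "appears in", "punycode"))
    verdict = "expected" if expected and not flags else "likely phishing" if deceptive else "inspect"
    return {"kind": "url", "host": host, "domain": reg, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for p in ("https://www.starbucks.com/menu", "https://starbvcks.com/login", "https://starbucks.com@evil.com/pay",
              "http://starbucks.com.evil.net/verify", "https://bit.ly/xK3mQ7", "WIFI:T:WPA;S:Cafe\\;Bar;P:pw;;"):
        print(p, "->", analyze(p, {"starbucks.com"}))
```

A shortener is deliberately only "inspect", not "phishing": the preview cannot tell you where it leads, so the right move is to expand it (or skip it) rather than to trust the visible hop.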
Look for signs of tampering before scanning. Before scanning any QR code in a public place, check whether it appears to be a sticker placed over another QR code. Run your finger over the surface to feel for raised edges that indicate a sticker overlay. Check whether the QR code material and print quality match the rest of the signage or display. If a QR code on a professional parking meter is a cheap paper sticker while the rest of the meter has embedded graphics, that is a red flag. If a restaurant's laminated table tent has a peeling sticker with a QR code placed over the original design, be suspicious. Physical tampering is the most common quishing vector, and a quick visual and tactile inspection catches most attempts.
Be skeptical of QR codes that create urgency or request sensitive information. Legitimate businesses rarely demand immediate action through QR codes. If a QR code leads to a page that says Your account will be suspended in 24 hours or Enter your social security number to verify your identity, this is almost certainly a scam regardless of where you found the QR code. Legitimate parking meters do not ask for your social security number. Legitimate restaurants do not require credit card information to view a menu. Any page that creates panic, demands immediate action, or requests information disproportionate to the context is a scam. Close the page and, if applicable, report the suspicious QR code to the business or location where you found it.
Use your phone's built-in QR code scanner rather than third-party apps. The native camera app on iPhone and Android includes QR code scanning that Apple and Google update along with the rest of the operating system. Third-party QR scanning apps, especially free ones with advertisements, may themselves be security risks: some have been found to track user behavior, inject advertisements, request excessive permissions, or send scanned content to the developer's servers. There is no functional advantage to using a third-party scanner over the built-in one, so the safest approach is to stick with your phone's native camera app. If your phone is older and does not have built-in QR scanning, Google Lens is a trusted alternative available on most Android devices and through the Google app on iPhone.
Keep your phone's operating system and browser updated. Software updates frequently include security patches that protect against newly discovered vulnerabilities, including those that could be exploited through malicious websites reached via QR codes. An up-to-date phone is significantly more resistant to browser-based exploits than one running an older operating system version. Enable automatic updates on your phone if you have not already, and never dismiss security update notifications. This general security hygiene protects you not only from QR code threats but from all web-based attacks.
Consider using a VPN when connecting to WiFi via QR codes in public places. Even if the WiFi QR code is legitimate, public WiFi networks are inherently less secure than private ones. A VPN encrypts your internet traffic between your phone and the VPN server, protecting your data even if the WiFi network itself is compromised. This is especially important for activities involving sensitive information: banking, email, shopping, or accessing work accounts. Many reputable VPN services offer affordable mobile plans, and the security benefit on public WiFi is substantial.
Best practices for businesses creating and deploying QR codes
As a business, you have a responsibility to your customers to deploy QR codes securely and to protect them from being tampered with. You also need to protect your brand reputation — if a customer scans a tampered QR code at your business and is scammed, they will associate the negative experience with your brand regardless of fault. Implementing security best practices for your business QR codes protects both your customers and your reputation.
Use branded QR codes with custom colors and your logo. A generic black-and-white QR code is easy to replicate and replace. A branded QR code with your company colors, logo, and a custom frame is significantly harder for an attacker to duplicate convincingly. When customers become familiar with your branded QR code design, they are more likely to notice when something looks different. This visual security layer does not prevent all attacks, but it raises the bar for attackers and makes overlay attacks more conspicuous.
Print QR codes directly on materials rather than using removable stickers whenever possible. A QR code printed as part of a laminated menu, embossed on a table, engraved on a sign, or printed on permanent signage cannot be easily covered with a fraudulent sticker. When stickers are the only option (such as on existing fixtures or equipment), use tamper-evident stickers that show VOID or a visible pattern if someone attempts to peel them off. These stickers are available from most commercial printing suppliers and add minimal cost while significantly deterring overlay attacks.
Regularly inspect your QR codes for tampering. Establish a routine — daily for high-traffic QR codes like parking meters and payment terminals, weekly for restaurant table tents and in-store displays. During inspection, scan each QR code yourself to verify it links to the correct destination. Check for stickers placed over your codes. Check that the QR code appearance matches your expected branded design. This is the single most effective security measure a business can implement because it catches tampering before customers are affected. Assign this inspection to a specific employee or add it to an existing opening or closing checklist.
Use your own domain for QR code destinations rather than generic URL shorteners. A QR code linking to yourbusiness.com/menu is inherently more trustworthy and verifiable than one linking to bit.ly/xK3mQ7. Your own domain confirms the link belongs to your business, makes it easier for customers to verify legitimacy from the URL preview, and gives you control over the destination without depending on a third-party service. If you use dynamic QR codes, choose a QR code platform that uses branded short links with your domain or a clearly attributable domain rather than generic shortened URLs.
Educate your customers about your QR codes. Include a note near your QR codes that says something like Our official QR codes link to yourbusiness.com. If this code links elsewhere, please alert our staff. This simple notice helps customers identify tampered codes and empowers them to report suspicious QR codes. It also demonstrates that your business takes security seriously, which builds customer trust. For businesses in sensitive contexts (financial services, healthcare, government), more explicit security notices may be appropriate, including instructions for customers to verify the URL domain before entering any information.
Use HTTPS for all QR code destination pages. Every URL encoded in your QR codes should use HTTPS, not HTTP. HTTPS encrypts the connection between the customer's phone and your server, so an attacker on the same network cannot read or alter the page in transit, and modern browsers display warnings for HTTP pages that alarm customers and damage trust. HTTPS is free through services like Let's Encrypt and is a non-negotiable baseline for any business web presence, not just QR code destinations. One caveat for your customer education: a certificate proves the connection reached the domain in the URL, not that the domain is yours. Phishing sites have valid certificates and padlocks too, which is why the domain name, not the padlock, is what customers must check.
QR code privacy: what data is collected when you scan
Privacy concerns about QR codes are common and worth understanding clearly. The question of what data is collected when you scan a QR code has a nuanced answer that depends on the type of QR code and what happens after scanning. Understanding the distinction helps you make informed decisions about when and where you scan.
Scanning a static QR code collects no data by itself. A static QR code encodes its data directly in the visual pattern, and decoding happens entirely on your device: no server is contacted and no one is notified that you scanned the code. A static QR code containing a WiFi password simply delivers the password to your phone locally; one containing a vCard delivers the contact information locally. If you scan a static QR code and do not open the encoded URL, the code's creator learns nothing, because the data is in the pattern, not on a server. The one caveat is the scanner app: the built-in camera decodes locally, but a third-party scanner may upload what it reads to a cloud service for safety checks or analytics, which is another reason to prefer the native app.
Dynamic QR codes route through a redirect server, which can log scan data. When you scan a dynamic QR code, the encoded URL is a short link hosted on the QR code platform's server. Your phone requests that URL from the server, which logs the request (including the time, your IP address, and your device's user agent string) before redirecting you to the final destination. The QR code platform provides this data to the QR code creator as analytics: number of scans, scan times, approximate locations derived from IP addresses, and device types. This is the same data that any website collects when you visit it — it is standard web server logging, not invasive surveillance. Your IP address reveals your approximate geographic area (usually city-level) but not your precise location, name, or identity.
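To make the redirect and logging behaviour concrete, here is an added example (not the code of any QR platform, and not from the original page) of the server side of a dynamic code: the short id maps to a pre-registered destination only, so the service cannot be abused as an open redirector, and the scan log keeps a truncated, keyed-hashed client address and a coarse device family rather than the raw IP and user agent. The route shape (/r/<id>), the registry contents, the salt and the log fields are assumptions of this example.

```python
"""Redirect endpoint for dynamic QR codes: closed mapping and privacy-minimised scan log.

Example added to the article; the route shape, registry, salt and log fields are assumptions.
"""
import datetime
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import urlsplit

SHORT_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


def register(short_id, destination, registry):
    """Owner-side check when a code is created: https only, a real host, no userinfo trick."""
    u = urlsplit(destination)
    if not SHORT_ID.fullmatch(short_id):
        raise ValueError("bad short id")
    if u.scheme != "https" or not u.hostname or u.username is not None:
        raise ValueError("destination must be an https URL without credentials")
    registry[short_id] = destination


def client_token(ip, salt):
    """Truncate to /24 (IPv4) or /48 (IPv6), then keyed-hash with a salt you rotate daily:
    scans from one network stay countable within the day, nothing links them across days."""
    prefix = 48 if ":" in ip else 24
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hmac.new(salt, str(net).encode(), hashlib.sha256).hexdigest()[:16]


def ua_family(user_agent):
    """Keep only the device family; the full string is a fingerprinting vector."""
    for name in ("iPhone", "iPad", "Android", "Windows", "Macintosh", "Linux"):
        if name in user_agent:
            return name
    return "other"


def handle(path, client_ip, user_agent, registry, log, salt, now=None):
    """GET handler. Returns (status, location). Unknown ids are 404, never a redirect built
    from request input: that is what turns a short-link service into an open redirector."""
    m = re.fullmatch(r"/r/(" + SHORT_ID.pattern + ")", path)
    dest = registry.get(m.group(1)) if m else None
    if dest is None:
        return 404, None
    ts = (now or datetime.datetime.now(datetime.timezone.utc)).isoformat(timespec="minutes")
    log.append({"id": m.group(1), "ts": ts, "client": client_token(client_ip, salt), "ua": ua_family(user_agent)})
    return 302, dest


if __name__ == "__main__":
    registry, log, salt = {}, [], b"rotate-me-daily"   # constructed
    register("menu", "https://yourbusiness.com/menu", registry)
    print(handle("/r/menu", "203.0.113.45", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", registry, log, salt))
    print(handle("/r/https://evil.example", "203.0.113.45", "curl/8", registry, log, salt))   # 404, not a redirect
    print(log)
```

Serving this from your own domain (yourbusiness.com/r/menu rather than a generic shortener) is what lets a customer reading the preview attribute the link to you; the handler above is the part that keeps that link from being turned against you.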
The website you visit after scanning is where meaningful data collection occurs. If a QR code links to a website with Google Analytics, Facebook Pixel, or other tracking tools, those tools collect the same data they would collect from any website visit: pages viewed, time on site, click behavior, and potentially cross-site tracking via cookies. If the website asks you to create an account, fill out a form, or enter payment information, you are voluntarily providing personal data to that website. This data collection is governed by the website's privacy policy, not by the QR code. The QR code was simply the mechanism that delivered you to the website, similar to a Google search result or an email link.
For maximum privacy when scanning QR codes, follow these practices: scan the QR code and read the URL preview before visiting the site, use a privacy-focused browser with tracking protection enabled, do not enter personal information on sites you reached through QR codes in public places, use a VPN if you are connecting to WiFi via QR code in a public location, and be aware that dynamic QR codes will log your scan as part of their analytics. For static QR codes containing non-URL data (WiFi credentials, vCard contacts, plain text) scanned with the built-in camera, there are no privacy concerns, because no network communication occurs during scanning.
The future of QR code security: emerging protections
As QR code usage continues to grow and security threats evolve, the technology industry is developing new protective measures. Understanding these emerging protections gives businesses and consumers confidence that QR code security is improving and helps you prepare for upcoming changes.
Secure QR codes with digital signatures are an emerging approach that adds cryptographic verification to the payload. The issuer signs the encoded data with a private key, and the QR code carries the data together with the signature; a scanning app that knows the issuer's public key verifies the signature and rejects the code if the content has been altered or was not produced by the claimed issuer. Signed QR payloads are already used in pharmaceutical supply chains (to prevent counterfeit medications) and in government-issued credentials; the EU Digital COVID Certificate, a signed payload carried in a QR code and checked against published issuer keys, showed the approach working at scale. Two limits apply: verification only works in a scanner that holds the issuer's key, which today means a dedicated app rather than the stock camera, and a valid signature proves who issued the code, not that the destination it points to is safe. As smartphone cameras and operating systems add support for signature verification, this could become the standard for QR codes in sensitive contexts.
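What a signed code looks like in practice, as an added example that is not from the original page and does not reproduce any deployed scheme: the issuer signs a small JSON body with Ed25519 (RFC 8032), the QR carries the body and the signature base64url-encoded, and the scanner verifies against a public key it already holds for that issuer id. Ed25519 is written out in pure Python so the block runs without third-party libraries; it is slow and not constant-time, so real software should use PyNaCl or cryptography. The envelope tag "SQR1", the field names, the issuer id, the seed and the URLs are assumptions of this example.

```python
"""Signed QR payload: Ed25519 (RFC 8032) over a small JSON body. Example added to the article;
pure-Python Ed25519 so it runs without third-party libraries (slow, not constant-time: use PyNaCl
or cryptography in real software). Envelope tag, field names, issuer id and URLs are constructed."""
import base64, hashlib, json

Q = 2**255 - 19                                          # field prime
L = 2**252 + 27742317777372353535851937790883648493     # group order
_inv = lambda x: pow(x, Q - 2, Q)
D = (-121665 * _inv(121666)) % Q                         # curve constant
I = pow(2, (Q - 1) // 4, Q)                              # sqrt(-1)

def _xrecover(y):                                        # even x for this y; garbage if none exists
    xx = (y * y - 1) * _inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q: x = (x * I) % Q
    return Q - x if x & 1 else x

B = (_xrecover(4 * _inv(5) % Q), 4 * _inv(5) % Q)        # base point

def _add(P, R):
    (x1, y1), (x2, y2) = P, R
    k = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + k) % Q, (y1 * y2 + x1 * x2) * _inv(1 - k) % Q)

def _mul(P, e):                                          # double-and-add from the neutral element
    R = (0, 1)
    while e:
        if e & 1: R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R

_enc = lambda P: (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
_hint = lambda *parts: int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _dec(s):
    v = int.from_bytes(s, "little"); y = v & ((1 << 255) - 1); x = _xrecover(y)
    if (x & 1) != (v >> 255): x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q: raise ValueError("point not on curve")
    return (x, y)

def _secret(seed):
    h = bytearray(hashlib.sha512(seed).digest())
    h[0] &= 248; h[31] &= 63; h[31] |= 64                # clamp, per RFC 8032
    return int.from_bytes(h[:32], "little"), bytes(h[32:])

def ed25519_pubkey(seed):
    return _enc(_mul(B, _secret(seed)[0]))

def ed25519_sign(seed, msg):
    a, prefix = _secret(seed)
    pk = _enc(_mul(B, a))
    r = _hint(prefix, msg) % L
    R = _enc(_mul(B, r))
    return R + ((r + _hint(R, pk, msg) * a) % L).to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):
    if len(sig) != 64 or len(pk) != 32: return False
    try: R, A = _dec(sig[:32]), _dec(pk)
    except ValueError: return False
    s = int.from_bytes(sig[32:], "little")
    return s < L and _mul(B, s) == _add(R, _mul(A, _hint(sig[:32], pk, msg) % L))

# Envelope printed into the QR: "SQR1." + base64url(JSON body) + "." + base64url(signature).
_b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
_unb64 = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_signed_qr(issuer, seed, fields):
    body = json.dumps({"iss": issuer, **fields}, separators=(",", ":"), sort_keys=True).encode()
    return "SQR1." + _b64(body) + "." + _b64(ed25519_sign(seed, body))

def verify_signed_qr(text, trust_store):
    """trust_store maps issuer id -> public key the scanner already holds. Returns (ok, reason, fields)."""
    try:
        tag, b, s = text.split(".")
        body, sig = _unb64(b), _unb64(s); fields = json.loads(body)
    except ValueError:                                  # wrong shape, bad base64 or bad JSON
        return False, "malformed", None
    if tag != "SQR1" or not isinstance(fields, dict):
        return False, "malformed", None
    pk = trust_store.get(fields.get("iss"))
    if pk is None:
        return False, "unknown issuer", None
    if not ed25519_verify(pk, body, sig):
        return False, "signature mismatch", None
    return True, "ok", fields

def demo():
    """Constructed issuer key and trust store; returns the valid, tampered and unknown-issuer results."""
    seed = hashlib.sha256(b"constructed demo seed, not a real key").digest()
    trust = {"city-parking": ed25519_pubkey(seed)}
    qr = make_signed_qr("city-parking", seed, {"url": "https://parking.example/pay", "meter": "A-117"})
    body_b64, sig_b64 = qr.split(".")[1:]
    forged = _unb64(body_b64).replace(b"parking.example", b"evil.example")  # sticker attack, signature reused
    return verify_signed_qr(qr, trust), verify_signed_qr("SQR1." + _b64(forged) + "." + sig_b64, trust), verify_signed_qr(qr, {})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The tampered case is the sticker attack from the earlier section: the body is rewritten to point at the attacker's site while the original signature is kept, and verification fails because the signature no longer matches. Note what the check does not do: a code from an issuer the scanner does not know is rejected as unknown rather than accepted, and a valid signature says nothing about whether the URL inside is safe.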
URL reputation analysis is being integrated into smartphone operating systems and browsers to evaluate QR code destinations in real time. When you scan a QR code, the URL can be checked against phishing blocklists, analysed for characteristics common to malicious URLs (domain age, registrar, hosting location, TLS certificate details), and compared with well-known domains to detect typosquatting. Google Safe Browsing (used by Chrome and Android) and Safari's Fraudulent Website Warning already provide blocklist checks when a scanned link is opened; checking the decoded URL at the preview stage, before the tap, is where further improvement is expected.
Industry guidance for QR code deployment security is being developed by organizations including GS1, the Internet Engineering Task Force (IETF), and various national cybersecurity agencies. This guidance addresses best practices for QR code generation, deployment, monitoring, and incident response. As it matures and gains adoption, businesses will have clear frameworks for secure QR code implementation, and consumers will benefit from a more consistently secure QR code ecosystem.
Consumer education remains the most effective security measure in the near term. Technology alone cannot prevent all QR code scams because the fundamental vulnerability is human behavior — scanning and tapping without checking. As awareness of QR code security risks grows through media coverage, government advisories, and business education efforts, the percentage of people who habitually check URL previews before tapping will increase, making quishing attacks less effective overall. The most impactful thing you can do today is develop the habit of checking every QR code URL before opening it and sharing this practice with the people around you.
Businesses should view QR code security as an ongoing responsibility, not a one-time setup. Just as you update passwords, patch software, and monitor for breaches, you should regularly inspect your deployed QR codes, update your security practices as new threats emerge, and educate your staff and customers about safe scanning habits. The businesses that take QR code security seriously will be the ones that maintain customer trust as QR code usage continues to expand into more critical applications like payments, identity verification, and healthcare records.