QR code risks

Love them or hate them, QR codes are everywhere these days, from menus and parking meters to tickets and payments. As their use keeps expanding, so do QR code risks, especially since people often scan them without a second thought.

In this guide, we’ll go over what QR codes are, how they’re used (or misused), and the most common attack types. Afterwards, we’ll look into what data services collect when you access a QR link. Finally, we’ll cover how to avoid risks as a user or creator sharing their code.

What are QR codes?

QR codes are square barcodes you can scan with a phone or tablet to quickly access information. They can link to websites, apps, videos, Wi-Fi networks, or even payment portals, letting you skip typing long URLs or passwords.

Because they store data visually, QR codes are easy to print or display digitally. Businesses and creators use them for tickets, menus, promotions, or sharing details quickly, while users just point their camera to get instant access.

What are QR codes used for?

QR codes are used for more than accessing links. They let you download apps, log in safely, connect to Wi-Fi, make payments, and have a bunch of creative uses in the right hands.

  • Mobile app downloads: Scan a QR code and you’ll head straight to the App Store or Google Play. It saves time typing and ensures you land on the correct app page.
  • Fast, secure logins: Use QR codes to log in quickly to apps like Discord, WhatsApp, and others without typing passwords. They help verify your account while keeping your credentials safe from prying eyes.
  • Instant Wi-Fi access: Connect to a network instantly by scanning a code with all the Wi-Fi details (like SSID, encryption type, and password) built in.
  • Contactless payments: Pay for goods or services with a quick scan at checkout. The transaction goes through securely, while you avoid cash, cards, or entering sensitive info manually.
  • Creative applications: QR codes appear in unusual ways, like linking gravestones to online tributes, interactive museum exhibits, or physical objects to extra digital goodies.

Besides these, QR codes show up in all sorts of other places to make life easier. They can act as mobile tickets for fast entry at events, verify digital IDs quickly, or help with contact tracing and check-ins during health campaigns (such as during the pandemic).

You’ll also see them on product packaging for details and offers, in restaurants for contactless menus, on public transport for tickets and schedules, and even on business cards to share portfolios or professional profiles with a quick scan.

Common QR code risks

The usefulness and adaptability of QR codes are a double-edged sword. Because they’re so widespread nowadays, bad actors inevitably misuse them for scams, stealing user accounts, or installing dangerous malware that can spy on you or cause other damage.

Sharing QR codes also has its own set of risks, for both businesses and customers. For instance, a diner in China posted a meal photo that showed a table-ordering QR code. Pranksters used it to place fake orders, disrupting the restaurant and inflating the total to $81,000.

Thankfully, the restaurant didn’t make her pay, though you can see how easily a QR code can be abused if it reaches the wrong audience.

What are the different types of QR code attacks?

Here’s a breakdown of the main types of QR code attacks to watch out for, and how to stay safe in each case.

1. QR code phishing (quishing)

QR code phishing (or quishing) works pretty much like classic phishing scams, except the malicious links come from a QR code. Instead of clicking a fake email link, you scan a code that sends you to a spoofed login page designed to steal your passwords or card details.

Keep these tips in mind when dealing with QR links, and you’ll avoid most quishing attempts:

  1. Disable auto-opening links: Make sure your phone doesn’t automatically open QR links after scanning. This gives you a chance to check the URL first.
  2. Check the main domain: Look at the core website address (like paypal.com) and ignore any extra words or unusual characters that might trick you. If the link is shortened, copy and paste it into a free tool like ExpandURL to see where it leads.
  3. Watch for lookalike letters: Scammers swap letters with similar-looking characters from other scripts (like “раураl.com” using Cyrillic “р”). You can paste the domain into NordVPN’s link checker or similar tools to see if it’s safe.
  4. Verify HTTPS and certificate: Make sure the site uses HTTPS and shows a valid certificate by tapping the lock icon in the address bar. Expired or missing certificates are a sign of a scam website.
  5. Double-check before acting: Take a moment to think if the site or action makes sense in context. If something feels off—like a parking meter asking for a login, or a government website not using a .gov domain—don’t go through with it.
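
To make the domain, lookalike-letter, HTTPS and shortener checks above concrete, here is a small Python script that inspects a URL decoded from a QR code and reports what a careful reader would look for. It is an added example, not code from the original article or from any NordVPN tool. The shortener list, the tiny public-suffix table and the `expected_domain` parameter are assumptions made for illustration; a real tool would use the full Public Suffix List.

```python
"""Inspect a URL decoded from a QR code before opening it.

Added example (not code from the original article). It applies the quishing
checks described above: surface the main (registrable) domain, flag link
shorteners, flag lookalike letters (non-ASCII or mixed-script labels), require
HTTPS, and list UTM tracking parameters. The shortener list, the tiny
public-suffix table and the expected_domain parameter are assumptions.
"""
import unicodedata
from urllib.parse import parse_qs, urlsplit

# Constructed, illustrative list of shortener hosts (not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# A few two-level public suffixes; a real tool would use the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the main domain, e.g. 'paypal.com' for 'www.paypal.com' but
    'login-verify.example' for 'paypal.com.login-verify.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one hostname label, approximated
    by the first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def inspect_qr_url(url: str, expected_domain: str = "") -> dict:
    """Return the decoded host, main domain, tracking parameters, a list of
    findings and a verdict ('ok' or 'suspicious')."""
    findings = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""

    # Turn punycode (xn--...) back into the characters the user would see.
    try:
        shown_host = host.encode("ascii").decode("idna")
    except UnicodeError:
        shown_host = host  # host already contains non-ASCII characters

    if parts.scheme != "https":
        findings.append(f"not HTTPS (scheme is {parts.scheme or 'missing'})")
    if not shown_host:
        findings.append("no hostname in link")

    domain = registrable_domain(shown_host) if shown_host else ""
    if domain in SHORTENERS:
        findings.append(f"link shortener {domain}: expand it before trusting the destination")
    if expected_domain and domain != expected_domain.lower():
        findings.append(f"main domain is {domain!r}, not {expected_domain!r}")

    if shown_host and not shown_host.isascii():
        findings.append(f"non-ASCII hostname {shown_host!r}: check for lookalike letters")
    for label in shown_host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")

    # UTM parameters only tag the campaign, but it is useful to see them listed.
    tracking = sorted(k for k in parse_qs(parts.query) if k.startswith("utm_"))
    return {
        "host": shown_host,
        "main_domain": domain,
        "tracking_params": tracking,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin?utm_source=flyer",
                 "http://paypal.com.login-verify.example/",
                 "https://\u0440\u0430\u0443\u0440\u0430l.com/login"):  # Cyrillic lookalike of paypal
        print(link, "->", inspect_qr_url(link, "paypal.com"))
```

The mixed-script check runs per label rather than over the whole hostname, so a genuinely non-Latin brand under a Latin top-level domain is reported only as non-ASCII, while a label that mixes Cyrillic and Latin letters (the “раураl” trick from tip 3) is flagged outright.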

2. Malware downloads

QR codes can link to a file instead of a normal website. You might think you’re downloading a menu, ticket, or app update, but the file can contain spyware or other harmful software. After you install it, the malware can track your activity, steal your data, or show intrusive ads.

These threats look normal in context, like a conference badge that claims to give access to session materials, or a restaurant QR code that asks you to download an app. Never install anything from unknown sources, no matter how much “it makes sense to be there.”

3. Fake payment or donation QR codes

Fake payment or donation QR codes appear in public places, on flyers, or even layered over real codes. You think you’re paying for parking or donating to a cause, when in reality your money goes straight to a scammer’s account.

Since QR payments happen fast, you may not double-check the recipient name before confirming. Scammers place these codes in busy settings where you’re less likely to pause and verify the payment details carefully.

4. Malicious Wi-Fi QR codes

Everyone loves free Wi-Fi, and QR codes mean no typing in long passwords, either. You scan, join the network, and assume it’s safe. But just as in an “Evil Twin” attack, the hotspot could be controlled by someone monitoring traffic or injecting harmful content.

Once connected, your data may pass through their system. That makes it easier for them to capture login credentials or redirect you to fake sites, especially if you’re browsing without checking the address bar.
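
A Wi-Fi QR code is just a short text payload, so a scanner app can show you what you are about to join before it connects. The Python script below is an added example, not code from the original article: it parses the common `WIFI:T:<security>;S:<ssid>;P:<password>;H:<hidden>;;` payload, including its backslash escapes, and warns about the cases the text above cautions against, namely open or WEP networks whose traffic anyone nearby can read and hidden SSIDs that are hard to confirm. The warning wording is ours.

```python
"""Inspect a Wi-Fi QR payload before joining the network.

Added example (not from the original article). It parses the common
WIFI:T:<security>;S:<ssid>;P:<password>;H:<hidden>;; payload, honouring the
backslash escapes for ';', ',', ':' and '\\', and lists reasons to think twice
before joining. Warning texts are our own wording.
"""


def parse_wifi_qr(payload: str) -> dict:
    """Split a WIFI: payload into its fields, honouring backslash escapes."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    body = payload[len("WIFI:"):]
    fields, key, value, i = {}, None, [], 0
    while i < len(body):
        ch = body[i]
        if key is None:
            if ch == ";":                # stray or terminating ';' between fields
                i += 1
                continue
            end = body.find(":", i)
            if end == -1:
                raise ValueError(f"malformed field near {body[i:]!r}")
            key, i = body[i:end], end + 1
        elif ch == "\\" and i + 1 < len(body):
            value.append(body[i + 1])    # escaped character is taken literally
            i += 2
        elif ch == ";":
            fields[key] = "".join(value)
            key, value, i = None, [], i + 1
        else:
            value.append(ch)
            i += 1
    if key is not None:
        fields[key] = "".join(value)     # tolerate a missing final ';'
    return fields


def assess_wifi_qr(payload: str) -> dict:
    """Summarise the network and list reasons to think twice before joining."""
    fields = parse_wifi_qr(payload)
    security = fields.get("T", "").upper() or "NOPASS"
    warnings = []
    if security == "NOPASS":
        warnings.append("open network: traffic is unencrypted over the air")
    elif security == "WEP":
        warnings.append("WEP: obsolete encryption, treat it as an open network")
    if fields.get("H", "").lower() == "true":
        warnings.append("hidden SSID: you cannot see the network name to confirm it")
    if not fields.get("S"):
        warnings.append("missing SSID")
    return {"ssid": fields.get("S", ""), "security": security, "warnings": warnings}


if __name__ == "__main__":
    for sample in ("WIFI:T:WPA;S:HomeNet;P:secret;;",
                   "WIFI:T:nopass;S:FreeAirport;;",
                   r"WIFI:T:WPA;S:Cafe\;Corner;P:p\:ss\\word;H:true;;"):
        print(sample, "->", assess_wifi_qr(sample))
```

Even a network that passes these checks can still be an impostor hotspot with the same name as the real one, which is why the advice in the text to keep an eye on the address bar after joining still applies.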

5. QRLJacking

QRLJacking targets QR-based login systems. An attacker generates a legitimate login QR code from a real service, then tricks you into scanning it. When you do, you unknowingly log them into your account instead of your own device.

Because the code itself is valid, it can look completely safe. However, you’re pairing your account with the attacker’s session. This often affects platforms that use QR login for convenience (e.g., Slack, WhatsApp), so always confirm where the code came from before scanning.

6. Brushing scams

Brushing scams involve receiving unexpected packages, and the FBI warns that QR codes can play a role in these schemes. The package may arrive without sender info, but will include a code asking you to scan it for more details or to confirm delivery.

Normally, brushing scams use this tactic to collect personal data or boost fake reviews under your name. In this case, once you scan and enter details, scammers can link your information to fraudulent activity, which could get you in trouble long after the fact.

If you don’t remember ordering anything and don’t see proper sender info, avoid scanning sketchy packages.

Do QR codes collect personal information?

Simply scanning a QR code won’t collect any personally identifiable information. However, following a scanned link may lead to a website or service that gathers aggregate data for analytics and similar purposes, including:

  • Location data: Shows where users scan QR codes based on IP addresses; useful to understand which areas interact with the code the most.
  • QR code usage statistics: Tracks timestamps and how often codes are scanned, which helps businesses see which promotions or materials get the most attention over time.
  • Device, OS, browser, and language settings: Helps developers understand the tech their audience uses, like whether iPhone or Android users are more likely to scan the code, or if they should consider offering their service in other languages.
  • Referral sources: Where the user came from before scanning, like a website, social media post, or printed material.
  • UTM tags: Some links include tiny labels called UTMs that tell the website which campaign, post, or ad led someone to scan the QR code. They just track traffic and don’t collect personal info.

Beyond that, you’d have to check the website’s privacy policy to see what other data they collect. Of course, QR codes can also lead to forms that ask you to insert personal data (such as for a survey), but this isn’t collected automatically.

Over time, if you scan many codes linked to the same platforms or campaigns, it can help build a picture of your interests or habits. While QR codes can’t personally identify you, it’s worth knowing that each scan adds to your overall digital footprint.

How to minimize the risks of using QR codes

New threats pop up all the time, but these tips should reduce QR code risks and keep your data safe:

  • Don’t scan random codes: Only scan codes from trusted sources. Avoid flyers, posters, or random codes in public places where someone could swap in a fake one. The same goes for QR codes in emails you can’t confirm are legit.
  • Stick to the built-in QR scanner: Use your phone’s camera or a trusted scanner app that shows a link preview (Google Lens and Photos work).
  • Check the URL before tapping: Look at the full web address before opening anything. If it looks off or doesn’t match the company, don’t proceed. Some malicious links use shorteners (e.g., bit.ly, tinyurl) to mask the domain; best to avoid them entirely.
  • Use anti-tracking browser extensions: Add extensions that block trackers when you open QR links, so your activity isn’t logged across websites.
  • Limit what you share via QR codes: Avoid giving too much personal info when filling out QR-linked forms, unless it’s absolutely necessary.
  • Use disposable or temporary emails: If a QR code asks for registration, use a temporary address to avoid spam or having your main account exposed in a data breach.
  • Read the company’s privacy policy: Check how they handle your info before scanning codes to check in, enter contests, or register for accounts.
  • Enable two-factor authentication (2FA): Add 2FA to your sensitive accounts so even if someone gets your login through quishing, they can’t access it easily.
  • Update your device and apps: Always install the latest iOS, Android, and app updates to patch vulnerabilities that malicious QR links could exploit.
  • Report suspicious codes: If you find a code that seems fake or tampered with, alert the business or platform so others don’t fall for it.

Where to report fraudulent QR codes

If you spot a QR code that looks fake, leads to a scam site, or looks like it’s been swapped, reporting it helps authorities track and shut down scams. You can file reports with agencies that handle online fraud, phishing, and cyber scams in your region:

In the United States, you can report scams, including QR code-based fraud, to the FTC or the FBI’s IC3. If you’re in the United Kingdom, contact Action Fraud. Canadians can report QR scams to the AFC, while Australians should get in touch with the ACCC.

No matter your location, local law enforcement or anti-fraud agencies should be able to help prevent scams in your area.

How to create and share QR codes safely

Whether you’re a business owner, putting up flyers for a cause, or organizing a community event, here’s how to create and share your info without exposing yourself or your users to the usual QR code risks.

1. Choose a trusted QR code generator

Not all services are safe, so picking a reliable QR generator is essential. Use well-known tools with a clear privacy policy and positive reviews. Avoid random apps that ask for unnecessary permissions or might store the data you encode.

A good generator gives you control over your QR codes, lets you track usage, and often includes extra security features. This reduces the risk of someone hijacking or misusing the codes you share with users or customers.

2. Double-check the encoded content

Verify every link, Wi-Fi password, or message before sharing the QR code to make sure it points exactly where you want it to.

Be extra careful with URLs to avoid typosquatting, where attackers register domains that look almost identical to the real one. A single swapped letter can redirect users to a malicious site, so double-check every character in your links.

3. Set access control and usage limits

Controlling who can scan your QR code prevents unwanted access. Some generators let you restrict scanning to certain devices, locations, or user accounts. You can also limit the number of scans to prevent abuse.

Adding a random hash to each code ensures only the intended audience (like diners at a restaurant) can use it and prevents outsiders from scanning leftover codes. For extra safety, generate a new QR code for each session or user. Once the session ends or the bill is settled, make the code invalid.

4. Secure QR data with encryption

Encrypting the information inside your QR code adds a strong layer of protection. Technologies like SQRC let you split the data into public and private parts, letting anyone see general info while keeping the private portion locked behind a key. This way, even if someone scans the code with a normal app, they won’t get access to confidential content.

Event organizers often use this for ticketing, especially VIP or backstage passes. Only the official app or system can read the encrypted part, ensuring that access rights can’t be faked. Encrypted QR codes also appear in banking and healthcare, where private data needs to stay secure while still being easily scannable.

5. Prevent QR code tampering

Attackers sometimes swap legitimate QR codes with malicious ones to trick your users. To stop this, use unique codes and check the codes regularly wherever you share them, making sure they haven’t been replaced or altered.

You can also add digital signatures to your QR codes. When someone scans the code, the app checks the signature to confirm it’s valid. If an attacker modifies the content, the signature becomes invalid, letting users and systems know the code has been tampered with.

Physical measures like printing on tamper-proof stickers or embedding your logo into the QR design make copying or faking your codes even harder.

6. Use time-limited, dynamic QR codes

Dynamic QR codes are more secure than static ones, as they link to a server that can refresh them and invalidate old codes. Setting an expiration window is also a good idea, so the code automatically stops working if the user doesn’t activate it within a set period.
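
Steps 3, 5 and 6 above (a random per-session value in each code, a check that the content has not been tampered with, and an expiry window plus server-side invalidation) fit together naturally in one small service. The Python class below is an added example, not code from the original article or from any QR generator. The URL layout, the parameter names and the table-number context are assumptions. It uses an HMAC tag from the standard library in place of the public-key signature the text describes; from the verifier’s point of view the check is the same (any change to the session id or expiry makes the tag fail), but with HMAC only a server holding the secret can verify, so this matches the server-backed dynamic codes of step 6 rather than an offline scanner app.

```python
"""Issue and verify per-session, expiring, tamper-evident QR links.

Added example (not from the original article). Each code carries a random
session id, an expiry timestamp and an HMAC tag over both; the server can
also invalidate a session (e.g. once the bill is settled). URL layout,
parameter names and the HMAC-instead-of-signature choice are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class QrTokenService:
    def __init__(self, secret: bytes, base_url: str, ttl_seconds: int = 600, clock=time.time):
        self._secret = secret          # server-side key; never embedded in the code
        self._base_url = base_url
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for testing
        self._active = {}              # session id -> context (e.g. table number)

    def _tag(self, sid: str, exp: int) -> str:
        """Keyed tag binding the session id to its expiry time."""
        msg = f"{sid}|{exp}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).decode().rstrip("=")

    def issue(self, context: str) -> str:
        """Create the URL to encode in a fresh QR code for one session."""
        sid = secrets.token_urlsafe(16)              # the random per-code value
        exp = int(self._clock()) + self._ttl
        self._active[sid] = context
        query = urlencode({"sid": sid, "exp": exp, "sig": self._tag(sid, exp)})
        return f"{self._base_url}?{query}"

    def invalidate(self, sid: str) -> None:
        """Close a session so its code stops working (bill settled, event over)."""
        self._active.pop(sid, None)

    def verify(self, url: str) -> tuple:
        """Return (ok, context-or-reason) for a scanned URL."""
        q = parse_qs(urlsplit(url).query)
        try:
            sid, exp, sig = q["sid"][0], int(q["exp"][0]), q["sig"][0]
        except (KeyError, ValueError):
            return False, "malformed"
        # Check the tag first: an altered sid or exp fails here (tampering).
        if not hmac.compare_digest(sig, self._tag(sid, exp)):
            return False, "bad signature (tampered or forged)"
        if self._clock() > exp:
            return False, "expired"
        if sid not in self._active:
            return False, "session closed or unknown"
        return True, self._active[sid]


if __name__ == "__main__":
    svc = QrTokenService(secrets.token_bytes(32), "https://orders.example/t", ttl_seconds=600)
    link = svc.issue("table 7")
    print("encode in QR:", link)
    print("scan:", svc.verify(link))
    print("tampered:", svc.verify(link.replace("sid=", "sid=x")))
```

Regenerating the code per session means a photo of yesterday’s table code (the restaurant story above) verifies as “session closed or unknown” rather than placing orders, and the expiry handles codes that were never used at all.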

7. Make the design readable

Custom colors, logos, or patterns can make your QR code look nice, but they shouldn’t affect scanning. Keep enough contrast and avoid making the code too small or dense.

A readable design ensures all scanners can decode it quickly. This is important for users with older devices or low-light conditions, and it reduces the risk of errors when accessing linked content.

8. Test the code on different devices

Speaking of older devices, scan your QR code on multiple phones, tablets, and apps to confirm it works everywhere. Check how it behaves in different browsers too. A little testing helps you catch problems before you spend money printing codes that point to broken URLs or that half your audience can’t scan.

9. Keep an eye on usage

Monitor who scans your QR codes and when. Unexpected spikes or unusual locations can indicate misuse or that the code was shared beyond your intended audience. Regularly reviewing scan data lets you spot suspicious activity early and take action before it causes problems or exposes private content.
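
The two signals mentioned here, a sudden burst of scans on one code and scans from places your audience should not be, are easy to check automatically once you have a scan export. The Python script below is an added example, not code from the original article or from any QR platform: the log format, the sample lines (constructed to include one prank-style burst and one code scanned from an unexpected country) and the thresholds are assumptions to adapt to whatever your service exports.

```python
"""Spot misuse in QR scan logs: bursts of scans on one code, and scans from
outside the expected region.

Added example (not from the original article). The log format, the sample
lines and the thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one scan per line: timestamp, code id, country.
SAMPLE_LOG = """\
2024-05-03T12:00:05Z code=table-07 country=US
2024-05-03T12:20:41Z code=table-07 country=US
2024-05-03T12:58:10Z code=table-07 country=US
2024-05-03T13:02:00Z code=table-12 country=US
2024-05-03T13:02:07Z code=table-12 country=US
2024-05-03T13:02:09Z code=table-12 country=US
2024-05-03T13:02:15Z code=table-12 country=US
2024-05-03T13:02:22Z code=table-12 country=US
2024-05-03T13:02:38Z code=table-12 country=US
2024-05-03T14:10:00Z code=menu-03 country=US
2024-05-03T14:11:30Z code=menu-03 country=BR
2024-05-03T14:12:45Z code=menu-03 country=BR
2024-05-03T15:00:00Z code=menu-03 country=US
"""


def parse_scan(line: str) -> dict:
    """'<ISO timestamp> key=value ...' -> {'ts': datetime, 'code': ..., 'country': ...}"""
    ts, _, rest = line.partition(" ")
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in rest.split():
        key, _, val = pair.partition("=")
        record[key] = val
    return record


def find_anomalies(lines, expected_countries, window=timedelta(minutes=1), burst_threshold=5):
    """Return {'bursts': {code: {'count', 'from'}}, 'foreign': {code: {country: n}}}.

    A burst is burst_threshold or more scans of one code inside any sliding
    window of the given length; a foreign scan is one whose country is not in
    expected_countries.
    """
    scans = [parse_scan(line) for line in lines if line.strip()]
    by_code = defaultdict(list)
    foreign = defaultdict(Counter)
    for s in scans:
        by_code[s["code"]].append(s["ts"])
        if s["country"] not in expected_countries:
            foreign[s["code"]][s["country"]] += 1

    bursts = {}
    for code, stamps in by_code.items():
        stamps.sort()
        best, best_start, j = 0, None, 0
        for i, t in enumerate(stamps):           # two-pointer sliding window
            while t - stamps[j] > window:
                j += 1
            if i - j + 1 > best:
                best, best_start = i - j + 1, stamps[j]
        if best >= burst_threshold:
            bursts[code] = {"count": best, "from": best_start.isoformat()}

    return {"bursts": bursts, "foreign": {c: dict(n) for c, n in foreign.items()}}


if __name__ == "__main__":
    report = find_anomalies(SAMPLE_LOG.splitlines(), expected_countries={"US"})
    for code, info in report["bursts"].items():
        print(f"burst on {code}: {info['count']} scans within a minute from {info['from']}")
    for code, countries in report["foreign"].items():
        print(f"{code} scanned from unexpected countries: {countries}")
```

In the sample, `table-12` collects six scans in under a minute, the pattern a prank like the one in the restaurant story would leave, while `menu-03` shows scans from a country where that menu was never posted, which suggests the code has been shared beyond its intended audience. Thresholds should come from your own baseline: a code on a busy poster may legitimately see more than five scans a minute.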

Frequently asked questions

Are QR codes a cybersecurity risk?

QR codes can be a cybersecurity risk because they’re essentially shortcuts to websites. Scanning one without checking the link first can take you to phishing sites or malicious downloads. You should always pause to see where it leads before tapping anything.

Can hackers get your info if you scan a QR code?

Hackers can get your info if you scan a QR code that links to a phishing site or malicious download. They can trick you into entering personal details or install software on your device, so verifying the source and inspecting the link is essential before scanning.

Can someone read my WhatsApp messages by scanning a QR code?

Your WhatsApp messages can’t be read just by someone scanning a QR code. Now, the WhatsApp Web version does have a QR login feature you can use to pair your phone with a browser. However, that requires unrestricted access to your phone, in which case an attacker could already read your messages.

Just make sure not to log in on a shared device, or anyone else using it can snoop through your texts. One option is to use a private window or Incognito mode, which will clear your login once you close the browser, thus keeping your conversations private.

How can I tell if a QR code scanner app is legit?

You can tell if a QR code scanner app is legit by checking reviews, ratings, and developer info. Stick to official app stores and avoid apps that ask for anything other than Camera permissions, such as contacts or messages.