Security 2026-02-25 5 min By Cornelious Fazal

How to Tell If a QR Code Is Safe Before You Scan It

Quick Answer

Most QR safety guides tell you what to do AFTER a scam. This guide shows you exactly how to verify a QR code is legitimate before you ever point your camera at it.

Safety Note: If you believe you have already scanned a malicious QR code and entered personal information, contact your bank immediately and change any compromised passwords. The FBI's Internet Crime Complaint Center (IC3) at ic3.gov accepts reports of QR code fraud.

Why Most QR Safety Advice Is Too Late

Search for "QR code scam" and you find hundreds of articles explaining what happens after you have already been attacked. They describe phishing sites, malware downloads, and credential theft in detail - after the fact.

This guide is different. It gives you a five-step pre-scan checklist you run before you point your camera. Every step takes under 10 seconds. Together they catch the overwhelming majority of malicious codes deployed in public spaces and unsolicited emails in 2026.

Step 1: Read the URL Preview Before You Tap

Both Apple iOS and Google Android show a URL preview "bubble" at the top of the screen the moment the camera detects a QR code. This preview appears before you tap it - and before the browser opens.

You must read the domain name in that preview. Ask three questions:

  • Do I recognize this domain? If the code is on a restaurant table and the preview shows strangesite-payment.net, that is a red flag.
  • Is the spelling correct? Attackers register lookalike domains: paypa1.com (with the number 1) instead of paypal.com, or amazon-secure-login.com instead of amazon.com.
  • Does the domain match the context? A parking meter code should point to a known local government or parking operator domain - not a financial services page you have never seen.

If anything in the preview looks wrong, close the camera app immediately. Do not tap.

Step 2: Physically Inspect the Code for Sticker Overlays

The most common physical attack involves a criminal printing a malicious QR code on waterproof sticker paper and pressing it directly over a legitimate code. From a distance, you cannot tell the difference.

Before scanning any public QR code - especially on parking meters, EV chargers, ATMs, or restaurant tabletops - do this physical check:

  1. Run your fingernail along the edge of the code. A sticker overlay has a slightly raised edge you can feel.
  2. Look for misaligned edges or uneven borders compared to the surrounding printed material.
  3. Check if the code's quiet zone (the white border) looks like it was cut off or is a different shade than the surrounding label.

If you feel or see an overlay, do not scan. Report the tampered code to the business or local authority responsible for the asset.

Step 3: Never Scan a Code in an Unsolicited Email or Text

A QR code embedded in an email is almost never legitimate. Real companies send hyperlinks in emails - not image-based QR codes - because hyperlinks are plainly visible and users can hover over them to check the destination.

When a code appears in an email, it is typically because the attacker wants to bypass your corporate email security gateway. Email filters check hyperlinks for malicious destinations automatically. They cannot easily decode a QR code image.

The rule: if you did not actively request an email that contains a QR code, treat the code as malicious until proven otherwise. Call the company directly using a phone number from their official website to verify.

Step 4: Never Scan a Code Displayed on a Computer Screen

A QR code appearing on a screen - inside an email, a chat message, or a Teams/Slack notification - and asking you to scan it with your personal phone is a major red flag.

Legitimate IT systems do not make employees scan their monitor with a personal phone to update software, reset a corporate password, or verify their identity. If this ever happens to you at your workplace, call your IT help desk before scanning anything.

Step 5: Use a QR Scanner App That Previews URLs

The native camera app on both iPhone and Android shows the URL preview but does not perform any safety analysis of the destination. For scanning public codes in high-risk environments (parking lots, transit stations, events), consider using a dedicated scanner app that actively checks the destination URL against known malicious site databases before opening it.

Options include Kaspersky's QR Scanner (available on iOS and Android) and Trend Micro's QR Scanner, both of which perform a background safety check on the URL before loading the page.

For QR codes you generate for your own business, always use a free static code that links directly to your own domain - not a dynamic code that routes through a commercial redirect server that attackers can target. Read our full guide on why static QR codes are safer than dynamic ones to understand the technical difference.

Frequently Asked Questions

What happens if you scan a malicious QR code?

The outcome depends on what the code encodes. Most malicious codes redirect to phishing websites that mimic real login pages to steal credentials. Others attempt to auto-download malware. A small number trigger phone actions like making a call or sending a pre-composed text. If you scanned a suspicious code, do not enter any information on the page that opened, close the browser immediately, and change any passwords you may have entered.

Can scanning a QR code install malware on its own?

Scanning a QR code alone cannot install malware. The code must redirect you to a webpage or trigger a file download that you then interact with. However, if the code opens a webpage exploiting a browser vulnerability on an unpatched phone, drive-by malware installation is theoretically possible. Keeping your phone operating system updated eliminates the overwhelming majority of such risks.

Where do I report a QR code scam?

In the United States, report QR code fraud to the FBI Internet Crime Complaint Center at ic3.gov. For codes found on government property (parking meters, public transit), report to the local authority managing that asset. For codes on private business property, notify the business manager directly so they can inspect and replace the compromised code.

Is it safe to scan a restaurant's QR code menu?

Generally yes, if the code is on the restaurant's own printed material and the URL preview shows the restaurant's own website domain. The risk increases with tabletop codes where a third party could have pressed a sticker overlay. Do the physical edge inspection described in Step 2 if you are scanning a tabletop code in an unfamiliar location.

What is the single most effective way to tell if a QR code is safe?

Previewing the URL and reading the domain name is your most effective single defence. Most phishing pages use recognizable brand names in subdomains or paths to appear legitimate. Always focus on the root domain (the part just before .com, .net, or .org), not the full path. The root domain is the only part the attacker cannot impersonate without detection.
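As an added illustration of the three Step 1 questions and the root-domain rule in the answer above (example code written for this article, not a tool the author recommends), the Python below applies those checks to a decoded QR destination and lists the red flags a reader should look for in the preview bubble. The expected root domain, the digit-for-letter table and the sample URLs are constructed, and the root-domain rule uses the article's simplified "label just before .com/.net/.org" definition, so multi-part suffixes such as .co.uk are not handled.

```python
from urllib.parse import urlsplit

# Constructed table of the digit-for-letter swaps the article warns about
# (e.g. paypa1.com for paypal.com); deliberately small, not exhaustive.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def _split(url: str):
    # Bare hosts such as "menu.example.com/x" get a scheme so urlsplit sees a netloc.
    parts = urlsplit(url.strip())
    return parts if parts.scheme else urlsplit("http://" + url.strip())


def root_domain(url: str) -> str:
    """Root domain as the article defines it: the label just before the TLD plus
    the TLD. Assumption/simplification: multi-part suffixes like .co.uk would need
    a public-suffix list and are not handled here."""
    host = (_split(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_qr_url(url: str, expected_root: str) -> list[str]:
    """Apply the Step 1 questions to a decoded QR destination and return the red
    flags found. An empty list means the root domain matches what the context
    (restaurant, parking operator, bank) leads you to expect."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    root = root_domain(url)
    brand = expected_root.split(".")[0]
    flags: list[str] = []
    if root == expected_root:
        return flags
    if parts.scheme not in ("http", "https"):
        # tel:, sms:, mailto: and similar trigger a phone action rather than a page
        flags.append(f"non-web scheme {parts.scheme!r}: code triggers a phone action, not a web page")
        return flags
    # Brand name hidden in a subdomain or path while the root domain belongs to someone else
    if brand in host.removesuffix(root) or brand in parts.path.lower():
        flags.append(f"brand '{brand}' appears in subdomain/path but root domain is {root}")
    # Lookalike root: identical once digits are read as the letters they imitate
    if root.translate(HOMOGLYPHS) == expected_root:
        flags.append(f"lookalike root domain {root} (digit/letter substitution for {expected_root})")
    elif brand in root.split(".")[0]:
        flags.append(f"root domain {root} pads the brand name with extra words")
    flags.append(f"root domain {root} does not match expected {expected_root}")
    return flags
```

Run `check_qr_url("https://paypal.com.evil.net/signin", "paypal.com")` to see the subdomain trick flagged with `evil.net` as the real root domain.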