
Simple guide to QR code scams and how to check if a code is safe

Hand scanning code. Photo by Marielle Ursua on Unsplash.

QR codes are everywhere now: on restaurant tables, parcel lockers, posters, bills, and even in public transport. They are convenient, fast, and feel almost automatic to use.

That convenience is exactly why scammers like them. With one quick scan, your phone can be sent to a malicious site, a fake payment page, or a download you never meant to start. The good news: with a few checks, you can use QR codes with far more confidence.

How QR code scams actually work

A QR code is just a shortcut to information: usually a web address, payment request, contact card, or Wi-Fi details. Your camera reads the pattern and turns it into something your phone understands.

Scammers exploit the fact that most people scan first and think later. They rely on trust in the physical object: a poster, a sticker, a parcel, or a restaurant menu. If the code looks like it “belongs there”, many people do not question it.

Common types of QR code scams

  • Fake payment codes: A sticker placed over a real code at parking machines, charity boxes, or tip jars that sends money to the scammer instead of the organisation.
  • Fake login pages: A code that opens a realistic-looking page for services like email, cloud storage or banking and steals your password when you sign in.
  • Malicious downloads: A code that starts a download for a suspicious app or file that can contain malware, especially when you are prompted to install something outside the official app store.
  • Phishing forms: A code from a parcel “delivery problem” note, parking ticket, or survey that asks for card details or personal data it does not need.

The QR code itself is not dangerous. The risk comes from what it sends you to and how quickly you interact without checking.

Before you scan: quick checks in the real world

Your first line of defence is not on the screen, it is in your surroundings. Look at where the QR code is and how it is attached or printed.

Ask yourself a few simple questions before you even open the camera.

Physical red flags around a QR code

  • Sticker on top of something else: If the code looks like a fresh sticker on an old sign, machine or menu, especially if crooked or low quality, be careful.
  • Code in unusual places: A QR code taped to a parking meter, street sign, ATM, or door is worth questioning, especially if there is no clear company branding.
  • No clear explanation: If the sign just says “Scan here” without explaining what will happen (pay, read the menu, visit a site), treat it with suspicion.
  • Pressure or urgency: Notes like “Pay this fine within 1 hour” or “Your package will be returned today” combined with a QR code are classic scare tactics.

If something feels off, use an official app instead, like your parking app, delivery app, or the company’s own website typed manually.

What to check on your phone before you tap

Most modern phones show the web address (URL) that a QR code points to before you open it. This small preview is your best friend.

Take two seconds to read it. Those two seconds can save you from a lot of trouble.

How to read the QR link preview

  • Check the domain: Focus on the part just before the last “.com”, “.lt”, “.eu” and so on. For example, in support.example.com, the main domain is example.com. In example.support.com, the main domain is support.com, which can be completely different.
  • Watch for lookalikes: Scam pages often use tiny changes like examp1e.com (with a “1”), extra letters, or different endings like .info instead of .com.
  • Look for URL shorteners: Links like bit.ly, tinyurl, or other short domains can be legitimate, but you cannot see where they go. Only tap them if you fully trust the source.
  • Do not ignore security warnings: If your browser or phone shows a warning about an unsafe site or certificate issue, back out. Those warnings exist for a reason.

If the preview looks odd or unrelated to what you expect (for example, a random domain when you are paying parking fees), cancel and use a known method instead.
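The preview checks above can also be automated, for example in a help-desk script or a scanner app. The following is an added example, not part of the original article: the function names, the shortener list, the two-label suffix set (a tiny stand-in for the Public Suffix List) and the 0.8 similarity threshold are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample data for this example; real checks need maintained lists.
SHORTENERS = {"bit.ly", "tinyurl.com"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}  # tiny stand-in for the Public Suffix List
DIGIT_FOR_LETTER = str.maketrans("0135", "oles")  # e.g. "1" posing as "l"


def main_domain(url):
    """Return the main (registrable) domain of a URL, e.g. example.com."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Endings such as co.uk span two labels, so keep one more label for them.
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_preview(url, expected):
    """Classify a QR link preview against the main domain the user expects."""
    domain = main_domain(url)
    if domain == expected:
        return "ok"
    if domain in SHORTENERS:
        return "shortener: destination hidden"
    name = domain.partition(".")[0]
    exp_name = expected.partition(".")[0]
    if name == exp_name:
        return "lookalike: different ending"
    # Undo digit-for-letter swaps, then measure how close the names are.
    normalised = name.translate(DIGIT_FOR_LETTER)
    if SequenceMatcher(None, normalised, exp_name).ratio() >= 0.8:
        return "lookalike: near-identical name"
    return "unexpected domain"


if __name__ == "__main__":
    # Constructed previews for someone who expects to land on example.com.
    samples = [
        "https://support.example.com/pay",
        "https://example.support.com/pay",
        "https://examp1e.com/login",
        "https://example.info/",
        "https://bit.ly/abc",
    ]
    for url in samples:
        print(f"{url:40} {check_preview(url, 'example.com')}")
```

Anything other than "ok" means the preview does not match the expected site and the safer route is the official app or a typed address.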

When it is safer not to use a QR code

Code sticker public. Photo by Stephen Harlan on Unsplash.

There are situations where QR codes are common but not necessary. In these cases, using a different method is often safer and just as quick.

Here are a few moments where it is better to say no to a scan.

Risky scenarios and better alternatives

  • Payments and fines: If a bill, parking ticket or message asks you to pay by scanning a code, cross-check using the official app, banking details you already know, or the organisation’s published payment information.
  • Delivery problems: If you get a note, email or SMS about a failed delivery that includes a QR code, go directly to the delivery company’s website or app instead of scanning.
  • Wi-Fi access: Some places share Wi-Fi through QR codes. If the network name or provider looks unfamiliar, ask staff to confirm or type the password manually.
  • Public posters and advertisements: For unknown brands or offers that look “too good to be true”, search for the company by name in your browser rather than scanning.

A simple rule: if money, passwords or personal data are involved, prefer a method you initiated yourself, like opening an official app or typing an address.

Extra phone settings that make QR scanning safer

A few small changes on your phone can limit damage if you do end up on a malicious page. They are not perfect protections, but they add useful friction.

Most of these are available on both Android and iOS, though names and exact paths can change over time, so check your current system version.

Useful options to turn on

  • Built-in browser protection: Use a modern browser with security features turned on, such as blocking dangerous sites and alerting you to suspicious pages.
  • No automatic downloads or installs: If a scanned link tries to download an app outside the official store, cancel. Only install apps from Google Play, Apple’s App Store, or your organisation’s approved source.
  • Password manager: A built-in or trusted password manager often does not autofill on fake domains. If it refuses to fill your details, treat that as a warning.
  • Two-factor authentication: Even if a malicious QR code tricks you into sharing a password, an extra sign-in code can still block access to your accounts.

It is also wise to keep your phone’s system updates and apps current. Updates often close security gaps that attackers rely on.

What to do if you scanned a suspicious QR code

Everyone makes mistakes, especially when in a hurry. If you realise a link looked wrong or you entered details on a strange page, act quickly rather than feeling embarrassed.

Fast action can reduce the impact dramatically.

Immediate actions to take

  • Close the page: Exit the browser tab or app right away. Do not tap additional pop-ups or permissions.
  • Change passwords: If you entered a password on a suspicious page, change it directly on the legitimate site or app as soon as possible.
  • Watch your bank and accounts: Check for unfamiliar transactions or login alerts. Inform your bank promptly if you see anything unusual.
  • Run a security check: Use your phone’s built-in security tools or a reputable security app to scan for issues, especially if something was downloaded.
  • Get official help: For serious concerns, contact your bank, mobile provider, employer IT support, or relevant authority using contact details from their official site, not from the suspicious message.

If the QR code came from a physical place like a café, parking machine or shop, consider informing staff so they can remove any malicious stickers and warn other customers.

Making QR codes work for you, not scammers

QR codes are not going away. Used thoughtfully, they are a useful shortcut that saves you typing and time. The key is to bring a small pause and a quick check into your routine.

Look at where the code is, read the link preview, be extra cautious when money or logins are involved, and trust your instincts if something feels off. A few seconds of attention are often enough to stay on the safe side.
