Protect yourself from QR scams, quishing, and phishing. Safe scanning and creating trustworthy codes.
QR codes are convenient, but that convenience makes them a target for scams. A sticker placed over a legitimate code, a phishing link in a parking meter, or a fake payment QR at a register can trick people into visiting malicious sites or sending money to the wrong account. This guide covers how to scan safely, how to create trustworthy codes on OnestQR, and what to do if something looks wrong.
QR adoption surged across restaurants, parking, transit, and retail. Scammers noticed. Because a QR code hides the destination URL until the scan completes, people cannot preview where they are going the way they can with a typed link.
Security researchers call email based QR phishing "quishing." The pattern is the same in physical spaces: replace or overlay a legitimate code with one that points somewhere malicious. Awareness is your first defense. For safe creation habits, also read QR code best practices.
An attacker places a new QR sticker on top of a real one. The victim scans what looks like an official parking, menu, or payment code but lands on a phishing site or a payment page controlled by the attacker.
The scanned page mimics a bank login, email sign in, or government portal. Victims enter credentials that go straight to the attacker.
Some malicious destinations trigger automatic file downloads or exploit browser vulnerabilities. Less common on modern phones, but still worth guarding against.
Fake payment QR codes at registers or peer to peer payment scams route money to the wrong account. Always verify the recipient name before confirming a payment.
Phishing emails now include QR images instead of clickable links to bypass email filters. The email claims to be from your bank, courier, or IT department and asks you to scan for an urgent action.
Most QR codes are legitimate. These habits reduce your risk without avoiding QR codes entirely:
If a scanned page asks for credentials you did not expect, close it and navigate to the service directly by typing the URL or using the official app.
If you publish QR codes for your business, your customers' security depends on your practices. On OnestQR, every code is a dynamic redirect, which gives you advantages static codes cannot match.
Point codes to pages on your own website or verified profiles. A code that leads to a generic redirect chain through unfamiliar domains erodes trust. Link directly to your menu, booking page, or contact page.
Send scanners to mobile friendly pages with clear branding. A page that looks abandoned or unrelated to your business triggers the same suspicion as a suspicious domain. For contact pages, see our vCard QR code landing page for the recommended URL based approach.
On public signage, laminate codes flush with the surface so stickers cannot be layered on top. Check codes periodically in high traffic areas. If you find a tampered code, replace it immediately and update the destination in your OnestQR dashboard if needed.
All OnestQR codes are dynamic redirects. If you discover that a printed code was compromised or needs to point somewhere else, change the destination in seconds without reprinting. Read static vs dynamic QR codes to understand why this matters for security response.
Unexpected scan spikes from countries or devices you do not serve can signal that your code was copied or tampered with. OnestQR records timestamp, device type, country, browser, and operating system on every scan at no extra cost. Setup is in how to track QR code scans, and campaign analysis tips are in the QR code analytics guide.
Organizations printing codes at scale should treat QR deployment as part of their security posture:
For WiFi QR codes, post the network name in plain text as a backup and follow the setup checklist in WiFi QR code setup. Guests should recognize the network name after scanning.
Transparency helps you assess risk:
OnestQR is not a link preview or malware scanning service. The redirect forwards visitors to your configured destination. Keep that destination secure and HTTPS protected on your end.
If you are new to OnestQR, start with how to create a QR code. The process takes under a minute. Customize the design with custom QR code design while keeping contrast high enough to scan reliably.
For large batches of unique codes, bulk CSV upload is not available yet. The QR code API is coming soon. Until then, see bulk QR code generation for current workflow options.
A QR code itself is just encoded data. The risk comes from the destination page or file the code opens. Preview the URL before proceeding and avoid downloading unexpected files.
Look for sticker edges, color mismatches, or codes that appear newer than the surface around them. Compare the code against a known good version on the business website or app.
They can be, because you can change the destination if a code is compromised. All OnestQR codes are dynamic. The safety advantage depends on how quickly you monitor and respond to issues.
Your phone's built in camera app is sufficient for most people. If you use a third party app, choose one from a reputable developer and review its privacy policy.
OnestQR records timestamp, device type, country, browser, and operating system per scan. It does not identify individual users by name. See how to track QR code scans for details.
Clear labeling near the code, a destination on a domain the customer recognizes, a mobile friendly landing page, and physical protection against sticker swaps. Follow the placement rules in QR code best practices.
Codes do not expire on a timer. They keep redirecting as long as your account is active and the destination URL is live. Full details in do QR codes expire.
Generally yes in trusted venues like cafes, hotels, and offices you patronize. Verify the network name matches what is posted nearby. Setup guidance is in WiFi QR code setup.
Dynamic, trackable, and editable free forever. No signup wall, no forced trial, no ads on your scans.