I scanned a suspicious QR code. What should I do now?

Close the page without entering any information. If you already typed a password, change it on the real website immediately and turn on two-factor authentication. If you entered card details, call your bank and ask them to freeze the card.

Legal

QR Code Safety Guide

Q: Can a QR code steal my bank details?

A QR code cannot read or access anything on your phone. But if a code takes you to a convincing fake payment page and you enter your card number there, the attacker gets those details. Always check the domain in your browser bar before entering payment information.

Q: Should I avoid scanning QR codes in public?

No. Most public QR codes are legitimate. Just check the surface for sticker overlays, read the URL preview before tapping and avoid entering sensitive information on pages you reached through an unfamiliar code.

Q: Do I need a special app to scan QR codes safely?

No. Your phone's built-in camera app is the safest option. It shows a URL preview before opening the link. Avoid third-party scanner apps from unknown developers because some bundle adware or request unnecessary permissions.

QR codes show up on restaurant tables, parking meters, package labels, event tickets, shop windows and business cards. Most are harmless. But the same convenience that makes them useful also makes them easy to abuse. This page explains the actual risks, walks through real scam patterns and gives you a short checklist you can use every time you scan.

What a QR code actually is

A QR code is a square pattern that stores a short piece of text. In most cases the text is a URL. The code does not run software, it does not connect to your bank and it cannot read files on your phone. All it does is hand your phone a string of characters so you do not have to type them.

Because you cannot read the destination just by looking at the pattern, you are trusting whoever printed the code. That is where the risk lives.

How QR code scams actually work

Every QR scam follows the same basic formula: get the victim to a fake page, then ask for something valuable. The code is the bait, not the weapon. Here are the methods that appear most often in real reports:

Sticker swap. Someone prints a new QR code on a sticker and pastes it over the original on a parking meter, restaurant table tent or public notice. The victim scans the replacement and lands on a lookalike payment screen.
Phishing mail (quishing). An email arrives with a QR code image instead of a clickable link. The sender claims to be a bank, courier, employer or tax office. Because the URL is hidden inside a picture, most email security filters cannot flag it.
Fake delivery card. A printed card left in the mailbox says a package could not be delivered. The QR code leads to a page that asks for a small redelivery fee, capturing card details in the process.
Malicious redirect chain. The code points to a shortened URL that bounces through several domains before landing on the phishing page. The extra hops make it harder to spot the final destination.
Fake WiFi login. A code in a cafe or hotel lobby connects to a rogue WiFi network. The attacker runs a captive portal that looks like the venue's login page and collects the credentials people type.

What to check before you scan

Look at the surface. Is the code printed directly on the material or is it a sticker on top of something else? A sticker over an existing code is the most common tampering method.
Consider the context. Does the code belong where it is? A QR code taped to a random lamppost promising a prize is a red flag. Official codes appear on branded menus, sealed product packaging, event badges or verified business cards.
Check the sender. If the code arrived in an email, look at the sender address carefully. Banks, couriers and government agencies almost never ask you to scan a QR code inside an email.

What to check after you scan

Read the URL before you tap. Most phone cameras show the URL in a small banner before opening it. Look for misspellings, extra characters or domains that imitate a known brand (for example paypa1.com instead of paypal.com).
Check for HTTPS. A padlock icon alone does not prove a site is safe, but a missing one on a page that asks for personal data is a clear warning sign.
Never enter passwords or card numbers on a page you reached through a QR code unless you have independently verified the domain by typing it into your browser yourself.
Watch for pressure. Scam pages often use countdown timers, account lockout warnings or limited-time offers to rush you. Real services do not force immediate action through a QR scan.

Real scam scenarios people run into

Parking meter stickers

Fraudulent QR stickers on parking meters redirect drivers to a fake payment page that collects card details. This scam has been reported in cities across the US and Europe. If your city has an official parking app, use that instead of scanning a code on the meter. If there is no app, look for the meter's own display or coin slot.

Restaurant and cafe table tents

A scammer replaces the QR code on a table tent with one leading to a phishing page that looks like a tip or payment screen. If the page you land on does not match the restaurant name or asks for card details you did not expect, close it and ask the staff for a paper menu or the direct URL.

Missed delivery notices

A printed card arrives in the mail saying a package could not be delivered. The QR code links to a form that asks for a small redelivery fee. The real goal is your card number. Genuine delivery services reattempt delivery, leave the package at a pickup point or provide a reference number you can check on their official site.

Email and messaging phishing

A QR code inside an email sidesteps traditional link scanners because the URL is embedded in an image, not in clickable text. If any email asks you to scan a code to verify your account, reset your password or confirm a payment, ignore the code and go directly to the service website by typing the address yourself.

Public WiFi login screens

A QR code in a hotel, airport or conference venue connects your phone to a network that looks legitimate but is controlled by an attacker. The captive portal page copies the venue branding and asks for an email, phone number or room number. Check with venue staff for the real network name and compare it to what appears on your screen after scanning.

Crypto and investment codes

Scammers post QR codes on social media, forums or even physical flyers promising free cryptocurrency or high returns. The code leads to a wallet address or a fake exchange login. No legitimate investment opportunity asks you to send funds by scanning a random QR code.

How to protect yourself

Use your phone's built-in camera. You do not need a third-party scanner app. Some third-party apps bundle adware or request permissions they do not need.
Keep your phone's operating system and browser up to date. Security patches close the vulnerabilities that a malicious page might try to exploit.
Turn on two-factor authentication for important accounts. Even if someone captures your password through a fake login page, they still need the second factor to get in.
If a code takes you somewhere unexpected, close the tab. You can always reach a service by typing the official domain directly into your browser.
Use a QR code scanner that shows you the decoded text before visiting the link so you can read the full URL first.

I already scanned a suspicious code. What now?

Close the page immediately. Do not enter any information. If you only previewed the URL and did not interact with the page, you are probably fine.
Disconnect if something downloaded. Turn on airplane mode, then check your recent downloads and delete anything you do not recognize. Run a scan with your phone's built-in security tool.
Change compromised passwords. If you entered a password on the page, change it on the real website right away. Use a different password for every account.
Contact your bank. If you entered card details, call your bank or card issuer immediately and ask them to block the card and watch for unauthorized charges.
Report the scam. Tell the business whose brand was copied and file a report with your local consumer protection agency or police.

For businesses that print QR codes

If you put QR codes in front of your customers, a few precautions make tampering harder and build trust:

Print codes directly on the material. Stickers are easy to peel and replace.
Use your own domain, not a URL shortener. Customers should be able to see where the code leads.
Add a short note next to the code, such as "This code opens yourdomain.com/menu", so people know what to expect before they scan.
Check your codes regularly. Walk through your location and scan each one to confirm it still leads where it should.
Test your codes with a contrast checker and a size calculator to make sure they are readable in the conditions where they will be scanned.

Frequently asked questions

Can a QR code hack my phone?

No. A QR code only holds text, usually a URL. Scanning it does not install software or give anyone access to your phone. The risk starts after you open the link and interact with the page it leads to. Modern phones show you a URL preview before opening anything.

What happens if I scan a malicious QR code?

If you only scan and see the URL preview, nothing happens. The danger is in what you do next: entering passwords on a fake login page, typing card numbers into a phishing form or downloading an app from an untrusted source. As long as you check the URL and close the page if something looks wrong, you are safe.

What is quishing?

Quishing is phishing through QR codes. An attacker prints a fake code on a sticker, flyer or email. The code leads to a page that copies a real login screen or payment form to collect credentials. The word comes from combining "QR" and "phishing."

Can a QR code steal my bank details?

A QR code cannot read or access anything on your phone by itself. But if a code takes you to a convincing fake payment page and you type your card number there, the attacker gets those details. Always check the domain in your browser bar before entering payment information. If you are not sure, close the page and go to the payment provider's website directly.

Should I avoid scanning QR codes in public?

No. Most public QR codes are put there by real businesses for real purposes. Just take a second to check the surface for sticker overlays, read the URL preview before tapping and hold back from entering sensitive information on pages you reached through a code you have not verified.

Do I need a special app to scan QR codes safely?

No. Your phone's built-in camera is the safest option. It shows a URL preview before opening the link. Third-party scanner apps from unknown developers sometimes bundle adware or ask for permissions they do not need. If you want an online option, you can use our browser-based scanner which decodes codes locally without uploading your image.

I scanned a suspicious code. What should I do?

Close the page without entering anything. If you already typed a password, change it on the real website right away and turn on two-factor authentication. If you entered card details, call your bank and ask them to freeze the card. Then report the scam to the business being impersonated and to your local authorities.

Are QR codes on product packaging safe?

Codes printed directly on sealed retail packaging are almost always safe because they were placed there during manufacturing. Be more cautious with codes on separate stickers, inserts or anything that looks like it was added after the product left the factory.