TLDR
A NordVPN survey found that 73% of Americans scan QR codes without checking where they lead. That is exactly what scammers count on. QR code phishing (quishing) surged 5x in 2025, with 249,000 malicious QR code emails recorded in a single month. The ScamVerify™ QR scanner lets you upload any QR code image and checks the destination URL against 74,032 URLhaus malicious domains and 60,758 ThreatFox indicators of compromise before you ever visit the link. Here is a complete guide to verifying QR codes before scanning them.
Why You Should Always Check QR Codes
A QR code is just a URL encoded as a pattern of black and white squares. You cannot tell where a QR code leads by looking at it. Unlike a text hyperlink where you can hover to preview the URL, a QR code is completely opaque until decoded.
This opacity is the core problem. Every QR code you scan could link to:
- A legitimate website (restaurant menu, payment portal, event registration)
- A credential harvesting page designed to steal your login information
- A malware download site
- A fake payment portal that captures your credit card details
- A site that installs tracking or surveillance software
You have no way to distinguish these by appearance. The QR code for a legitimate restaurant menu looks identical to one that leads to a phishing site.
Step-by-Step: How to Check a QR Code Before Scanning
Step 1: Use Your Phone's Built-In URL Preview
Modern smartphones (iOS 11+ and Android 8+) show a URL preview when the camera detects a QR code. This is your first line of defense.
On iPhone:
- Open the Camera app
- Point it at the QR code
- A notification banner appears at the top showing the URL
- Read the URL before tapping it
On Android:
- Open the Camera app or Google Lens
- Point it at the QR code
- A link preview appears on screen
- Read the URL before tapping it
What to look for in the URL:
- Does the domain match the expected organization? (e.g., `parkchicago.com` for Chicago parking, not `parking-chicago-pay.com`)
- Are there suspicious subdomains? (e.g., `apple.com.fake-site.net` where the real domain is `fake-site.net`)
- Is the domain misspelled? (e.g., `arnazon.com` instead of `amazon.com`)
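The three URL checks above can be automated once the QR code has been decoded to text. The following is an added example, not part of the original article and not ScamVerify's code; the function names are hypothetical, and it assumes the registrable domain is the last two host labels (real code should use the Public Suffix List).

```javascript
// Added example, not ScamVerify's code. Hypothetical helper names throughout.
// Assumption: the registrable domain is the last two host labels. Real code
// should use the Public Suffix List (needed for names like example.co.uk).
function registrableDomain(host) {
  return host.toLowerCase().replace(/\.$/, '').split('.').slice(-2).join('.');
}

// Collapse common visual look-alikes so "arnazon" and "amazon" compare equal.
function skeleton(name) {
  return name.replace(/rn/g, 'm').replace(/vv/g, 'w')
             .replace(/0/g, 'o').replace(/[1l]/g, 'i');
}

// expectedDomain must be a registrable domain such as "amazon.com".
// Returns { flag, host, registrable } where flag is one of:
// 'ok', 'invalid', 'brand-in-subdomain', 'lookalike', 'mismatch'.
function checkQrUrl(decodedText, expectedDomain) {
  let url;
  try {
    url = new URL(decodedText);
  } catch (err) {
    return { flag: 'invalid', host: null, registrable: null };
  }
  const host = url.hostname.toLowerCase();
  const expected = expectedDomain.toLowerCase();
  const registrable = registrableDomain(host);
  let flag = 'ok';
  if (registrable !== expected) {
    // The expected name appears in the host, but only as a subdomain prefix.
    if (host.includes(expected + '.')) flag = 'brand-in-subdomain';
    else if (skeleton(registrable) === skeleton(expected)) flag = 'lookalike';
    else flag = 'mismatch';
  }
  return { flag, host, registrable };
}

// The article's own example domains, run through the check.
const SAMPLES = [
  ['https://parkchicago.com/pay', 'parkchicago.com'],
  ['https://parking-chicago-pay.com/pay', 'parkchicago.com'],
  ['https://apple.com.fake-site.net/login', 'apple.com'],
  ['https://www.arnazon.com/', 'amazon.com'],
];
for (const [u, exp] of SAMPLES) console.log(checkQrUrl(u, exp).flag, u);
```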
Step 2: Upload to ScamVerify QR Scanner
For maximum security, use the ScamVerify QR scanner to verify any QR code before visiting the destination:
- Take a photo of the QR code (screenshot or camera photo)
- Go to scamverify.ai/qr-checker
- Upload the QR code image
- ScamVerify will:
  - Decode the QR code server-side using jsQR
  - Extract the embedded URL
  - Check the URL against 74,032 URLhaus malicious domains
  - Check against 60,758 ThreatFox indicators of compromise
  - Run AI analysis on the URL structure and domain
  - Return a plain-English risk assessment
This process takes seconds and catches threats that a URL preview alone might miss.
Step 3: Inspect the Physical QR Code
If you are scanning a QR code in a physical location (parking meter, restaurant table, event poster, package), check for tampering:
| Check | What to Look For |
|---|---|
| Sticker overlay | QR code sticker placed on top of another QR code |
| Alignment | QR code is crooked or misaligned with surrounding text |
| Material mismatch | QR code is on different material than the rest of the sign |
| Edge damage | Adhesive residue or torn edges from removed original |
| Consistency | Different QR code compared to identical meters/tables nearby |
Run your fingernail along the edge of the QR code. A fraudulent sticker overlay will have a detectable edge that a printed-on code will not.
Step 4: Verify the Landing Page
Even after checking the URL, verify the page after it loads:
- Re-read the URL in the browser address bar. Some QR codes redirect through multiple URLs. The final destination may differ from the preview.
- Check for HTTPS. While HTTPS does not guarantee legitimacy (free SSL certificates are widely available), a payment or login page without HTTPS is always suspicious.
- Compare to the official site. If the QR code claims to be from a specific company, open a new browser tab and type that company's URL directly. Compare the two sites.
- Never enter credentials or payment information if anything looks off.
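Why the address bar can differ from the camera preview: each hop in a redirect chain can hand the browser a new location. The following is an added example, not from the original article, that walks a chain offline using constructed responses; every host and path in it is a made-up placeholder, and the function names are hypothetical.

```javascript
// Added example. CONSTRUCTED responses stand in for real HTTP replies so the
// chain can be walked offline; every host and path is a made-up placeholder.
const SAMPLE_RESPONSES = {
  'https://short.example/p/81': { status: 302, location: 'https://tracker.example/r?id=81' },
  'https://tracker.example/r?id=81': { status: 301, location: '/go/pay' },
  'https://tracker.example/go/pay': { status: 302, location: 'https://pay-portal.example/login' },
  'https://pay-portal.example/login': { status: 200 },
};

// Assumption: registrable domain = last two host labels (use the Public
// Suffix List in real code).
const registrable = (u) => new URL(u).hostname.split('.').slice(-2).join('.');

// lookup(url) returns { status, location } for that URL, or undefined.
// Stops at the first non-redirect, on a loop, or after maxHops URLs.
function followRedirects(startUrl, lookup, maxHops = 10) {
  const chain = [new URL(startUrl).href];
  let stopped = 'max-hops';
  while (chain.length <= maxHops) {
    const current = chain[chain.length - 1];
    const res = lookup(current);
    const isRedirect = res && res.status >= 300 && res.status < 400 && res.location;
    if (!isRedirect) { stopped = 'final'; break; }
    // A Location header may be relative, so resolve it against the current URL.
    const next = new URL(res.location, current).href;
    if (chain.includes(next)) { stopped = 'loop'; break; }
    chain.push(next);
  }
  const final = chain[chain.length - 1];
  return {
    chain,
    final,
    stopped,
    // True when the landing page is on a different domain than the preview.
    leftPreviewDomain: registrable(final) !== registrable(chain[0]),
  };
}

const result = followRedirects('https://short.example/p/81', (u) => SAMPLE_RESPONSES[u]);
console.log(result.chain.join('\n -> '), '\nleft preview domain:', result.leftPreviewDomain);
```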
Step 5: Use Alternative Verification Methods
When possible, bypass QR codes entirely and use direct methods:
| Instead of Scanning QR Code | Do This Instead |
|---|---|
| Parking meter QR code | Use the official parking app or meter card reader |
| Restaurant menu QR code | Ask staff for a physical menu |
| Email QR code | Type the company's URL directly in your browser |
| Package delivery QR code | Go to the carrier's official site and enter the tracking number |
| Event ticket QR code | Use the official ticketing app |
Red Flags That a QR Code Is Malicious
Watch for these warning signs across all QR code contexts:
In emails:
- Unexpected email with a QR code instead of a normal link
- Urgency language ("scan immediately," "expires in 24 hours")
- Sender address does not match the claimed organization
- No text alternative to the QR code (legitimate emails include both links and QR codes)
In physical locations:
- QR code is a sticker rather than printed on the surface
- No context or labeling explaining what the QR code does
- QR code appears in an unusual location or on an unofficial-looking sign
- Multiple QR codes in close proximity (one legitimate, one fraudulent)
On the destination page:
- URL does not match the expected domain
- Page immediately requests sensitive information (credentials, payment, SSN)
- Login page looks slightly different from the official version
- No way to navigate to the site's homepage or other pages
Common QR Code Scam Scenarios
| Scenario | What Scammer Wants | Your Defense |
|---|---|---|
| Parking meter sticker | Credit card number | Use official app or card reader |
| Fake restaurant menu | Login credentials | Ask for physical menu |
| "Free Wi-Fi" QR at cafe | Network traffic interception | Use your cellular data instead |
| Fake package delivery notice | Personal information | Check carrier site directly |
| Email from "IT department" | Corporate credentials | Contact IT through known channels |
| Cryptocurrency investment flyer | Wallet keys or payment | Avoid crypto QR codes from strangers |
Teaching Others to Check QR Codes
Older adults and less tech-savvy individuals are particularly vulnerable to QR code scams. If you are helping someone learn safe QR code habits:
- Show them the URL preview feature on their specific phone model
- Bookmark the ScamVerify QR scanner on their phone's home screen for easy access
- Teach the "when in doubt, don't scan" rule. It is always safer to type a URL manually than to scan a QR code
- Practice together with legitimate QR codes so they understand what a normal URL preview looks like
For more on protecting elderly family members from scams across all channels, see our complete elder protection guide.
FAQ
Can a QR code install malware on my phone automatically?
No. Scanning a QR code by itself does not install anything. A QR code encodes a URL, and your phone shows a preview before opening it (on modern devices). The risk comes from visiting the URL and then downloading an app, entering credentials, or granting permissions. On an up-to-date iPhone or Android device with a modern browser, simply visiting a malicious URL is extremely unlikely to cause automatic infection.
Is the URL preview on my phone camera always accurate?
The URL preview shows the initial URL encoded in the QR code. However, that URL may redirect to a different destination after you tap it. This is why Step 4 (verify the landing page URL in the browser bar) is important. Some QR code attacks use legitimate-looking intermediate URLs that then redirect to the actual malicious page.
How does ScamVerify's QR scanner work differently from my phone camera?
Your phone camera decodes the QR code and shows you the URL, but it does not check the URL against threat databases. The ScamVerify QR scanner decodes the QR code and then runs the extracted URL against 74,032 URLhaus malicious domains, 60,758 ThreatFox indicators of compromise, and AI pattern analysis. It provides a risk assessment, not just a URL preview.
Should I stop using QR codes entirely?
No. QR codes from trusted, expected sources (your doctor's office check-in, a restaurant you chose to visit, a product you purchased) are generally safe. The risk comes from unsolicited QR codes: unexpected emails, random stickers in public places, and flyers from unknown sources. The key habit is to verify before scanning, not to avoid QR codes altogether.
What percentage of QR codes are actually malicious?
The vast majority of QR codes are legitimate. However, the 5x surge in quishing attacks and 249,000 malicious QR emails in a single month (November 2025) means the risk is real and growing. The 73% of Americans who scan without checking are creating a large opportunity for attackers. Verification takes seconds and costs nothing.