QR code safety tips: how to scan smarter and avoid modern scams

QR codes have quietly become part of daily life, from restaurant menus and parcel lockers to parking meters and payment terminals. They are fast and convenient, but that same simplicity also makes them attractive to scammers.
With a bit of awareness and a few habits, you can keep the convenience while reducing the risk. Here is how QR code fraud works and what to do before you point your camera at another black and white square.
How QR code scams actually work
A QR code is just a shortcut that tells your phone to take an action, usually opening a link. The problem is that you cannot see where it leads until you scan it, and most people tap quickly without checking the details.
Scammers exploit this by placing their own codes over legitimate ones, printing malicious codes on flyers, or sending them in emails and messaging apps. The code might open a fake login page, start a payment, trigger an app download or try to collect your personal data.
Common situations where QR codes are risky
Not every QR code is suspicious, but some locations and situations deserve extra attention. Public spaces are a common target because codes are easy to replace or cover without being noticed.
Watch out in places like parking meters, ticket machines, shared scooters and bikes, posters on street poles, and unattended charity or tip boxes. Codes in unsolicited emails, social media messages and random flyers are also worth treating with caution.
Red flags to check before you scan
You can avoid many problems by pausing for a moment before opening your camera app. Ask yourself who placed the code and whether it looks official and consistent with its surroundings.
Be careful if the code is a sticker slapped over another code, poorly aligned, or looks different from the design around it. Very urgent messages like “scan now to avoid a fine” or “only way to pay” are also warning signs, especially in public places.
What to look for after you scan
Most modern phones show a small preview of the website address before opening it. This is your chance to inspect the link and decide whether it seems trustworthy.
Check that the domain name is spelled correctly, uses the expected company or government address, and starts with https://. HTTPS only means the connection is encrypted, and scam sites use it too, so the domain name is the part that matters most. If the link is a jumble of random characters or a suspicious short link with no clear brand name, close it and navigate manually instead.
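The same checks can be automated, for example by a team that reviews reported codes. The following Python is an added example, not part of the original article; the domain cityparking.example, the shortener list and the flag names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values for this example: the operator's real domain and a few shortener hosts.
EXPECTED = {"cityparking.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_link(url, expected=EXPECTED):
    """Return warning strings for a URL decoded from a QR code ([] = no red flags)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    flags = []
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if "@" in parts.netloc:  # text before '@' is not the site you will reach
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")
    if host in SHORTENERS:
        flags.append("short-link")
    # Exact match or a true subdomain of an expected domain is the only "known" case.
    if any(host == d or host.endswith("." + d) for d in expected):
        return flags
    for d in expected:
        # Misspelled by a character or two, or the real name buried inside a longer host.
        if edit_distance(host, d) <= 2 or d in host:
            flags.append("lookalike-of:" + d)
            return flags
    flags.append("unexpected-domain")
    return flags
```

An empty list means none of these red flags were found, not that the page is safe; a link on an unexpected domain still deserves manual navigation.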
Safer ways to pay and log in
Payment and login pages are prime targets for QR scams, because they can capture your card details or account credentials. Treat any scanned link that asks for sensitive information as high risk.
Whenever possible, avoid entering passwords, card numbers or bank details on sites you reached from a QR code. Instead, open your bank, wallet or shopping app directly, or type the official web address yourself. If a parking or ticket service claims QR is the only way, look for an app name, SMS number or official website printed nearby.
Using built-in tools on your phone

Your phone can help you stay safe if you use the protections that are already there. On both iOS and Android, you can usually see and copy the link from the QR prompt before opening it.
Some mobile browsers and security apps also warn you about known malicious sites. Keeping your operating system and browser up to date improves these protections, since security lists and filters are updated regularly.
How to handle QR codes in emails and messages
Criminals are adding QR codes to phishing emails to bypass link filters. The message might say your package is delayed, your account is blocked or you must confirm a payment, with a code to “fix” the issue.
Apply the same rules you would use for suspicious links. If it claims to be from a bank, delivery company or tax office, ignore the code and go directly to the official app or website. Never scan a code in a message that pressures you with deadlines or threats.
Protecting children and older relatives
Families often mix different comfort levels with technology, which can create gaps that scammers exploit. Children may scan anything out of curiosity, and older relatives may trust codes if they appear in official-looking places.
Explain that QR codes are like links, and that they should check with you before paying, logging in or entering personal details after scanning one. Showing examples on your own phone, including how to see the link preview, can make the idea concrete.
What to do if you think you scanned a bad code
If you opened a suspicious page, close it immediately and clear it from your browser history and tabs. Do not tap on pop-ups that ask to install apps or grant permissions, and do not enter any information.
If you already typed a password or card number, change the password from another device and contact your bank or card issuer to monitor or block payments. Running a security scan with a reputable mobile security app can also help catch unwanted downloads.
Making QR codes safer for businesses
Organisations that rely on QR codes can reduce risk for their customers with a few simple steps. Use printed designs that are hard to tamper with, such as codes integrated into full posters or behind protective covers.
Display your official website or app name next to the code, and remind users that they can always navigate manually. Staff should be told to watch for stickers or damaged displays, especially at payment points and entrances.
Convenience with caution
QR codes are not inherently dangerous, but they remove the friction that normally makes people pause before clicking a link. Scammers rely on that lack of friction and on the fact that many of us scan without thinking.
By adding a short check before and after you scan, and by avoiding sensitive actions on pages reached only via a code, you can keep most of the benefits with far less risk.








