How to Spot a Fake QR Code (and Avoid QR Scams)
The single best way to spot a fake QR code is to preview the full link before you open it. A QR code is just a pointer; the danger is where it sends you. If your scanner shows the decoded URL first, you can read the domain, sanity-check it, and decide whether to continue, all before a single page loads. Most QR scams fall apart the moment you actually look at the address.
Scammers rely on people scanning and tapping on autopilot. This guide covers the tactics they use, the warning signs to watch for, and a simple habit that keeps you safe: look at the link, check the domain, and never hand over payment or login details to a code you weren’t expecting.
What Is Quishing (QR Phishing)?
Quishing is phishing delivered through a QR code instead of a clickable link. The goal is the same as email phishing: get you to a fake site so you type in a password, card number, or personal details, or get you to install something you shouldn’t.
QR codes are attractive to scammers because the destination is hidden inside a pattern. You cannot read a URL with your eyes the way you can scan an email link, so people scan first and think later. That extra moment of trust is exactly what the scam exploits.
Common Fake QR Code Tactics
Knowing the playbook makes the tricks easy to recognize:
- Sticker over a real code. A scammer prints their own QR code on a sticker and slaps it over a legitimate one, on a parking meter, a restaurant table tent, an EV charger, or a flyer. The surface looks official; the code is not.
- Lookalike domains. The link points to an address that resembles a real brand but is slightly off, with extra words, hyphens, odd endings, or misspellings.
- Urgency and pressure. “Pay now to avoid a fine,” “verify your account in 24 hours,” “claim before it expires.” Urgency is designed to stop you from checking.
- Unexpected codes. A QR code in an unsolicited email, a random piece of mail, or a flyer offering something too good to be true.
- Codes that demand sensitive info. A scan that immediately asks for your login, card details, or a payment is a major red flag.
How to Check a Link Before You Open It
This is the core defense. Use a scanner that shows the decoded URL before opening it, then run through a quick check:
- Read the full domain. Look at the part right before the first single slash; that’s the real destination. paypal.com/... is PayPal; paypal.secure-login.example.com is not.
- Watch for lookalikes. Extra words, hyphens, swapped letters, or unusual endings are warning signs.
- Beware link shorteners on sensitive actions. A shortened link hides the destination. Be cautious if it leads to anything involving money or accounts.
- Match the context. Does the link make sense for where you found the code? A restaurant menu should not send you to a payment-verification page.
- When in doubt, don’t open it. Type the official website address into your browser yourself instead.
QR Toolkit shows you the decoded link after a scan so you can read the full URL and check the domain before you choose to open it.
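The checklist above, sketched as an added Python example (not code from QR Toolkit or from this guide): it pulls the host out of a decoded link and flags shorteners, brand lookalikes, and domains that don’t match the context. The function names, the shortener list, the 0.8 similarity threshold, and the sample links are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample list of shortener hosts; extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable(host):
    """Naive registrable domain: the last two labels of the host.
    Assumption: fine for .com-style names; production code should use the
    Public Suffix List so names like example.co.uk are split correctly."""
    return ".".join(host.split(".")[-2:])


def check_qr_url(url, expected_domain):
    """Return warnings for a decoded QR link; an empty list means no flags.
    expected_domain is the site the code's context suggests, e.g. 'paypal.com'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in SHORTENERS:
        return ["shortener-hides-destination"]
    actual = registrable(host)
    if actual == expected_domain:
        return []
    brand = expected_domain.split(".")[0]
    name = actual.split(".")[0]
    # Brand used as an extra word or subdomain: paypal.secure-login.example.com
    if brand in host:
        return ["lookalike-brand-in-other-domain"]
    # Swapped or substituted letters: paypa1.com vs paypal.com
    if SequenceMatcher(None, name, brand).ratio() >= 0.8:
        return ["lookalike-near-miss-spelling"]
    return ["domain-does-not-match-context"]


if __name__ == "__main__":
    # Constructed sample links, as a scanner's preview would show them.
    for link in ("https://paypal.com/signin",
                 "https://paypal.secure-login.example.com/signin",
                 "https://paypa1.com/",
                 "https://bit.ly/3xAmPle",
                 "https://menu.example.org/table/12"):
        print(link, "->", check_qr_url(link, "paypal.com") or "ok")
```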
Red Flags After You Scan
Even if you open a link, stay alert. Stop immediately if you see:
- A login page you didn’t expect, especially for a bank, email, or payment service.
- A request for payment, card details, or a bank transfer that you didn’t initiate.
- A prompt to install an app or profile from outside the official app stores.
- A page that looks slightly wrong: off-brand colors, broken text, or an unfamiliar layout.
- Any pressure to act fast or “verify” your identity right now.
When something feels off, close the page. Never enter payment or login details into a site you reached from a QR code you weren’t expecting.
Safe Scanning Habits
A few simple habits prevent almost every QR scam:
- Inspect the physical code. Peel-test a suspicious sticker; scammers often cover the real one.
- Preview before opening, every time. Make checking the URL automatic.
- Go direct for anything sensitive. For payments and logins, open the app or type the address yourself rather than trusting a scanned link.
- Keep your phone updated so the browser’s own safety warnings work.
- Trust the context. If a code appears somewhere it has no reason to be, skip it.
The Bottom Line
A fake QR code is dangerous only if you follow it blindly. Slow down for one second, read the decoded URL, confirm the domain matches what you expect, and refuse to enter payment or login details for anything you didn’t initiate. That habit defeats quishing.
QR Toolkit decodes codes on your device and displays the link so you can review it before opening, putting the decision back in your hands.
Frequently Asked Questions
Can a QR code itself give me a virus?
The pattern by itself cannot install malware; it only contains data, usually a link. The risk comes from where that link leads or what it asks you to do, such as visiting a malicious site or downloading a file. Previewing the URL before opening it lets you avoid the dangerous destination entirely.
How can I tell if a QR code sticker is fake?
Check whether a sticker has been placed over an existing code; scammers commonly cover legitimate ones. Look for misaligned edges, a code on a separate sticker, or a destination that doesn’t match the business. When in doubt, don’t scan it; ask staff or use the official website instead.
Is it safe to scan QR codes to pay?
Be careful. Only pay through a code you initiated or that comes from a trusted, expected source, and always verify the domain before entering any details. If a code you didn’t expect asks for payment or login information, treat it as a scam and go directly to the official app or website instead.