QR Code Security: What to Scan and What to Avoid
QR codes are convenient, but they can also be abused. Here's how to stay safe when scanning.
The Risk
When you scan a QR code, you can't see the URL until your phone processes it. Scammers can replace a legitimate code with one that sends you to a phishing site or triggers a malicious download.
What to Look For
Before scanning
- Is the QR code in a trusted location? (e.g., official poster vs. sticker on a lamppost)
- Has it been tampered with? (e.g., a sticker placed over the original)
- Is the context legitimate? (e.g., restaurant table tent vs. random flyer)
After scanning
- Check the URL in your browser before entering any data
- Look for HTTPS and a familiar domain
- Be cautious if you're asked to download an app or enter credentials
Best Practices
- Don't scan random codes — If you didn't seek it out or it's in an unexpected place, skip it
- Preview when possible — Some phone cameras show the URL before opening; use that
- Use a QR scanner with preview — Apps that show the destination URL before opening add a layer of safety
Creating Safe QR Codes
If you're creating QR codes:
- Use URLs you control (your website, your forms)
- Use HTTPS
- Avoid redirect chains that hide the final destination
- Test your codes before distributing them
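A pre-distribution check for the list above, as an added example that is not part of the original article: it takes the URL decoded from a QR code and flags non-HTTPS links, hosts outside the domains you control, and redirect hops. The domain `example.org`, the redirect table, and all function names are constructed assumptions; the table stands in for live HTTP responses so the check runs offline.

```python
from urllib.parse import urlsplit

# Assumption: domains the QR code publisher controls (constructed values).
CONTROLLED = {"example.org"}

# Constructed redirect table standing in for live HTTP responses so the
# example runs offline: URL -> the Location it would redirect to.
SAMPLE_REDIRECTS = {
    "https://example.org/menu": "https://example.org/menu/2024",
    "https://example.org/promo": "https://short.example.net/x1",
    "https://short.example.net/x1": "http://landing.example.com/form",
}

def host_is_controlled(host, controlled=CONTROLLED):
    # Accept the domain itself or a true subdomain; "notexample.org" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in controlled)

def check_url(url, controlled=CONTROLLED):
    """Return findings for one URL; an empty list means it passed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return [f"unparseable URL: {url}"]
    findings = []
    if parts.scheme.lower() != "https":
        findings.append(f"not HTTPS: {url}")
    if parts.username is not None:
        findings.append(f"userinfo before the host disguises the domain: {url}")
    if not host_is_controlled(parts.hostname, controlled):
        findings.append(f"host not under a controlled domain: {parts.hostname}")
    return findings

def audit_qr_payload(payload, redirects=SAMPLE_REDIRECTS, max_hops=5):
    """Check a decoded QR payload and each redirect hop behind it."""
    url, seen, findings = payload.strip(), set(), []
    while True:
        findings += check_url(url)
        seen.add(url)
        nxt = redirects.get(url)
        if nxt is None:
            break
        if nxt in seen or len(seen) > max_hops:
            findings.append(f"redirect loop or more than {max_hops} hops at: {url}")
            break
        url = nxt
    if len(seen) > 1:
        findings.append(f"{len(seen) - 1} redirect(s) hide the final destination: {url}")
    return {"final": url, "hops": len(seen) - 1, "findings": findings}
```

An empty `findings` list means the code points straight at an HTTPS page on a domain you control, which is also what a scanner's URL preview will show the person scanning it.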