QR Code Security: What to Scan and What to Avoid

Updated February 2026.

QR code security matters: QR codes are convenient, but they can also be abused. Here's how to stay safe when scanning.

The Risk

When you scan a QR code, you can't see the URL until your phone processes it. Scammers can replace a legitimate code with one that sends you to a phishing site or triggers a malicious download.

What to Look For

Before scanning

• Is the QR code in a trusted location? (e.g., official poster vs. sticker on a lamppost)
• Has it been tampered with? (e.g., a sticker placed over the original)
• Is the context legitimate? (e.g., restaurant table tent vs. random flyer)

After scanning

• Check the URL in your browser before entering any data
• Look for HTTPS and a familiar domain
• Be cautious if you're asked to download an app or enter credentials

Best Practices

• Don't scan random codes — If you didn't seek it out or it's in an unexpected place, skip it
• Preview when possible — Some phone cameras show the URL before opening; use that
• Use a QR scanner with preview — Apps that show the destination URL before opening add a layer of safety

Creating Safe QR Codes

If you're creating QR codes:

• Use URLs you control (your website, your forms)
• Use HTTPS
• Avoid redirect chains that hide the final destination
• Test your codes before distributing them

Create trustworthy QR codes for your own use.