Genuine QR Code vs Malicious QR Code
How to tell a legitimate QR code from a tampered or fake one designed to redirect you to a phishing site.
Last reviewed: 1 June 2026
Most QR codes are exactly what they claim to be, and scanning one to see a menu or a timetable is ordinary and safe. The weakness is not the technology but the fact that you cannot read a QR code with your eyes, so you are trusting whatever is printed in front of you. That is what quishing exploits. A sticker goes over the code on a parking meter, a poster, or a table card, and the page it opens is a careful copy of the operator's own payment screen. It works because the setting feels official and you are usually in a hurry, standing at a machine with a queue behind you. What matters most is the address: preview the domain before you act, and never enter card details on a page you reached only through a scanned code.
Side-by-side comparison
| Genuine QR code | Malicious QR code | |
|---|---|---|
| URL preview | Destination URL matches the expected organisation's domain | URL is a lookalike domain or URL shortener that hides the destination |
| Physical placement | Code appears to be original printed material | Sticker placed over original code; slightly misaligned or different finish |
| Landing page action | Takes you to information or an expected service; low-friction | Immediately asks for payment details, login, or personal data |
| Context | Code makes sense in its physical or digital context | Unexpected QR code in an email, text, or on a notice you weren't expecting |
| Certificate | Landing page uses a valid HTTPS certificate matching the organisation | HTTP or mismatched HTTPS; certificate name doesn't match the claimed brand |
Common red flags
- QR code that is a sticker layered over what appears to be a printed original
- Destination URL is a lookalike domain or uses a URL shortener
- Landing page immediately requests payment card details or login credentials
- QR code received in an unsolicited email or text with urgency attached
- Mismatched HTTPS certificate on the landing page
- Paying for parking, a fine, or a service via a QR code that wasn't there before
Verification steps
- Use a QR scanner that previews the URL before opening it, so you can read the domain
- Check whether the landing page domain matches the expected organisation's official domain
- If scanning a physical code, look for signs of tampering — stickers over original print
- For payments, type the organisation's URL directly rather than using a QR code
- Report suspected tampered QR codes to the venue or operator immediately
What not to do
- Don't enter payment details on a page you reached via an unexpected QR code without checking the URL
- Don't scan QR codes received in unsolicited emails or texts without verifying the sender first
- Don't assume HTTPS means the site is legitimate — fraudsters can obtain certificates
- Don't ignore misaligned or sticker-over-sticker QR codes in public places
A safe response
If you are standing at a machine or a poster, step back from it. Look at the code itself for a sticker edge, a different paper finish, or a slight misalignment over the print underneath. Rather than scanning, type the operator's address into your browser yourself, or use their official app, and pay there. If a scanned page has already asked for card details, close it without submitting. If you did enter them, ring your bank on the number on the back of your card, ask them to stop the card and watch for pending payments, and report the tampered code to the venue or operator so it can be removed.
Frequently asked questions
How do I preview a QR code URL before visiting it?
Most modern smartphone camera apps and dedicated QR scanner apps display the destination URL before you open it. Check the domain carefully before tapping to proceed.
Are QR codes in emails ever legitimate?
Occasionally, but treat them with the same caution as links. Preview the URL, verify the sender independently, and if in doubt, navigate to the service directly instead of scanning.
What if the URL looks right but the page asks for my card details?
A convincing lookalike domain can be very close to the real one. Check character by character — particularly for substituted letters (0 for O, 1 for l). When in doubt, navigate directly from a bookmark.