Genuine QR Code vs Malicious QR Code
How to tell a legitimate QR code from a tampered or fake one designed to redirect you to a phishing site.
Last reviewed: 1 June 2026
QR code fraud — sometimes called 'quishing' — exploits the fact that humans cannot read a QR code the way they can read a URL. Scammers print fake QR codes over legitimate ones on parking meters, restaurant menus, or public posters, redirecting you to phishing pages that collect credentials or payment details. The safest habit is to preview the URL before taking any action on it, and to be wary of any QR code that lands you on a page asking for payment details or login credentials.
Side-by-side comparison
| Check | Genuine QR code | Malicious QR code |
|---|---|---|
| URL preview | Destination URL matches the expected organisation's domain | URL is a lookalike domain or URL shortener that hides the destination |
| Physical placement | Code appears to be original printed material | Sticker placed over original code; slightly misaligned or different finish |
| Landing page action | Takes you to information or an expected service; low-friction | Immediately asks for payment details, login, or personal data |
| Context | Code makes sense in its physical or digital context | Unexpected QR code in an email, text, or on a notice you weren't expecting |
| Certificate | Landing page uses a valid HTTPS certificate issued for the organisation's own domain | HTTP, or HTTPS on a domain that isn't the organisation's; a valid certificate on a lookalike domain only proves someone controls that lookalike, not who they are |
Common red flags
- QR code that is a sticker layered over what appears to be a printed original
- Destination URL is a lookalike domain or uses a URL shortener
- Landing page immediately requests payment card details or login credentials
- QR code received in an unsolicited email or text with urgency attached
- Mismatched HTTPS certificate on the landing page
- Paying for parking, a fine, or a service via a QR code that wasn't there before
Verification steps
- Use a QR scanner that previews the URL before opening it, so you can read the domain
- Check whether the landing page domain matches the expected organisation's official domain
- If scanning a physical code, look for signs of tampering — stickers over original print
- For payments, type the organisation's URL directly rather than using a QR code
- Report suspected tampered QR codes to the venue or operator immediately
What not to do
- Don't enter payment details on a page you reached via an unexpected QR code without checking the URL
- Don't scan QR codes received in unsolicited emails or texts without verifying the sender first
- Don't assume HTTPS means the site is legitimate — fraudsters can obtain certificates
- Don't ignore misaligned or sticker-over-sticker QR codes in public places
A safe response
If you are unsure about a QR code, type the organisation's URL directly into your browser instead of scanning. For public QR codes that look tampered with, notify the venue and report to the relevant authority. If you've already entered payment details, contact your bank immediately.
Frequently asked questions
How do I preview a QR code URL before visiting it?
Most modern smartphone camera apps and dedicated QR scanner apps display the destination URL before you open it. Check the domain carefully before tapping to proceed.
Are QR codes in emails ever legitimate?
Occasionally, but treat them with the same caution as links. Preview the URL, verify the sender independently, and if in doubt, navigate to the service directly instead of scanning.
What if the URL looks right but the page asks for my card details?
A convincing lookalike domain can be very close to the real one. Check it character by character, looking both for substituted characters (the digit 0 for the letter O, 1 for l, rn for m) and for letters from other alphabets that render identically to Latin ones. When in doubt, navigate directly from a bookmark or by typing the address you already know.
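The URL checks in the verification steps above (preview the domain, compare it with the expected organisation, flag shorteners and lookalikes) and the character-by-character comparison in the previous answer can be done mechanically once a scanner has decoded the QR payload. The Python below is an added example written for this article; it is not code from the page or from any scanner app. It assumes a hypothetical allowlist EXPECTED_DOMAINS for the context the code was found in (here a constructed parking operator, pay.cityparking.example), a constructed and non-exhaustive list of URL shorteners, and a small confusables table. It goes slightly beyond the text by also flagging two tricks in the same family: userinfo before an `@` (so `https://pay.cityparking.example@evil.example/` really goes to evil.example) and the expected domain appearing as a subdomain of an unrelated host.

```python
"""Triage a URL decoded from a QR code before anyone visits it.

Added example for this article, not code from the page or from any scanner
app. EXPECTED_DOMAINS is a hypothetical allowlist for the context in which
the code was found (here a constructed parking operator); SHORTENERS and the
confusables tables are constructed and non-exhaustive.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed: where a code in this context is expected to lead.
EXPECTED_DOMAINS = {"pay.cityparking.example"}

# Constructed, non-exhaustive: hosts that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "rb.gy"}

# Single characters commonly swapped into lookalike hostnames -> what they imitate.
# Digit-for-letter swaps from the article plus a few Cyrillic letters that
# render identically to Latin ones (escaped so the swap is visible in source).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0131": "i",                                               # dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0456": "i",                 # Cyrillic c y i
}
# Two-character imitations, applied after the single-character mapping.
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def skeleton(host: str) -> str:
    """Collapse a hostname so that visually similar names compare equal.

    A simplified version of the Unicode confusables 'skeleton' idea: lowercase,
    strip accents, then map each confusable character to the one it imitates.
    """
    host = unicodedata.normalize("NFKD", host.lower())
    host = "".join(c for c in host if not unicodedata.combining(c))
    host = "".join(CONFUSABLES.get(c, c) for c in host)
    for pair, single in PAIR_CONFUSABLES:
        host = host.replace(pair, single)
    return host


def triage(url: str, expected_domains=EXPECTED_DOMAINS):
    """Return (verdict, reasons) for a decoded QR payload.

    verdict is "expected" when the host is one of expected_domains or a
    subdomain of one and nothing else looks off; otherwise "suspicious".
    reasons lists every finding so the user sees why, not just a verdict.
    """
    reasons = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme
    if scheme not in ("http", "https"):
        return "suspicious", [f"not a web URL (scheme {scheme or 'missing'!r}); inspect the payload before acting"]
    if scheme == "http":
        reasons.append("plain HTTP: no TLS, so the page can be altered in transit")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' in the URL; the real host is what follows it")
    host = parts.hostname  # lowercased by urlsplit; None if absent
    if not host:
        return "suspicious", reasons + ["no hostname in URL"]
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised hostname: some letters may be homoglyphs")
    if host in SHORTENERS:
        reasons.append(f"URL shortener {host}: the final destination is hidden")

    matched = any(host == d or host.endswith("." + d) for d in expected_domains)
    if not matched:
        mismatch = []
        for d in expected_domains:
            if d in host:
                mismatch.append(f"expected domain {d} is embedded in an unrelated hostname {host}")
            elif skeleton(host) == skeleton(d):
                mismatch.append(f"hostname {host} is a character-for-character lookalike of {d}")
            elif d in parts.path + "?" + parts.query:
                mismatch.append(f"expected domain {d} appears only in the path or query, not as the host")
        reasons.extend(mismatch or [f"hostname {host} does not match any expected domain"])

    verdict = "expected" if matched and not reasons else "suspicious"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample payloads: one genuine, the rest modelled on the red flags above.
    samples = [
        "https://pay.cityparking.example/meter/1234",
        "https://pay.cityparking.examp1e/meter/1234",        # 1 for l
        "https://pay.citypark\u0456ng.example/meter/1234",   # Cyrillic i
        "http://bit.ly/3xyz",                                # shortener, no TLS
        "https://pay.cityparking.example.secure-pay.example/login",
        "https://pay.cityparking.example@evil.example/",
        "WIFI:T:WPA;S:cafe;P:secret;;",
    ]
    for s in samples:
        verdict, why = triage(s)
        print(f"{verdict:10} {s}")
        for w in why:
            print(f"           - {w}")
```

The allowlist is the important design choice: the check is only as good as knowing which domain the code should lead to, which is why the article tells you to type the organisation's URL yourself when paying. The skeleton comparison catches the specific substitutions the article names but is deliberately small; a production scanner would use the full Unicode confusables data and a public-suffix list rather than the naive suffix match used here.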