Can a QR code redirect me to a site that steals my login?
Yes. QR codes can link to any URL — including fake login pages designed to steal your credentials.
Last reviewed: 1 June 2026
Explanation
A QR code is simply a visual encoding of a URL. Scanning one with your phone is equivalent to clicking a link you cannot read in advance. Malicious QR codes printed on flyers, stuck as stickers over legitimate codes, or shared digitally can direct you to convincing phishing sites that mimic bank logins, cryptocurrency exchanges, government portals, or social media platforms. Any credentials you enter on the fake page are captured immediately. Some sites also attempt to install malware through the browser. The risk is heightened when codes appear in unexpected places: emails, random flyers, or stickers placed on restaurant tables or parking meters over the original code.
Common red flags
- QR code sent by email from an unverified sender
- Code appears as a sticker applied over another code
- Scanned URL shows an unfamiliar or slightly misspelled domain
- Page immediately asks for login credentials or payment details
- Browser warns of an unsafe or deceptive site
What to do now
- Preview the URL before following any QR code link
- Do not enter credentials on a page reached via QR code unless the domain is verified
- If you entered credentials, change your password and check account activity
- Report suspicious QR codes to the venue or platform involved
Frequently asked questions
How do I preview where a QR code leads before following the link?
Most phone camera apps and QR scanner apps display the URL before opening it. Always check the domain before proceeding, and close the tab if the address looks unfamiliar.
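For readers who want to automate the preview step, the sketch below is an added example, not part of the original page. It inspects the text decoded from a QR code without opening it and reports the real host plus several of the red flags listed above. The TRUSTED list, the function names and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (assumption): domains the user actually does business with.
TRUSTED = ("examplebank.com", "example.gov")

def edit_distance(a, b):
    """Levenshtein distance, used to spot slightly misspelled domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def preview(qr_text):
    """Return (host, warnings) for text decoded from a QR code; nothing is fetched."""
    parts = urlsplit(qr_text.strip())
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # In https://bank.com@other.host/ the browser goes to other.host.
        warnings.append("text before '@' is not the real host")
    if is_ip(host):
        warnings.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible look-alike characters)")
    if not any(host == d or host.endswith("." + d) for d in TRUSTED):
        warnings.append("unfamiliar domain")
        for d in TRUSTED:
            # Compare the registrable-looking tail of the host with each trusted name.
            tail = ".".join(host.split(".")[-len(d.split(".")):])
            if 0 < edit_distance(tail, d) <= 2:
                warnings.append(f"looks like {d} but is not")
    return host, warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    for sample in ("https://login.examplebank.com/signin",
                   "https://examp1ebank.com/login",
                   "http://examplebank.com@203.0.113.7/"):
        print(sample, "->", preview(sample))
```

An empty warning list only means the host matched the allowlist over HTTPS; it does not prove the page itself is safe.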