Can a QR code steal my information?
A QR code itself doesn't steal data, but it can direct you to a phishing website or prompt a malicious download — the risk lies in what you do after scanning.
Last reviewed: 1 June 2026
Explanation
QR codes are simply machine-readable links. Scanning one is similar to clicking a URL: the code redirects your device to a website, app, or action. A malicious QR code can take you to a phishing page designed to steal login credentials, a fake payment portal that captures your card details, a site that attempts to install malware, or a prompt to download a malicious app.
The risk is not from scanning alone — it is from interacting with what the code opens. Before tapping or entering any information after scanning, check the URL your phone camera displays. Does it match a known, legitimate domain? If the code was in an unexpected location — a sticker over a printed sign, an unsolicited email, or a social media post — treat the destination with extra caution.
Common red flags
- QR code arrives in an unsolicited email, text, or social media post
- The URL shown after scanning is unfamiliar, misspelled, or uses an unusual domain
- The scanned page asks you to log in or enter payment details urgently
- QR code sticker appears to be placed over original printed material
- Scanning leads to a download prompt you didn't expect
What to do now
- Preview the URL your camera shows before opening the scanned page
- If the URL looks unfamiliar, do not proceed — close the camera app
- Verify the intended destination by typing the official website address directly
- Report suspicious QR codes: ones in emails to your provider, ones in public places to the premises or local authority
- If you entered credentials or payment details on a suspicious page, act immediately: change passwords and call your bank
Frequently asked questions
Is it safe to scan QR codes at restaurants and shops?
Generally yes, if the code is printed directly on an official menu or sign with no sticker applied over it. Inspect for stickers, and check the URL matches the business's known domain before entering any details.
Can malware be installed just by scanning a code?
On a fully patched device, scanning alone is very unlikely to install anything. The real risk comes from visiting the resulting page, downloading a file, or entering details there.
What is 'quishing'?
Quishing is phishing carried out through QR codes. It is increasingly used because many email security systems are better at detecting malicious text links than image-based QR codes.
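The URL check described above can also be automated where QR payloads have already been decoded, for example in a mail filter or a scanning app. The sketch below is an added example, not code from this page: the trusted domains, the sample payloads and the edit-distance threshold of 2 are constructed assumptions, and it compares trailing host labels rather than consulting the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: known-good domains for this deployment (constructed placeholders).
TRUSTED = {"example-bank.com", "example-cafe.co.uk"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_qr_url(payload, trusted=TRUSTED):
    """Return red flags for a decoded QR payload; [] means a trusted host over HTTPS."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not a web link"]
    host = parts.hostname.rstrip(".")
    flags = ["no HTTPS"] if parts.scheme == "http" else []
    if parts.username is not None:
        flags.append("text before @ is not the host")
    try:
        ipaddress.ip_address(host)
        return flags + ["IP address instead of a domain"]
    except ValueError:
        pass  # not an IP literal, carry on with the domain checks
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        flags.append("punycode label")
    # Compare the last N labels of the host with each N-label trusted domain.
    tails = {t: ".".join(labels[-(t.count(".") + 1):]) for t in trusted}
    if any(tail == t for t, tail in tails.items()):
        return flags  # the trusted domain itself or one of its subdomains
    near = sorted(t for t, tail in tails.items() if edit_distance(tail, t) <= 2)
    return flags + ([f"lookalike of {near[0]}"] if near else ["unfamiliar domain"])

# Constructed payloads, as a QR decoder would return them.
SAMPLES = [
    "https://pay.example-bank.com/menu",
    "https://examp1e-bank.com/login",
    "http://203.0.113.7/app.apk",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess_qr_url(sample) or "ok")
```

Parsing the host with `urlsplit` rather than searching the string for a trusted name is what keeps a link such as `https://example-bank.com.qr-pay.test/` from passing as the bank's own.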