How do I spot a fake QR code?
Fake QR codes redirect you to phishing sites or prompt app installs — always preview the URL before opening it and be suspicious of QR codes stuck over the top of official ones.
Last reviewed: 10 June 2026
Explanation
QR codes are designed for convenience, which makes them useful for scammers: most people scan first and look at the URL second, if at all. Fraudsters place fake QR code stickers over legitimate ones on parking meters, restaurant tables, gym check-ins, or charity collection boxes. They also distribute them in emails, text messages, and printed flyers.
When scanned, the code redirects to a phishing page that may mimic a payment portal, a login page, or a fake app download. In parking meter attacks, the victim thinks they are paying legitimately but the money goes to the fraudster. In email phishing, attackers increasingly use QR codes to bypass email link scanners — the scanner checks the email for links but cannot inspect a QR code image.
The best defence is to preview the destination URL before tapping 'open' — all modern smartphone cameras show the URL before launching the browser. Look for the same red flags you would on any suspicious link: domain mismatches, unexpected subdomains, URL shorteners hiding the destination, or a .com domain pretending to be a government or council service that would use .gov.uk.
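The URL checks above can also be automated, for example by a help desk triaging reported codes. The following Python sketch is an added example, not part of the original page; the function name, flag wording, and the sample domains (examplecouncil.gov.uk, pay-parking.example) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Shorteners named on this page; extend with your own list.
SHORTENERS = {"bit.ly", "tinyurl.com"}

SHORTENER = "link shortener hides the real destination"
MISMATCH = "domain does not match the organisation"
EMBEDDED = "organisation's name embedded in a different domain"
NOT_GOV = "claims a government or council service but is not on .gov.uk"
NO_HOST = "no hostname to verify"


def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def qr_url_red_flags(url, expected_domain, public_body=False):
    """Return the red flags for a URL decoded from a QR code.

    expected_domain: domain of the organisation displaying the code.
    public_body: True if the code claims to be a UK government or
    council service, which would use .gov.uk.
    """
    host = (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if not host:
        return [NO_HOST]
    if any(under(host, s) for s in SHORTENERS):
        # Nothing else can be judged until the short link is expanded.
        return [SHORTENER]
    flags = []
    if not under(host, expected):
        flags.append(MISMATCH)
        # e.g. examplecouncil.gov.uk.pay-parking.example: the real
        # domain is the right-hand end, not the familiar name on the left.
        if expected in host:
            flags.append(EMBEDDED)
    if public_body and not under(host, "gov.uk"):
        flags.append(NOT_GOV)
    return flags


if __name__ == "__main__":
    # Constructed sample URLs, not taken from real incidents.
    for u in ("https://pay.examplecouncil.gov.uk/parking",
              "https://bit.ly/abc123",
              "https://examplecouncil.gov.uk.pay-parking.example/login"):
        print(u, "->", qr_url_red_flags(u, "examplecouncil.gov.uk", True))
```

An empty result only means none of these checks fired; it does not prove the destination is genuine.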
Physically, look for signs that a sticker has been placed over the original — a sticker that is slightly misaligned, has bubbled edges, or peels up is suspicious. Report tampered QR codes to the venue immediately.
Common red flags
- QR code appears as a sticker placed on top of existing printed material
- Scanned URL uses a link shortener (bit.ly, tinyurl.com) hiding the real destination
- Destination domain does not match the organisation that displayed the code
- URL preview asks you to log in, pay, or download an app from an unrecognised source
- Code received in an unsolicited email or text message
- Sticker edges are misaligned, bubbled, or partially lifting
What to do now
- Always read the URL preview before opening it
- Do not download apps from QR codes — use the official app store instead
- Report tampered QR codes to the venue or business
- If you already opened the URL and entered data, treat it as a phishing incident and change your passwords
- Report the phishing site to your country's cybercrime authority
Frequently asked questions
Can a QR code install malware just by scanning it?
Scanning itself is safe — the camera reads the pattern. The risk is in opening the destination URL or downloading a file from it. Treat the URL as you would any link.
Are QR code payments in restaurants safe?
Usually, if the code is printed on the venue's official menu and the URL matches the venue's domain. Be cautious with codes on removable stickers.
Is there a QR code scanner that checks for phishing?
Some dedicated QR scanning apps (Kaspersky QR Scanner, Trend Micro QR scanner) check URLs against phishing databases. Your built-in camera app does not.