Should I scan a QR code sent to me by email?
Be cautious. QR codes in unsolicited emails are increasingly used to bypass email security filters and direct you to phishing pages.
Last reviewed: 1 June 2026
Explanation
A QR code in an email is just a link in a different format — it takes you to a URL, which may be a phishing page, a malware download, or a fake login page. Scammers send QR codes in emails specifically because many corporate email-security systems do not scan image-based QR codes as thoroughly as clickable text links.
Before scanning, consider: do you recognise the sender and did you expect this email? Does the surrounding context make sense? After scanning, check the URL your phone shows before opening the page — look for misspellings or unusual domains.
If you received an unsolicited QR-code email claiming to be from your bank, a parcel service, or a tech company, treat it with the same caution you would treat a suspicious link.
Common red flags
- QR code in an unsolicited or unexpected email
- Email creates urgency — 'scan now to verify your account'
- The URL shown after scanning is unfamiliar or misspelled
- Email is from a sender you don't recognise
- QR code is the only content, with little or no explanatory text
- Claimed sender is a bank, delivery company, or tech firm
What to do now
- Preview the URL your phone shows before opening the scanned page
- If the URL looks unfamiliar, do not open it
- Navigate to the company's website directly if you want to check your account
- Report the suspicious email to your email provider
- If you entered credentials on the scanned page, change your password immediately and enable 2FA
Frequently asked questions
Is it safe to scan a QR code if the email came from a company I use?
Email sender addresses and display names can be spoofed. If the email was unexpected or asks you to scan urgently, go to the company's website directly rather than using the QR code.
Can scanning a QR code alone install malware?
Scanning a code and viewing the URL in your camera app is generally safe. The risk comes from opening the resulting page or downloading anything from it.