Are QR Codes on Receipts Safe to Scan?
Usually yes — but the answer changes depending on where the receipt came from. Here is the quick verdict for printed receipts, emailed receipts, and kiosk receipts, plus the one check you can do in under five seconds.
The short answer by receipt type
Not all receipt QR codes carry the same level of risk. The format and source of the receipt determine how cautious you need to be.
Printed receipt from a recognized business — low risk
A QR code printed on a receipt from a restaurant, grocery store, or retailer you just visited is generated by their point-of-sale system. It typically links to a customer feedback survey, loyalty program, or return portal. These are overwhelmingly safe. Glance at the URL your phone shows before tapping — it should match the business name — and proceed.
Email or text receipt with a QR code — moderate risk
Phishing emails impersonating retailers, banks, and payment apps often include a QR code to bypass link-scanning filters. Before tapping, confirm the sender's email domain exactly matches the brand's official domain (not “paypal-receipts.net” — the real domain is paypal.com), and check that the URL preview points to that same domain. If anything looks off, go to the business's website directly instead of scanning.
Receipt from a parking kiosk, ATM, or unattended terminal — higher risk
Unattended payment terminals are a documented target for QR sticker scams. A scammer can place a small printed sticker over the original QR code on a receipt roll or on the terminal itself. Before scanning any code from a kiosk, inspect the receipt for signs of tampering and check the URL preview carefully. For parking kiosks specifically, see our guide to fake parking meter QR code scams.
The one check that works for every receipt
Every modern smartphone camera app shows you the destination URL before it opens. Hold your camera over the code, read the URL that appears, and ask: does this domain match the business that gave me the receipt?
- If the receipt is from Target, the URL should include target.com — not “target-rewards.net” or “mytgt-survey.com.”
- If the receipt is from a local restaurant, the URL should include the restaurant's own domain or a known feedback platform like surveymonkey.com or qualtrics.com.
- If the URL is a long string of random characters with no clear brand connection, do not tap.
This takes about three seconds and eliminates the vast majority of risk. For a broader guide to pre-scan checks, see how to check if a QR code is safe.
Red flags on any receipt QR code
- The URL domain does not match the business that issued the receipt
- The page immediately asks for your email, password, or payment details before showing anything else
- The receipt came by text from an unknown number, not from the merchant's confirmed email address
- The QR code on a kiosk receipt looks like it was printed on a sticker rather than part of the original receipt
- The offer seems too good — a prize, discount, or reward just for scanning
If any of those apply, close the browser tab and do not enter any information. No legitimate business needs you to submit credentials to claim a receipt-linked survey reward.
What to do if you already scanned and something seems off
- Closed the page without entering anything: you are almost certainly fine. Clear your browser history as a precaution.
- Entered your email address only: expect a spike in phishing emails. Enable spam filtering and be extra skeptical of any “account verification” emails that follow.
- Entered a login password: change it immediately on every site where you reuse it, and enable two-factor authentication.
- Entered a credit or debit card number: call your card issuer now. Ask them to flag potential fraud and issue a replacement card. Monitor your statements for unfamiliar charges.
Frequently asked questions
Are QR codes on receipts safe to scan?
Printed receipts from recognized businesses are low risk — the code typically links to a survey or loyalty program. Emailed receipts are moderate risk because phishing emails impersonate retailers with convincing-looking QR codes. Receipts from unattended kiosks (parking meters, ATMs) carry the highest risk due to sticker tampering. In all cases, check the URL preview before tapping and close the page if the domain does not match the business.
Can a receipt QR code steal my information?
Simply opening the URL is rarely enough to cause harm on a patched phone. The real danger is landing on a fake page that asks for login credentials or payment details. This has been documented on tampered kiosk receipts and in phishing emails disguised as transaction confirmations. Never enter account or payment information on any page reached through a receipt QR code unless the URL clearly matches the official business domain.
What should I do if I scanned a receipt QR code and something seems wrong?
If you only viewed the page and entered nothing, clear your browser history and move on. If you entered login credentials, change that password immediately and turn on two-factor authentication. If you entered a card number, call your card issuer right away to flag the account and request a replacement card. Report the scam to the FTC at reportfraud.ftc.gov.
Know before you scan — every time.
QRsafer checks the destination URL against real-time threat databases the moment you point your camera, giving you a Safe, Risky, or Dangerous verdict before the page loads. Replace your phone's default scanner and stop guessing whether a receipt code is safe.