How to Spot a Malicious QR Code Before You Scan
Quishing attacks rely on speed and habit. Most people scan first and verify later. Flipping that order keeps you safer.
QR code scams are accelerating. The FBI reported a sharp rise in QR code fraud starting in 2022. The FTC's Consumer Sentinel Network logged over 22,000 QR-related fraud reports in 2023. And a 2024 Hoxhunt study found that 22% of employees clicked a simulated quishing link in training exercises — compared to 4% who clicked a traditional phishing link.
1. Check placement context
Ask whether the QR code makes sense in its environment. A sticker slapped over an official sign, parking meter, or restaurant menu should be treated as suspicious.
2. Look for tampering
Raised stickers, mismatched colors, and low-quality print are common signs of replacement QR codes. If it looks layered or recently added, skip it.
3. Preview the URL before opening
Most scanners and phone cameras let you preview the destination link. Pause and inspect the domain before tapping through.
4. Watch for lookalike domains
Attackers often use near-miss domains like paypaI.com (a capital I in place of the lowercase l) or pad a brand name with extra words, as in secure-login-apple.com. Tiny differences matter.
5. Avoid entering credentials immediately
Even if a page looks familiar, avoid entering passwords, card details, or one-time codes right away. Open the official app or type the real website manually.
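The checks in steps 3 and 4 can also be run on the URL a scanner decodes, before anything is opened. The following Python code is an added example, not part of the original article or of QRsafer; the TRUSTED allowlist, the small confusable-character table, and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the reader's own allowlist of domains they really use.
TRUSTED = ("paypal.com", "apple.com")

# Constructed subset of visually confusable characters, not a full Unicode table.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})


def raw_host(url):
    """Host as written in the QR payload, case preserved, no userinfo or port."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return 'trusted', 'lookalike:<domain>', 'brand-in-name:<domain>' or 'unknown'."""
    written = raw_host(url)
    host = written.lower()  # what the browser will actually resolve
    if any(belongs_to(host, d) for d in TRUSTED):
        return "trusted"
    # Fold lookalike characters first, then lowercase, so a capital I reads as l.
    skeleton = written.translate(CONFUSABLES).lower()
    tokens = set(re.split(r"[.-]", skeleton))
    for d in TRUSTED:
        if belongs_to(skeleton, d):
            return "lookalike:" + d      # looks like a trusted domain but is not
        if d.split(".")[0] in tokens:
            return "brand-in-name:" + d  # brand used as one word of another domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample payloads, including the two near-miss domains from step 4.
    for sample in ("https://www.paypal.com/signin",
                   "https://paypaI.com/login",
                   "https://secure-login-apple.com/id",
                   "https://example.org/menu"):
        print(f"{classify(sample):28} {sample}")
```

An "unknown" result only means the domain is neither on the allowlist nor imitating it, so it still deserves the manual preview described in step 3.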
Final takeaway
QR codes are convenient, but convenience should not replace verification. A five-second check can prevent account takeovers, payment fraud, and malware installs.
If you already scanned one, go straight to "What to Do If You Scanned a Suspicious QR Code" or the shorter overview "What Happens If You Scan a Fake QR Code?"
Last updated May 2026.
