How to Spot a Malicious QR Code Before You Scan

Quishing attacks rely on speed and habit. Most people scan first and verify later. Flipping that order keeps you safer.

1. Check placement context

Ask whether the QR code makes sense in its environment. A sticker slapped over an official sign, parking meter, or restaurant menu should be treated as suspicious.

2. Look for tampering

Raised stickers, mismatched colors, and low-quality print are common signs of replacement QR codes. If it looks layered or recently added, skip it.

3. Preview the URL before opening

Most scanners and phone cameras let you preview the destination link. Pause and inspect the domain before tapping through.

4. Watch for lookalike domains

Attackers often use near-miss domains like paypaI.com (capital i) or extra words like secure-login-apple.com. Tiny differences matter.

5. Avoid entering credentials immediately

Even if a page looks familiar, avoid entering passwords, card details, or one-time codes right away. Open the official app or type the real website manually.

Final takeaway

QR codes are convenient, but convenience should not replace verification. A five-second check can prevent account takeovers, payment fraud, and malware installs.