How to Check If a QR Code Is Safe Before You Scan
QR codes hide their destination until after you scan — by then your browser has already loaded the page. Here is how to verify a QR code is safe before it gets that far, what to look for once you land on a page, and the fastest way to protect yourself every time.
Why checking a QR code is harder than checking a link
When you receive a suspicious email, you can hover over a link and read the URL before clicking. QR codes remove that step. The square pattern you see on a sign, receipt, or business card tells you nothing about where it goes — it is just an encoded string of characters that your phone's camera turns into a URL and immediately opens.
Attackers exploit this by placing QR codes in contexts that feel trustworthy: restaurant table tents, parking meters, package delivery notices, and workplace posters. The physical or digital context provides false legitimacy, and the hidden URL does the rest. By the time you realize you are on a phishing page, your browser has already run any scripts the page loaded and, if you entered credentials or payment details, the damage is done.
The goal of any safety check is to evaluate the URL before your browser connects to the server — not after.
The fastest method: use a QR code safety app
The most reliable way to check any QR code is to scan it with an app that inspects the URL before opening it. QRsafer does this in three steps:
- Decode: The app reads the QR code and extracts the encoded URL.
- Check: The URL is matched against threat intelligence databases — known phishing domains, malware delivery sites, and domains flagged by security researchers.
- Verdict: You see Safe, Risky, or Dangerous before your browser ever loads the page. You decide whether to proceed.
This approach catches known malicious destinations instantly and flags unfamiliar or suspicious-looking domains so you can investigate further before committing. It takes the same amount of time as a normal scan — you just get a verdict first.
How to check manually if you have already scanned
If you have already scanned a code and the page has loaded, do not close the browser yet. Check the address bar immediately:
Step 1 — Read the registered domain
Ignore subdomains and everything after the first slash. Focus on the core domain and TLD — the part that looks like example.com. That is the only part that matters for ownership. A URL like usps.com/track is fine; usps-tracking-update.info/confirm is not, regardless of how official it looks.
Step 2 — Does the domain match the claimed organization?
If the QR code was on a Chase Bank mailer, the page should be on chase.com — not chase-account-verify.net or any domain with extra words. If it does not match, close the tab immediately.
Step 3 — Look for HTTPS and a valid certificate
A padlock icon and HTTPS mean the connection is encrypted — but they do not mean the site is legitimate. Phishing sites routinely use HTTPS. A site using plain HTTP in 2025 is an additional red flag, but HTTPS alone is not a clearance.
Step 4 — Do not enter anything until you are certain
Simply landing on a page carries low risk for most users on updated devices — the real danger is entering credentials, payment details, or personal information. If you are uncertain about the page, close it, navigate directly to the organization's official website by typing the address yourself, and confirm whether the request is legitimate from there.
URL warning signs that reveal a scam
These patterns appear consistently across QR code phishing campaigns:
- Brand name plus extra words or hyphens: “amazon-gift-claim.com,” “paypal-account-verify.org,” “fedex-delivery-confirm.net.” Real brands own their brand name as the registered domain without additions.
- Unusual top-level domains: Domains ending in .info, .xyz, .top, .click, or country codes unrelated to the claimed organization are common in phishing infrastructure.
- Random-looking strings in the domain or path: Legitimate service URLs are readable. A domain like qr-3f8a1b.com was likely auto-generated for a campaign.
- URL shorteners that hide the final destination: Links through bit.ly, tinyurl, or similar services do not tell you where you are actually going. Expand them at a link-preview service before proceeding.
- The domain was registered very recently: Free WHOIS lookup tools let you check when a domain was registered. Domains less than a few months old appearing in QR codes sent by “your bank” or “the IRS” are almost certainly fraudulent.
- The physical QR code is a sticker placed over another code: Run a fingernail along the edge — a sticker sitting on top of a legitimate printed code is a classic physical tampering technique used at parking meters, gas pumps, EV chargers, and restaurant tables.
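The manual check in Steps 1 to 3 and the URL warning signs above can be expressed as a short script. This is an added example, not QRsafer's code: the function names, the three-entry suffix table (a stand-in for the full Public Suffix List) and the sample URLs at the bottom are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List (use the full list in practice).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
RISKY_TLDS = {"info", "xyz", "top", "click"}   # TLDs named in the article
SHORTENERS = {"bit.ly", "tinyurl.com"}         # shorteners named in the article


def registered_domain(url):
    """Return the registrable domain (e.g. example.com) of a URL, or None."""
    host = urlsplit(url).hostname  # hostname only: path and port are dropped
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return None
    two = ".".join(labels[-2:])
    n = 3 if two in MULTI_LABEL_SUFFIXES and len(labels) >= 3 else 2
    return ".".join(labels[-n:])


def inspect_url(url, expected_domain):
    """List the article's warning signs found in a decoded QR URL.

    An empty list means none of these signs fired, not that the site is safe.
    """
    domain = registered_domain(url)
    if domain is None:
        return ["no hostname: not a web URL"]
    findings = []
    expected = expected_domain.lower()
    if domain != expected:
        findings.append(f"registered domain {domain} does not match {expected}")
        if expected.split(".")[0] in domain:
            findings.append("brand name with extra words or hyphens")
    if domain.rsplit(".", 1)[-1] in RISKY_TLDS:
        findings.append("unusual top-level domain")
    if domain in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    if urlsplit(url).scheme != "https":
        findings.append("not HTTPS")
    return findings


if __name__ == "__main__":
    # Constructed samples built from the domains the article mentions.
    for url, org in [("https://usps.com/track", "usps.com"),
                     ("https://chase-account-verify.net/login", "chase.com"),
                     ("http://bit.ly/abc123", "chase.com")]:
        print(url, "->", inspect_url(url, org) or ["no warning signs"])
```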
How to check a QR code you cannot scan right now
If someone sent you a QR code image — in an email, a text, or a document — and you want to check it without scanning it directly:
- Save the image file and open it in QRsafer's image-decode feature, or upload it to a reputable online QR decoder to extract the URL without opening it.
- Read the extracted URL carefully using the domain-inspection method above.
- Paste the URL (without clicking it) into Google Safe Browsing's Transparency Report at transparencyreport.google.com/safe-browsing/search to check if it has been flagged.
- If you still need to verify, navigate directly to the organization's official website by typing the address yourself and confirm whether the request in the QR code is legitimate.
Frequently asked questions
Can you tell if a QR code is safe just by looking at it?
No. A QR code's visual pattern tells you nothing about its destination. Two codes that look entirely different can point to the same URL, and attackers often add logos or color to make fraudulent codes appear official. Safety can only be determined by inspecting the encoded URL — which requires either a safety app or decoding the code before opening it.
Is it safe to scan a QR code without an app?
Your phone's built-in camera scanner opens the URL immediately without any safety check. A dedicated app like QRsafer intercepts the destination first and shows you a safety verdict before loading the page. If you regularly scan QR codes in public places — restaurants, transit stations, parking meters — using a safety scanner is the single most effective change you can make.
What URL signs indicate a QR code is a scam?
The clearest sign is a registered domain that does not match the organization the code claims to represent. Attackers commonly add hyphens, extra words, or uncommon TLDs to imitate real brands — for example, usps-parcel-confirm.info instead of usps.com. Other red flags: URL shorteners that hide the final destination, recently registered domains, and HTTP instead of HTTPS.
Check every QR code automatically before it opens
QRsafer scans each code against threat intelligence databases and returns a Safe, Risky, or Dangerous verdict in real time — so you never have to inspect a URL manually again. Replace your phone's default QR scanner and scan with confidence.
