I Scanned a QR Code and It Opened a Weird Website — What Now?

First: just visiting a page is usually not enough to cause harm

Modern browsers are sandboxed. When a web page loads, it runs in an isolated environment that cannot reach your files, contacts, or other apps without your explicit permission. Simply landing on a page — even a malicious one — does not automatically install malware, drain your accounts, or hand over your passwords.

What a page can passively collect when you visit is limited: your IP address, rough geographic location, device type, browser version, and screen size. That's a browser fingerprint — annoying for tracking, but not a fast path to identity theft or account compromise.

The real danger threshold is interaction. Did you type anything? Fill out a form? Approve a download or install? Tap “Allow” on a permission prompt? If the answer to all of those is no, your risk is low.

There is a narrow exception worth knowing: exploit kits — malicious code that attacks browser vulnerabilities silently on page load — do exist. But they are rare in the wild, require your browser to be outdated and unpatched, and are almost never delivered via consumer QR codes. Keep your phone and browser updated and you are well protected from this vector.

What likely happened — and why the page looked weird

QR codes are opaque by design. You cannot see the destination URL before scanning, which makes them useful for attackers who want to bypass link-inspection habits. Several things can produce a “weird website” result:

• A phishing page designed to look like a real login. If the design mimicked a bank, social media platform, or payment app, the attacker wanted your credentials. If you typed your password, treat this as a confirmed compromise.
• A redirect chain to an unexpected domain. Some QR codes use link shorteners or redirect services. Each hop can land you on a domain that looks nothing like the original brand — even when the final destination is legitimate. If the content was relevant and no forms were pushed at you, this is often benign.
• A tampered sticker QR code placed over a legitimate one. Attackers place sticker QR codes over real codes on parking meters, restaurant tables, ATMs, and charging stations. The page you landed on was the attacker's destination, not the business's. This is called quishing.
• A broken or expired link. Not every strange landing page is an attack. Typos, expired domains, and misconfigured redirects produce confusing pages without any malicious intent.

What to do right now

Your response depends on what happened after the page loaded.

If you only looked at the page and closed it:

1. Close the tab if you haven't already.
2. Clear your browser cache and cookies for good measure: Safari → Settings → Safari → Clear History and Website Data; Chrome → Settings → Privacy → Clear browsing data.
3. Monitor your accounts and email for anything unusual over the next 48 hours.
4. No password changes are needed unless you entered credentials.

If you entered a password or username:

1. Go directly to the real website — type the address yourself, do not use any link from the suspicious page — and change your password immediately.
2. Log out of all active sessions for that account (most platforms have a “sign out everywhere” option in security settings).
3. Enable two-factor authentication if it isn't already on.
4. Check whether you reuse that password on other accounts. Change it on every site where you used it.

If you entered payment card details:

1. Call the number on the back of your card right now and report possible fraud.
2. Ask them to flag the card for unusual activity or issue a replacement number.
3. Check your recent transactions and dispute any you don't recognize.

For a complete step-by-step recovery checklist, what to do if you scanned a suspicious QR code walks through every scenario in order.

How to prevent this next time

The problem with QR codes is that you cannot read them before you scan. The fix is to use a scanner that intercepts the URL before your browser opens it — showing you the destination and checking it for threats.

• Use QRsafer to scan. Before your browser loads anything, QRsafer checks the destination URL against multiple threat intelligence feeds and returns a verdict: Safe, Risky, or Dangerous. A phishing page or suspicious redirect will not pass a threat check.
• Always read the URL before interacting. Even if your scanner flags nothing, glance at the domain before you tap a form field. Look for misspellings, extra hyphens, or unfamiliar extensions — these are signs of a lookalike phishing domain.
• Never enter credentials after scanning a QR code. If a page asks you to log in, go to that platform directly through your saved bookmark or by typing the address yourself.

For a broader guide to identifying suspicious codes before you scan, how to spot a malicious QR code before you scan covers visual and contextual signals across every type of QR scam.

Frequently asked questions