Is the QR Code at Chick-fil-A Safe to Scan? Quick Answer

Short answer: yes — official Chick-fil-A QR codes are safe. The Chick-fil-A One app, in-restaurant scan-to-earn codes, and mobile order confirmations all resolve to chick-fil-a.com or cfahome.com. The real risk is a physical sticker placed over a tray liner or counter card by someone who is not a Chick-fil-A employee. Here's how to tell the difference in one second.

Where Chick-fil-A legitimately uses QR codes

Chick-fil-A is one of the highest QR-code-adopting quick-service restaurant brands in the US — millions of Chick-fil-A One members are trained to scan for points, rewards, and digital receipts. Legitimate use cases include:

  • Chick-fil-A One rewards payment. Your personal QR code on the “Scan” screen inside the official app is shown to the cashier, who scans it from their side. You display it; you do not scan anything external. The code refreshes automatically and is tied to your loyalty account.
  • Mobile order pickup confirmation. When you order ahead in the app, a confirmation code may appear that the team member uses to hand off your order at the counter or drive-through window.
  • Tray liners and in-restaurant promotional cards. Chick-fil-A frequently prints QR codes on tray liners, table cards, and seasonal promotional inserts that link to chick-fil-a.com pages, limited-time offers, or Chick-fil-A One sign-up flows. These are the codes to verify before scanning.
  • Catering and delivery confirmations. Catering order confirmations may include QR codes for tracking and sign-off. These link to cfa.com or a recognized third-party logistics partner.

If the QR code fits one of those patterns and the URL preview shows chick-fil-a.com or cfahome.com, you are safe to proceed.

The real risk: sticker QR code swaps on tray liners and table cards

The scam requires no hacking skill. A bad actor walks into a Chick-fil-A, pulls a pre-printed QR sticker from their pocket, and presses it over the legitimate QR code on a tray liner or counter promotional card. The process takes three seconds and is virtually invisible in a busy dining room. When the next customer scans it, they land on a phishing page — often a convincing Chick-fil-A One login lookalike — that asks for their account credentials or payment details.

This is the same low-tech attack used across restaurants broadly and at coffee shops. Chick-fil-A is an especially appealing target because its loyalty app has extremely high adoption — scammers know customers are comfortable scanning and entering account credentials at the counter.

How to spot a swapped sticker in one second

  • Look for raised edges or misalignment. A sticker applied over a printed QR code usually has a slightly raised border and may be slightly crooked. Run your fingernail across the code — if you feel a ridge, skip the scan and order through the app directly.
  • Check the URL preview before tapping. After scanning, your phone shows you the destination link before opening it. Any link whose domain is not chick-fil-a.com or cfahome.com is a red flag, including longer names that only begin with one of them. Close the browser without tapping anything.
  • Use QRsafer before you open. QRsafer decodes the QR code and checks the destination against threat intelligence before your browser ever loads the page — giving you a safety verdict in under a second.
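The URL-preview check from the list above, written out as an added example (it is not code from Chick-fil-A or QRsafer). It compares the link's hostname, not the start of the string, against the two domains this page names; accepting subdomains, requiring https, and the sample links are assumptions made here.

```python
from urllib.parse import urlsplit

# Domains this page names as legitimate destinations.
ALLOWED_DOMAINS = ("chick-fil-a.com", "cfahome.com")


def check_qr_destination(url):
    """Return (ok, reason) for the text decoded from a QR code."""
    url = url.strip()
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "not a parseable URL"
    # Assumption of this example: only https links are accepted.
    if parts.scheme.lower() != "https":
        return False, "not an https link"
    # Browsers and URL parsers can disagree about where the host is
    # when these characters appear, so refuse them outright.
    if "\\" in url or "@" in parts.netloc:
        return False, "userinfo or backslash in URL"
    if not host:
        return False, "no hostname"
    for domain in ALLOWED_DOMAINS:
        # Exact match, or a subdomain such as www.<domain>.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host " + host + " is not an allowed domain"


# Constructed sample links, not taken from real QR codes.
SAMPLES = [
    "https://www.chick-fil-a.com/one",
    "https://order.cfahome.com/pickup",
    "https://chick-fil-a.com.rewards-login.example/one",  # allowed name as a prefix only
    "https://chick-fil-a.com@rewards-login.example/one",  # allowed name in userinfo
    "https://chick-fil-a-rewards.example/login",          # similar-looking name
    "https://www.chick-fil-\u0430.com/one",               # Cyrillic letter in the host
    "http://www.chick-fil-a.com/one",                     # plain http
]


def verdicts():
    """Return [(url, ok)] for every constructed sample."""
    return [(u, check_qr_destination(u)[0]) for u in SAMPLES]


if __name__ == "__main__":
    for u in SAMPLES:
        print(check_qr_destination(u), u)
```

Only the first two samples pass; each of the others shows the trusted name somewhere in the link while the hostname itself belongs to a different domain or the scheme is not https.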

What if you already scanned and something felt wrong?

  1. Close the page immediately — do not enter any information and do not tap any buttons on the suspicious page, including “X” or “Close.”
  2. If you entered your Chick-fil-A One login: go directly to chick-fil-a.com and change your password. Check your points balance and order history for unauthorized activity.
  3. If you entered payment details: call your bank or card issuer immediately to report potential fraud and request a card replacement. Charges on a credit card are disputable under the Fair Credit Billing Act.
  4. Tell a Chick-fil-A team member. Point out the QR code on the tray liner or card. If it is a sticker swap, they can remove it and protect every customer after you.
  5. File a report at reportfraud.ftc.gov with any screenshots of the code and the page it opened.

Frequently asked questions

Is the QR code on a Chick-fil-A tray liner safe to scan?

Official Chick-fil-A tray-liner QR codes are safe, but tray liners and counter cards are easy targets for physical sticker swaps. A scammer can press a pre-printed QR sticker over the real one in seconds. Before scanning, look for a raised edge or misaligned corners. If you see those signs, skip the scan and order through the Chick-fil-A app instead.

How does Chick-fil-A One use QR codes?

The Chick-fil-A One app generates a personal QR code on the “Scan” or “Order” screen that you show at the counter or drive-through to earn points and pay. This code lives inside the official app and refreshes automatically — it is not a static printed sticker. You are never asked to scan an external QR code to earn Chick-fil-A One points or redeem rewards.

What should I do if a Chick-fil-A QR code took me to an unexpected website?

Close the browser immediately without entering any information. If you already entered payment or login details, call your bank to report potential fraud and change your Chick-fil-A One account password right away. Tell a team member so the tampered card or liner can be removed. File a report at reportfraud.ftc.gov with any screenshots.

Check before you scan — every time

QRsafer previews any QR code destination and flags unsafe links before you ever open them. Free on iOS and Android.
