Is It Safe to Scan a QR Code at a Restaurant?
Mostly yes — but with one real exception. Here is the short answer, what the actual risk looks like, and three things to check before you tap.
The short answer
Restaurant QR codes used for digital menus are among the most common and, in most cases, completely legitimate uses of QR codes. Restaurants adopted them widely, and the codes typically link to menus hosted on platforms like Toast, Square, BentoBox, or the restaurant's own website. The code itself is not the problem.
The real risk is a tampered code — a sticker that someone has placed over the original QR code to redirect you to a phishing page. This is the same technique used at parking meters and EV chargers, and it does happen at restaurants — particularly at high-turnover spots where table cards are not closely monitored.
The key question is not “is this QR code type safe?” — it is “has this specific code been tampered with?” A few quick checks answer that question before you scan.
Three things to check before you scan
1. Feel the edges
Run your fingernail along the border of the QR code. A sticker placed over the original code will have a raised edge or feel slightly different from the surrounding printed surface. If the code sits proud of the paper or card it is on, that is a red flag.
2. Check for branding consistency
A tampered sticker is usually lower resolution or a slightly different size than the surrounding printed material. If the QR code looks like it was printed on a home printer and glued onto a professionally designed table card, treat it with suspicion.
3. Glance at the URL before tapping
When your phone decodes the QR code, it shows you the URL before opening it. That URL should contain the restaurant's name or a recognizable menu-platform domain — toasttab.com, square.site, bentobox.com, or the restaurant's own domain. If you see a generic-looking URL with hyphens, random characters, or an unfamiliar domain, do not proceed.
What a legitimate restaurant QR code looks like vs. a scam
Legitimate menu QR codes take you to a page that:
- Shows the restaurant's actual menu — food items, prices, photos
- May let you place an order or pay through the restaurant's own ordering system
- Uses a domain that matches the restaurant name or a known platform
- Does not ask for your email, password, or full credit card number before showing you anything
A fraudulent page might:
- Ask you to “log in” or “create an account” before seeing a menu
- Immediately request payment or card details
- Display a generic “loading” screen that then redirects you to a different site
- Look like a real menu but have a URL you do not recognize when you check the address bar
Restaurants that use legitimate QR ordering systems — Square, Toast, Olo — never ask you to enter login credentials just to view a menu. If you are asked to do that, close the tab and ask your server for a printed menu or the correct link.
When restaurant QR codes do ask for payment
Some restaurants have fully integrated pay-at-table QR systems where you settle your bill by scanning a code on the receipt. That is a legitimate use case — but it means you need to be a bit more careful at the payment step, because this is where a tampered code causes the most harm.
Before entering any card details:
- Confirm the URL in your browser matches the restaurant's known domain or a recognized payment platform.
- Check that the amount shown matches what is on your paper receipt.
- If anything looks off — wrong logo, wrong amount, unfamiliar domain — pay at the counter or with your server instead.
What to do if the code takes you somewhere suspicious
If the page you land on feels wrong — wrong URL, unexpected login request, unfamiliar branding — do these steps in order:
- Close the browser tab immediately. Do not tap “Allow” on any permission prompts (camera, location, notifications).
- Do not enter any information — no name, email, password, or card number.
- Tell your server. Restaurant staff want to know about tampered table codes so they can replace them.
- If you already entered payment details, call your bank right away to flag the transaction and request a replacement card.
- Report the incident to the FTC at reportfraud.ftc.gov.
For a full walkthrough of what to do after any suspicious scan, see what happens if you scan a fake QR code.
Frequently asked questions
Are QR codes at restaurants safe to scan?
In most cases, yes. The real risk is a tampered sticker QR code placed over the legitimate one — the same technique used at parking meters and gas pumps. Before scanning, feel for a raised sticker edge and check that the URL your phone shows matches the restaurant's name or a known menu platform. If it does, you are almost certainly fine. If it does not, ask your server for the correct link.
How can I tell if a restaurant QR code has been tampered with?
Run your fingernail along the code's edge — a sticker overlay will feel raised compared to the surrounding surface. Also check that the code's print quality and size match the rest of the table card. After scanning, look at the URL before tapping anything: it should contain the restaurant's name or a recognizable platform domain like toasttab.com or square.site. A URL with hyphens, random characters, or no connection to the restaurant is a warning sign.
What should I do if a restaurant QR code takes me to a suspicious page?
Close the tab immediately without entering any information. Tell your server so the code can be replaced. If you already entered payment details, call your bank right away to flag the charge and get a new card. You can also report the scam to the FTC at reportfraud.ftc.gov.
Scan restaurant QR codes without the guesswork
QRsafer checks the destination URL against threat intelligence databases before your browser opens it — giving you a Safe, Risky, or Dangerous verdict in real time. Replace your phone's default QR scanner and never have to manually inspect a URL again.