Is the QR Code at McDonald's Safe to Scan? Quick Answer

Three scenarios — and how safe each one is

1. QR code inside the McDonald's app — safe

When you open the McDonald's app to place a Mobile Order, redeem a MyMcDonald's Rewards point, or present a deal coupon, the app generates a QR code on your screen. You show that code to the cashier or hold it to the self-checkout scanner. Because the code originates from within McDonald's own software, it cannot be tampered with. This is the safest scenario — no external code to scan, no redirect to follow.

2. QR code on a tabletop card, tray liner, or kiosk screen — verify first

McDonald's locations use printed QR codes on table tents, tray liners, promotional cards, and ordering kiosk screens to direct customers to deals, surveys, or menu information. These codes are legitimate, but because they are static and physically accessible, they are the primary target for sticker swaps — the same attack seen at gas stations and parking meters. Before tapping, check that the URL preview starts with mcdonalds.com. If it shows an unfamiliar domain, close it and tell a staff member.

3. QR code on a handwritten sign or a flyer handed to you — highest risk

If someone outside the restaurant hands you a flyer, or you see a handwritten sign with a QR code promising a free item or discount, treat it as suspicious. McDonald's does not distribute unsolicited paper offers in parking lots or on street corners with QR codes. These codes most commonly lead to fake sweepstakes or survey pages that harvest your name, email, and payment details for a prize that never arrives.

The one-second check that catches sticker swaps

McDonald's is one of the highest-traffic fast-food chains in the world, which makes its physical QR codes a reliable target. A scammer can walk in, place a sticker over the real code in seconds, and be gone before anyone notices. The swap is nearly invisible — the code still looks printed and official.

• Check the URL preview. When your phone camera decodes a QR code, it shows the destination URL before you tap. Any URL that does not start with mcdonalds.com or open directly in the McDonald's app is a red flag. Close the browser without tapping anything.
• Feel for a raised edge. Run your fingernail lightly along the QR code. If you feel a ridge or notice the code looks slightly misaligned with the surrounding design, a sticker may have been applied on top. Don't scan — alert the staff.
• Use QRsafer first. QRsafer checks the destination URL against threat intelligence databases before your browser loads the page. You get a safety verdict in under a second — well within the time it takes to order a combo meal.

What to do if you already scanned and something felt wrong

1. Close the page immediately — do not enter any information and do not tap any buttons on the suspicious page.
2. If you entered your McDonald's account credentials: log in at mcdonalds.com from a different device and change your password immediately. Check your saved payment methods and recent order history for unauthorized activity.
3. If you entered payment details: call your bank or card issuer right away to report potential fraud and request a replacement card.
4. Tell the restaurant staff. Point out the QR code on the table tent or signage. If it is a sticker swap, they can pull it and prevent every customer after you from being victimized.
5. File a report at reportfraud.ftc.gov with any screenshots of the code and the page it opened.

Frequently asked questions