QR codes are inherently neutral — they are just a method of encoding data. But like any technology, they can be misused. QR code phishing — sometimes called 'quishing' — is a growing attack vector where criminals replace legitimate QR codes with their own, redirecting victims to phishing pages designed to steal credentials, install malware, or commit payment fraud.

How QR Code Attacks Work

There are several common attack patterns:

  • Physical replacement — a malicious sticker placed over a legitimate QR code (parking meters, restaurant tables, public signs).
  • Email phishing — a QR code image in an email, bypassing email security filters that typically scan links but not images.
  • Fake reviews and invoices — QR codes on fraudulent documents directing victims to payment pages.
  • Malicious posters — fake QR codes in public spaces (airports, bus stops) promising free WiFi, discounts, or prize claims.

Warning Signs of a Malicious QR Code

  • Physical sticker over an existing QR code — always inspect whether a QR code label has been placed over another.
  • The URL preview looks unusual — most modern phones show a URL preview before opening it. Check it carefully before tapping.
  • The URL uses a URL shortener (bit.ly, tinyurl) and you cannot see the destination.
  • The page asks for login credentials unexpectedly, especially for services you did not initiate.
  • The QR code is in an unsolicited email, particularly for banks, tax agencies, or courier services.
  • The landing page has poor design, spelling errors, or an unusual domain (e.g. paypa1.com instead of paypal.com).

How to Stay Safe When Scanning QR Codes

  1. 1Always preview the URL before tapping — iOS and Android show the destination URL before you visit it.
  2. 2Check the domain carefully — look for typosquatting (paypa1.com, gooogle.com, amazon-login.com).
  3. 3Do not scan codes in unsolicited emails — your bank will not ask you to scan a QR code to verify your account.
  4. 4Inspect physical QR codes for stickers — if a QR code looks tampered with, do not scan it.
  5. 5Never enter credentials on a page reached via QR code unless you initiated the process yourself.
  6. 6Use a QR scanner app with link preview (Google Lens, iOS Camera) rather than apps that auto-open URLs.

Is Our QR Code Generator Safe?

Yes. Our generator is safe for several reasons: (1) all QR code generation is client-side — your data never leaves your browser, (2) we do not insert tracking redirects or short links — the QR code points directly to the URL you enter, and (3) we do not collect or store any content you enter into the generator.

The QR codes you download are static and direct — no middleware, no tracking server, no third-party redirects. What you encode is what gets scanned.

Responsibility for QR Code Safety

You bear responsibility for the content you encode. Do not generate QR codes that link to phishing pages, malware, fraudulent schemes, or any illegal content. Our Terms of Service prohibit the use of our tool for any harmful or illegal purpose.