QR code phishing: how to recognize a fraudulent code and protect yourself while scanning

Are QR codes safe? How to avoid fraud and phishing

QR codes have become a regular tool in everyday interactions — from restaurant menus to authentication in banking apps. However, their growing popularity has triggered another trend: cybercriminals are increasingly using QR codes as a channel for phishing attacks, data theft, and financial fraud.

Most users perceive QR as a "neutral" technology, not suspecting that a single scan can lead to a fake website or the download of malicious software. That raises the question: are QR codes truly safe? And what can be done to avoid the risks?

In this article, we will explore in detail:

  • the threats hidden behind QR codes;
  • what typical fraud scenarios look like;
  • the signs that point to potential dangers;
  • how to check a QR code before scanning;
  • and what to do if you become a victim of an attack.

This article is intended for both regular users and businesses that use QR codes in their processes. The goal is not to cause panic, but to help foster a conscious and safe approach to a technology that has long gone beyond being just an “auxiliary tool”.

QR codes: infographic showing pros and risks — fast access vs phishing and fraud via fake QR codes.
QR codes: convenience vs risks. On one side — quick access and contactless use, on the other — the possibility of phishing and data manipulation.

What makes QR codes dangerous?

At first glance, a QR code seems like a convenient and neutral tool: you just scan the image and get to the page you want. But the main vulnerability is that the content of a QR code is invisible to the user until it is scanned. This opens the door to manipulation — especially when people act automatically.

Phishing via QR: how does it work?

Phishing is a type of fraud where a user is deceived and tricked into handing over their own data: login, password, card details, etc. In the case of QR codes, this takes the form of so-called quishing (QR phishing).

Example: a cybercriminal prints a QR code that leads to a fake banking or popular service website. This code is placed over the original one — on an ATM, poster, coffee shop wall, or even on a receipt. The user scans it, unsuspectingly enters their data — and effectively hands it over to the fraudsters.

What can a QR code do?

A QR code can contain any link — including those that:

  • lead to malicious or fake websites that collect personal data;
  • initiate automatic file downloads (such as an infected app);
  • use redirects to mask the real URL;
  • deceive the user with fake logos or by imitating a well-known brand.

These actions do not “hack” your device directly, but they activate dangerous scenarios through carelessness or user trust. This is the essence of social engineering.

💡 Tip for beginners: Just like with suspicious emails, you can be routed to a fake site via QR. But unlike emails, a QR code always looks the same — regardless of where it leads.

Important: physical replacement of the original QR code

One of the most dangerous tactics is replacing a real QR code in public spaces. Fraudsters simply place their malicious code on top of the original. This can happen on:

  • menus in restaurants or cafeterias;
  • announcements, posters, billboards;
  • printed materials: brochures, product packaging;
  • even charity donation boxes or receipts.

For an ordinary user, the difference between a “genuine” and a “fake” code is invisible. That’s why it’s important to know — where and how you can trust a QR code, and when you should avoid scanning it.

Examples of Attacks via QR Codes

A theoretical threat is one thing. But to build true awareness, it's important to see what phishing or fraudulent attacks via QR codes actually look like in real life.

1. Replacement of a QR Code on a Public Surface

In a coffee shop, there's a menu with a QR code on the table. A scammer arrives early and places their own code over it, leading to a fake menu website — one that looks similar, but has a card entry field for “table reservation”. The data is entered — and goes straight to the criminals.

2. QR Code on a Poster or Billboard

In the city center, there's a banner advertising an event with a QR code for buying tickets. An attacker sticks their own code on top, leading to a cloned website that collects bank card details. The user pays for a “ticket”, but never attends the event.

3. QR Code in a Fake Email or SMS

The victim receives an SMS: “Your parcel is on hold. Confirm delivery at this link”, with a QR code attached. It leads to a site that requires entering personal data or paying a “fee”. On the surface, everything looks plausible.

4. QR Codes for “Payment” or “Donations”

Donation boxes with announcements for fundraisers appear in the streets — featuring a QR code for money transfers. However, the code leads to a scammer’s personal account and has nothing to do with the stated cause.

5. QR Code on a Parking Meter or Payment Terminal

Scammers place their own QR code on a payment terminal, which doesn't lead to the payment page, but to a site mimicking the bank interface. The user enters their login and password — and loses access to their account.

💡 Tip: If a QR code looks suspicious — crookedly placed, looks worn, or appears “too new” — it’s best not to scan it.

These examples all share a common trait: a QR code acts as a bridge to a resource you haven’t yet entrusted with your data — but you effectively already have.

How to Identify a Fraudulent or Fake QR Code

Although all QR codes look the same — as square pixel blocks — their content can vary dramatically. You can't see the danger visually, but there are a few warning signs to watch for.

1. QR Code Is Placed in an Untrusted Environment

If you see a QR code on a lamp post, in an elevator, or stuck over another — that's the first reason to be cautious. Codes in public spaces are easy to replace — so don't trust them without checking.

2. The Code Leads to a Website with a Strange or Shortened URL

Many attacks use URL shorteners (bit.ly, t.ly, qr.link) to hide the real site. If your browser or camera shows only a shortened link — try not to open it right away, but use third-party preview services first.

3. The QR Code Requires Immediate Action

“Confirm now”, “Pay immediately”, “Your parcel was not delivered” — these are classic social engineering signs. Scammers play on urgency so you won't double-check a resource's authenticity.

4. The Code Looks Superficially Pasted or “Newer” Than the Surface

If a QR code is stuck on an ATM, poster, or menu — check if it looks fresher than the underlying surface. Often scammers simply stick their code over the genuine one. Crookedness, bubbles, or mismatch in style — are all reasons to be suspicious.

5. The QR Opens a Site that Looks “Almost Genuine”

If scanning opens a page resembling a bank, delivery service, or familiar platform — carefully check:

  • whether the domain is spelled correctly (for example, ukrposhta.info instead of ukrposhta.ua);
  • whether there is a secure connection (the address starts with https://);
  • whether you are asked to enter a password or bank details immediately without verifying authenticity.
💡 Tip: Don’t scan QR codes under pressure (in a queue, rush, crowd). It’s better to spend 10 seconds checking than to spend days regaining access to your account.

How to Use QR Codes Safely

QR codes themselves are not dangerous — the risk arises when we interact with them without verification. If you learn to assess the context of where the code comes from and where it leads — the risk of fraud is greatly reduced.

📱 For Regular Users

1. Always check the link before following it

Most smartphones (iOS and Android) display the URL pointed to by the QR code before opening it. If the address looks unfamiliar, contains strange characters, or does not match the brand (for example, secure-pay-pal.com instead of paypal.com) — do not open it.

2. Do not scan codes from random sources

If a QR code is placed in a subway, on a wall, or on a fence — it is not always official information. Scammers deliberately place their codes where people scan them thoughtlessly: in elevators, cafes, on public transport.

3. Avoid entering personal data on suspicious pages

If after scanning you are immediately asked to enter your email, password, or card details — stop. Trusted services do not ask for sensitive information without your explicit initiative.

4. Use apps you trust

For example, scan bank codes via the official bank app. The smartphone camera is convenient, but not always secure. Some apps can warn you about phishing or check the reputation of a URL.

💡 Tip: If you are unsure, it’s better to take a photo of the code and check it later with a secure app than scan it “on the go.”

🏢 For Businesses and Organizations

Branded QR code on a restaurant table with an explanation for scanning.
Example of a branded QR code with a caption for users: as an element to build trust and reduce the risk of code substitution.

1. Control the physical placement of QR codes

QR codes placed in public (on tables, storefronts, POS materials) can be substituted. It’s important to secure them in a way that prevents overlaying (protective film, engraving, integration into design).

2. Implement dynamic QR codes with analytics

Dynamic codes allow you to:

  • track the number of scans;
  • analyze geolocation and user devices;
  • replace the target link if the previous one is compromised;
  • detect abnormal scan spikes — a sign of a possible attack.

3. Add logo and explanation under the code

Simple text like “Scan to view menu” or “Pay with LiqPay” increases trust and reduces the risk of substitution. A brand logo within the code itself (provided it is a high-contrast design) also makes it unique and harder to forge.

4. Provide an alternative: a short link

If a user is unsure, there should be an alternative path. Add example.com/pay nearby — this increases transparency and brand loyalty.

5. Regularly test your QR codes

Even static codes should be checked after printing, especially if you have changed the design or site content. Check on multiple devices (Android, iOS), with weak internet, in dark environments.

📌 Conclusion: QR codes are a powerful communication tool, but like any channel, they need to be implemented properly. Security is not about complexity, but about attention to detail.

What to Do If You Scanned a Phishing QR Code

The first few minutes after an incident are the most important. Even if you are unsure whether the code was dangerous, it is better to check and take basic measures. Most phishing attacks succeed because users underestimate the situation or respond too late.

1. Close the tab and clear your browser history

If after scanning you simply landed on a suspicious page, but did not interact with it — the risk is minimal. However, close the page immediately, do not click any links or buttons. Clear your browser cache to avoid reopening or auto-saved scripts.

2. If you entered a password — change it immediately

If you entered your password on a fake website, scammers may use it to:

  • gain access to your email or online banking;
  • check if this password is used on other services (using the same password everywhere is a common mistake);
  • quickly take over the account before you can react.

Change passwords on all related services, starting with your main email and financial accounts. Don’t delay — phishing bots often act automatically.

3. If you entered payment card data — block it

Even if no money has been taken yet, attackers can save the data and use it later. The safest option is to block the card or stop online operations via your banking app.

Then contact support. In some cases, the bank can block the transaction if it is not yet confirmed.

4. Report the company being impersonated

If the fake website mimics a well-known brand (bank, postal service, online store) — it’s not just your problem. The sooner the company learns about the phishing duplicate, the sooner it can be blocked at the domain or hosting level.

Almost all services have a form or email for such incidents: “report phishing” or “security”.

5. Check your device for malware

If something was downloaded after opening the site or your device started acting differently (slower, new icons, ads appeared) — run a virus scan.

  • On Android — check your recent downloads, open the “Apps” section, look for unfamiliar items.
  • On iOS — the risk is lower, but check Safari, your browsing history, and disable autofill.

6. Report the scam on the platform or via your browser

If you notice phishing activity or a clone site — you can report it via the browser’s related form (for example, “Report unsafe site” in Chrome or Firefox), or on the platform the site is impersonating (such as the bank’s or marketplace’s support).

This will help block the site globally and reduce the risk for other users.

Key principle: do not ignore the incident, even if you think “nothing happened.” Data could have been intercepted — and used later. It is better to act right away.

Conclusion: Conscious Use is the Key to Safety

QR codes are not just a tool for convenience. They have become part of modern user digital behavior, a channel for communication, payments, authentication, and marketing. But at the same time — they have opened a new attack vector, based not on technological complexity, but on inattentiveness.

The question of “are QR codes safe” has no universal answer. They can be absolutely safe — or quite the opposite. It all depends on the context: where the code is placed, who created it, is it clear where it leads, and how the user interacts with it.

That is why the best protection is not a ban, but awareness and the habit of checking. A simple algorithm of “pause → check → act” significantly reduces risk even in complex scenarios.

For business, QR codes remain an effective tool — provided they are implemented transparently, with consideration for UX, design, security, and user trust.

🔐 A QR code is just a bridge. What matters is where it leads and whether you are ready to cross it.