📱 Are QR Codes Safe? What to Scan and What to Skip

Here is something most people have never thought about: you cannot read a QR code before you scan it.

With a regular link in an email, you can press and hold to see the web address before you open it. You can decide if it looks right. With a QR code, that option does not exist. It is a visual pattern your eyes cannot decode. Your phone has to scan it first, and by then you are already on the other side.

That one gap is why QR code scams work. And why they are becoming more common.

What Quishing Is and Why It Is Hard to Spot

The cybersecurity industry calls QR code phishing quishing, a combination of “QR” and “phishing.” The mechanics are the same as a phishing email: someone impersonates a trusted source to steal your information or your money. The difference is that instead of a suspicious link you might think twice about clicking, they use a QR code that most people scan without hesitation.

Fake stickers placed over real payment codes on parking meters have been appearing in cities across the country. Fraudulent emails and texts arrive with QR codes instead of clickable links, knowing people are more likely to scan. Some flyers with QR codes trigger malware downloads that give attackers access to your messages, photos, and stored passwords. And the Los Angeles County Sheriff's Department put out a specific warning about phony court notices and legal summons that include QR codes demanding immediate payment. The notices look official — letterhead, case numbers, urgent deadlines. But no court, no sheriff's department, and no government agency will ever demand payment through a QR code.

Five Rules to Scan Safely

None of this requires avoiding QR codes. Most of the ones you encounter every day are completely fine. What it requires is about two seconds before you tap.

Check the source first. A QR code on a restaurant table is almost certainly fine. One in an unsolicited email, on a flyer, or on a payment kiosk with a suspicious-looking sticker is worth a pause.

Read the link preview. When you scan a QR code, most phones show you the URL before you open it. Read it. Watch for misspellings or unfamiliar domains. If something looks off, dismiss it.

Treat unexpected QR codes like suspicious links. If a message you were not expecting includes a QR code with urgent language about payments or account issues, do not scan it. Go directly to the company or agency using a number you look up yourself.

If it takes you to a login page, close it. Open your browser separately and type the real address yourself. A fake login page can look identical to the real one — the only way to be certain is to navigate there on your own terms.

At a kiosk, check before you scan. Run a finger over the code. Legitimate codes are usually printed directly on signage. A fake is often a thinner sticker that does not quite line up. If anything seems added on top, pay another way.

Key Takeaways

• 📱 QR codes cannot be read before you scan them. That is the core vulnerability, and it is why the two-second pause matters.
• 🔍 Read the link preview before you tap. Your phone shows you the URL. Make a habit of checking it.
• 📩 Never scan a QR code from an unexpected message. Treat it the same as a suspicious link.
• 🏛️ No government agency will ever demand payment through a QR code. Fake legal notices are a real and active scam.
• 🔒 If a QR code takes you to a login page, close it and navigate there yourself.

Links & Resources

🎧 Listen to the full episode: YourTechMakeover.com

Related episode: The Right Way to Share Wi-Fi with Guests — December 9, 2025

Also mentioned: QRCodes4Homes.com

Support the Show

If this changed how you think about scanning QR codes, I would love to hear about it. Send a note to frank@yourtechmakeover.com. I read every one.

If you enjoy Your Tech Makeover, consider supporting the show at YourTechMakeover.com. Supporters who contribute $25 or more receive $25 off a one-on-one consultation with Frank. Don't forget to subscribe on your favorite podcast platform so you never miss an episode.