QR Code Scams: The Invisible Threat You Scan Every Day
QR codes have become ubiquitous since the pandemic, appearing on restaurant menus, parking meters, and advertisements. Criminals are exploiting this trust by placing malicious QR codes that redirect to phishing and scam websites.
How QR Code Scams Work
QR codes are essentially links encoded in a visual format — and like any link, they can point to malicious destinations. The critical difference is that QR codes cannot be visually inspected before scanning. When you hover over a link on a webpage, you can see where it leads.
When you scan a QR code, you have no idea what URL is encoded until your device processes it. Criminals exploit this by placing fraudulent QR codes over legitimate ones in public spaces, distributing fake flyers and posters with malicious codes, sending printed materials through the post with QR codes leading to phishing pages, and even projecting QR codes in public areas. The technique is sometimes called quishing — QR code phishing.
Where QR Code Scams Are Most Common
Parking meters and public transport ticket machines are frequent targets — criminals place stickers with their own QR codes over the legitimate payment codes, redirecting payments to their accounts. Restaurant table-top QR menus have been replaced with codes leading to fake ordering pages that harvest payment card details. Fake package delivery notices left at doors contain QR codes linking to credential harvesting pages.
Event tickets, conference materials, and promotional flyers are used to distribute malicious codes. Some scammers even place stickers on products in shops, hoping customers will scan them expecting product information and instead land on phishing pages.
How to Protect Yourself From QR Code Scams
Always use your phone's built-in QR scanner or camera application rather than third-party scanners, as native applications typically preview the URL before opening it. Check the previewed URL carefully before proceeding — look for suspicious domains, misspellings, or unexpected destinations. Be particularly cautious with QR codes in public spaces, especially those that appear to have been placed over existing codes.
If a QR code leads to a payment page, verify that the URL matches the legitimate payment provider. Avoid scanning QR codes from unsolicited printed materials received by post. If possible, navigate to websites directly rather than through QR codes.
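The URL checks described above (suspicious domains, misspellings, unexpected destinations, matching the payment provider) can be written out as code. This is an added Python example, not part of the original article or of any Sorinify code; the expected host `pay.example-parking.test`, the similarity threshold, and the sample payloads are constructed assumptions.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: hosts the scanner expects in this context (hypothetical name).
EXPECTED_HOSTS = {"pay.example-parking.test"}

def _matches(host, expected):
    """True if host is an expected host or a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in expected)

def assess_qr_url(decoded, expected=EXPECTED_HOSTS):
    """Return a list of warnings for the text decoded from a QR code."""
    findings = []
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if not host:
        return findings + ["no hostname"]
    if parts.username is not None:
        # In https://trusted@other/, the real destination is "other".
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")
    if not _matches(host, expected):
        findings.append("unexpected destination")
        for e in expected:
            # Assumed threshold: near-identical strings suggest a lookalike.
            if SequenceMatcher(None, host, e).ratio() >= 0.85:
                findings.append(f"looks like a misspelling of {e}")
    return findings

# Constructed sample payloads, not taken from real incidents.
SAMPLES = [
    "https://pay.example-parking.test/zone/12",
    "https://pay.examp1e-parking.test/zone/12",
    "https://pay.example-parking.test@203.0.113.7/zone/12",
    "http://xn--exmple-parking-9db.test/pay",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", assess_qr_url(s) or ["no warnings"])
```

An empty list means none of these checks fired; it does not mean the destination page is safe.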
Automatic Protection After Scanning
Even if you scan a malicious QR code, Sorinify provides protection at the point where your browser opens the destination URL. Our server-side analysis evaluates the page before it loads, detecting phishing pages, fake payment forms, and credential harvesting sites regardless of how you arrived at them. This automatic protection is particularly valuable for QR code scams because the malicious URL is hidden until after the code is scanned.