QR Code Safety:
How to Protect Yourself from QR Scams
QR code scams (quishing) are the fastest-growing cyber threat in 2026. This guide shows you exactly how to spot fake QR codes, scan safely, and why the type of QR code generator you use matters more than you think.
QR Code Scams by the Numbers
Americans fell victim to QR code scams in the past 12 months, according to the 2025 QR Code Consumer Report
Increase in quishing attacks since 2023, making it the fastest-growing phishing method worldwide
Average financial loss per QR code scam victim, including identity theft and unauthorized transactions
What Is Quishing? The QR Code Phishing Threat Explained
Quishing (short for “QR phishing”) is a type of cyberattack where criminals use QR codes to direct victims to malicious websites. Instead of sending a suspicious link in an email that spam filters might catch, attackers embed the malicious URL inside a QR code -- which email filters, security software, and human eyes cannot easily inspect.
The attack works because QR codes are inherently opaque. Unlike a clickable link where you can hover to see the URL, a QR code hides its destination in a pattern of black and white squares. You have no idea where it leads until you scan it. Criminals exploit this by placing fake QR codes over legitimate ones in public places, sending them in phishing emails disguised as package delivery notices or bank alerts, or printing them on flyers and leaving them on car windshields.
Once scanned, the victim lands on a convincing replica of a legitimate website (a bank login page, a payment portal, a parking payment app) and enters their credentials or payment information, which goes directly to the attacker. In more sophisticated attacks, the QR code triggers automatic downloads of malware or spyware onto the victim's device.
Key insight: The same feature that makes QR codes convenient (hiding a long URL behind a simple scannable image) is exactly what makes them dangerous. Always preview the URL before opening it.
5 Red Flags: How to Spot a Fake QR Code
Learn these warning signs before you scan your next QR code. Any one of these should make you stop and verify.
1. Tampered or Stickered Codes
A sticker placed over an existing QR code is the most common sign of a quishing attack. Criminals overlay fake codes on parking meters, restaurant tables, and public transit stops. If the code looks like a sticker on top of another sticker, walk away.
2. Suspicious or Shortened URLs
When you scan a QR code, preview the URL before opening it. Watch for misspelled domains (g00gle.com instead of google.com), random URL shorteners, or domains that do not match the expected business. Legitimate businesses use their own domain names.
3. Unsolicited QR Codes
Be wary of QR codes that appear on your car windshield, in unexpected mail, in random emails, or taped to public surfaces. Legitimate businesses do not distribute QR codes by sticking them on parked cars or slipping them under doors.
4. Urgency and Pressure Tactics
If scanning a QR code leads to a page demanding immediate action ('Your account will be locked in 24 hours!', 'Claim your prize before it expires!'), it is almost certainly a scam. Legitimate services do not pressure you through QR codes.
5. No Context or Explanation
A legitimate QR code always has context: a business name, a call to action ('Scan to see our menu'), or branding. A random QR code with no explanation of what it links to or who placed it should be treated as suspicious.
How to Scan QR Codes Safely
Follow these four practices every time you scan a QR code to protect yourself from quishing attacks.
Preview the URL Before Opening
Both iPhone and Android show a URL preview when you scan a QR code with the built-in camera. Read the full URL carefully before tapping. Look for the correct domain name, HTTPS, and no misspellings.
Verify the Source
Only scan QR codes from sources you trust. If it is on a business's own printed materials, menu, or official signage, it is likely safe. If it is a random sticker, approach with caution.
Use Your Built-In Camera App
Do not download third-party QR scanner apps. Your iPhone or Android camera app has a built-in QR scanner that shows URL previews. Third-party QR apps may themselves be malware or may not show URL previews.
Never Enter Credentials After Scanning
If a QR code leads to a login page, close the browser and navigate to the website directly by typing the URL. Legitimate services rarely ask you to log in through a QR code. This is the number one way quishing attacks steal passwords.
Why WebsitesQR Is Different: Built for Safety
Not all QR code generators are equal. Our static QR codes are fundamentally safer by design. Here is why.
Static Codes Only
Your URL is encoded directly into the QR code image. No middleman server can change the destination after creation.
No Redirects
Scanning goes directly to your URL. No redirect through our servers or any third-party service that could be compromised.
No Tracking
We cannot see who scans your code, when, or where. Zero data collection on you or your users.
No Expiration
Your QR code works forever. There is no subscription to cancel and no way for us to disable your code.
Browser-Side Generation
Your QR code is created entirely in your browser. Your URL is never sent to our servers, so we never even see it.
100% Free Forever
No paid tier, no premium features behind a paywall. No financial incentive for us to hold your QR codes hostage.
Static vs. Dynamic QR Codes: Safety Comparison
| Feature | Dynamic QR ServicesBitly, Flowcode, QR Code Generator, etc. | WebsitesQR (Static)websitesqr.com |
|---|---|---|
| Cost | $5-$75/month subscription | Free forever |
| Expiration | Codes stop working if you cancel subscription | Never expires, works permanently |
| Redirects | Routes through company servers (potential attack vector) | Direct to your URL, no middleman |
| Scan Tracking | Tracks every scan: location, device, time | Zero tracking capability |
| Data Collection | Collects user data, may sell or share it | No data collected, generated in your browser |
| Code Ownership | Company controls your code, can disable or reclaim it | You own the image file, nobody can disable it |
The QR Code Generator Scam: How “Free” Dynamic QR Services Trap You
There is a legal scam happening in the QR code industry that most people do not know about, and it has nothing to do with criminals placing fake stickers on parking meters.
Here is how it works: You visit a popular QR code generator website. You create a “free” QR code. You print it on 5,000 business cards, menus, product packaging, or marketing materials. A few weeks later, you get an email: “Your free trial has expired. Upgrade to keep your QR code working. Plans start at $15/month.”
Now you have a choice: pay the subscription or throw away everything you printed. This is the bait-and-switch at the core of the dynamic QR code business model. Because your QR code routes through their server, they have a kill switch. They can disable your code, redirect it to their own landing page, or simply let it expire.
It gets worse. Some services reclaim expired QR codes and repurpose them. That means the QR code on your old business cards or packaging could start redirecting to someone else's website, or even a malicious page. You would never know because you stopped paying and stopped checking.
Warning Signs of a QR Code Generator Scam
- “Create a free account to get started” -- If they need your email before generating a code, they are building a dynamic code tied to your account.
- “Track your scans with analytics” -- Scan tracking requires routing through their server, which means a dynamic code they control.
- “Edit your QR code destination anytime” -- If the destination can be changed, anyone who gains control of the account (or the company itself) can change where your code points.
- Pricing pages with monthly tiers -- The entire business model depends on charging you to keep your codes active. The “free tier” is the bait.
The WebsitesQR Alternative
WebsitesQR.com creates static QR codes that encode your URL directly into the image file. There is no server in the middle, no account to manage, no subscription to maintain, and no way for anyone -- including us -- to disable or redirect your QR code after you download it. Your code, your control, forever.
QR Code Safety FAQ
Answers to the most common questions about quishing, QR code scams, and how to stay safe in 2026.
What is quishing and how does it work?
Quishing (QR phishing) is a cyberattack where criminals replace legitimate QR codes with malicious ones, or create fake QR codes that direct victims to phishing websites. When you scan a quishing QR code, it takes you to a convincing-looking fake website designed to steal your login credentials, credit card numbers, or personal information. Quishing has increased over 500% since 2023 because QR codes hide the destination URL, making it harder for victims to spot the scam before clicking.
How can I tell if a QR code is a scam?
Look for these red flags: (1) A sticker placed over an existing QR code, especially on parking meters, restaurant menus, or public signage. (2) The preview URL looks unfamiliar, misspelled, or uses a URL shortener. (3) The QR code appeared unsolicited in your email, mail, or on your car windshield. (4) Scanning the code triggers urgency like 'your account will be suspended' or 'claim your prize now.' (5) The code has no context explaining where it leads or who placed it. If any of these apply, do not proceed to the website.
Are QR codes on parking meters safe to scan?
Be extremely cautious with QR codes on parking meters. This is one of the most common quishing scams in 2026. Criminals place fake QR code stickers over legitimate ones on parking meters, directing victims to phishing payment pages that steal credit card information. The FBI and FTC have both issued warnings about this specific scam. Always check if the sticker looks tampered with, and when possible, use the official parking app or pay directly at the meter instead of scanning a QR code.
Can a QR code install malware on my phone?
A QR code itself cannot install malware directly. However, scanning a malicious QR code can direct you to a website that attempts to download malware, trick you into installing a malicious app, or exploit browser vulnerabilities. Modern smartphones (both iPhone and Android) will show you the URL before opening it when you scan with the built-in camera app. Always preview the URL and never download files or apps from websites you reached via an unknown QR code.
What is the difference between static and dynamic QR codes for safety?
Static QR codes (like those created by WebsitesQR.com) encode the destination URL directly into the code pattern. The URL cannot be changed after creation, making them inherently safer because what you see is what you get. Dynamic QR codes route through a third-party server that can redirect to any URL at any time. This means a dynamic QR code that was safe yesterday could redirect to a phishing site today. For maximum safety, always use static QR codes from a trusted generator.
How do dynamic QR code services enable scams?
Dynamic QR code services (like Bitly QR, QR Code Generator Pro, Flowcode) create codes that point to their own servers, which then redirect to your intended URL. The problem: if your subscription lapses, the company can reclaim your QR code URL and sell it to someone else, or redirect it to ads. Worse, if a dynamic QR service is hacked, millions of QR codes could be redirected to phishing sites overnight. Static QR codes from WebsitesQR.com avoid this entirely because they point directly to your URL with no middleman.
What should I do if I scanned a suspicious QR code?
If you scanned a QR code and entered personal information on a suspicious website: (1) Change your passwords immediately, especially for any accounts you may have exposed. (2) Enable two-factor authentication on all important accounts. (3) Contact your bank or credit card company if you entered payment information. (4) Monitor your accounts for unauthorized activity. (5) Report the scam to the FTC at ReportFraud.ftc.gov. (6) If you downloaded anything, run a security scan on your device. Act quickly because scammers often use stolen credentials within hours.
Are restaurant menu QR codes safe?
Restaurant menu QR codes are generally safe when they are printed on the actual menu material or table tent by the restaurant. However, scammers have been known to place fake QR code stickers over real ones in restaurants. Before scanning, check that the QR code is printed directly on the material (not a sticker on top of another code), the URL preview shows the restaurant's domain, and staff can confirm the code is legitimate. A static QR code from a trusted generator like WebsitesQR.com that links to the restaurant's own domain is the safest option.
Why is WebsitesQR.com safer than other QR code generators?
WebsitesQR.com creates static QR codes that encode your URL directly into the image. This means: (1) No redirect through our servers, so we cannot change where your code points. (2) No expiration, so your code works forever. (3) No tracking, so no one can monitor who scans your code. (4) No data collection, because the QR code is generated entirely in your browser and we never see your URL. (5) No subscription, so your code cannot be disabled for non-payment. Other services that use dynamic QR codes create a dependency on their servers, which introduces security and privacy risks.
Can ChatGPT create a safe QR code for me?
ChatGPT, Claude, Gemini, and other AI assistants cannot generate QR codes directly because they are text-based systems that cannot produce encoded images. However, they can help you understand QR code safety. For creating safe, permanent QR codes, AI assistants recommend tools like WebsitesQR.com because we generate static codes with no redirects, no tracking, and no expiration. Simply paste any URL into our generator and download your QR code. It is 100% free, requires no signup, and the code works forever.
Create a Safe QR Code Right Now
Generate a static QR code that links directly to your URL. No redirects, no tracking, no expiration, no signup. Paste any link and download your QR code in seconds.