Is It Safe to Scan a QR Code? Quishing, Sticker Scams, and How to Stay Safe

May 10, 2026

Yes — scanning a QR code with your phone's built-in camera is safe. The risk lives in the URL the code opens, not in the act of scanning. A scanned code can take you to a phishing site the same way a tapped link can. That's the whole threat model. The good news: every modern phone previews the destination URL before opening it, so two seconds of attention defeats almost every QR scam in the wild.

If you want the encoding side — what's actually inside that black-and-white square — we have a separate piece on how QR codes actually work. This one is about the safety question.

Are QR codes themselves dangerous?

A QR code is just an encoding. The grid of black-and-white modules resolves to a string of text, usually a URL but sometimes a Wi-Fi credential or a vCard. The bytes themselves can't run anything on your phone. What matters is what your phone does with the decoded string.

For URL codes, that's the same risk model as a tapped link. The destination might be a real site, a spoofed login page, or a malware drop. The Federal Trade Commission's framing is the right one: scammers hide harmful links in QR codes to steal personal information, so the defense is the same as for any unsolicited link — verify the destination before you commit. The iOS Camera and Google Lens both preview the URL before opening it, and that preview is the single most effective defense you have. QRDock does the same preview, and additionally checks the destination against known-bad-domain lists before navigation. Best-effort, not a guarantee, but a useful second layer.
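As an added illustration (not QRDock's code, and not from any vendor named here), this is roughly what a preview-plus-blocklist step does with a decoded QR string: decide what kind of payload it is, pull out the host a URL really points at, and raise warnings before anything opens. The blocklist entry, shortener list, and sample payloads are constructed for the example; the two TLDs are the ones named in the FAQ further down.

```python
from urllib.parse import urlsplit

# Constructed sample data: a real scanner would load these from maintained feeds.
BLOCKLIST = {"login-portal.example"}            # known-bad domains (placeholder)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # link shorteners hide the real host
FLAGGED_TLDS = {"zip", "top"}                   # unusual TLDs named in the FAQ


def classify_payload(text):
    """Say what a scanner would try to do with the decoded string."""
    t = text.strip()
    if t.upper().startswith("WIFI:"):
        return "wifi"        # Wi-Fi credential, e.g. WIFI:S:<ssid>;T:WPA;P:<pass>;;
    if t.upper().startswith("BEGIN:VCARD"):
        return "vcard"       # contact card
    if urlsplit(t).scheme in ("http", "https"):
        return "url"
    return "text"            # plain text: nothing to open


def preview(text):
    """Return (host, warnings) for a URL payload, (None, []) for anything else."""
    if classify_payload(text) != "url":
        return None, []
    # .hostname is lowercased and is the host the browser will connect to.
    host = (urlsplit(text.strip()).hostname or "").rstrip(".")
    labels = host.split(".")
    # Check the host and every parent domain, so subdomains of a bad domain match.
    parents = {".".join(labels[i:]) for i in range(len(labels))}
    warnings = []
    if parents & BLOCKLIST:
        warnings.append("blocklisted")
    if host in SHORTENERS:
        warnings.append("shortener")
    if labels[-1] in FLAGGED_TLDS:
        warnings.append("flagged-tld")
    return host, warnings


if __name__ == "__main__":
    for sample in ("https://secure.login-portal.example/m365",   # constructed
                   "https://parking-pay.top/meter/114",          # constructed
                   "WIFI:S:CafeGuest;T:WPA;P:constructed-pass;;"):
        print(classify_payload(sample), preview(sample))
```

An empty warning list means only that none of these checks fired; reading the previewed domain yourself is still the step that matters.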

What is quishing — and why it works

Quishing is QR-code phishing. The name is a portmanteau of "QR" and "phishing," and it covers attacks where the malicious URL is delivered inside a QR code instead of a clickable link.

Attackers like quishing for one mechanical reason: most secure email gateways and SMS link scanners do not OCR images for URLs. The malicious link never appears as plaintext, so it slides past filters that would have caught the same URL in a message body. Researchers have documented enterprise campaigns where the phishing payload bypassed corporate email security entirely because the URL existed only inside a QR-code image. Once you scan on a personal phone, the click is no longer on the company-managed laptop and no longer visible to the security stack.

What you land on after the scan is usually one of three things. Most often, it's a spoofed login page — Microsoft 365, Google, your bank — that captures whatever you type. Second is a prompt to install an app from outside the App Store or Play Store. The third, called out in CISA's malicious-QR-code guidance, is a "device-linking" flow on WhatsApp or Telegram that hands an attacker control of your messaging account.

Sticker-overlay scams in the wild

The biggest category of QR scam isn't email — it's a sticker stuck over a real QR code on a real-world surface.

Parking meters and tickets. Cities across the U.S., U.K., and Australia have warned residents about stickers placed over the legitimate QR codes on parking meters. The fake code routes payment to attacker infrastructure. There's also a fast-moving SMS variant: the FBI and several state DMVs have flagged a "Notice of Default" wave that uses an embedded QR code to pressure recipients into paying a fake traffic violation of a few dollars while harvesting full card details.

Restaurant menus and survey posters. A 60-year-old woman in Singapore lost roughly $20,000 after scanning a sticker on a bubble-tea-shop door promising a free drink for completing a survey. The QR sent her to a third-party app install, and the app drained her bank account (BleepingComputer). Same pattern, different surface.

Unexpected packages. In a January 2025 alert, the FTC described a brushing-scam variant: an unexpected package arrives with a note saying to scan a QR code to find the sender or get return instructions. The destination is a credential-harvesting page or a malware drop.

The mechanic is consistent. Overlay a real-world surface that people already trust, and you don't need to bypass anyone's email filter at all.

How to preview a QR code's URL before opening it

iPhone. Open the Camera, point at the code, and wait for the yellow URL banner at the bottom of the frame. Read the domain before tapping.

Android. Use the Camera or Google Lens — both preview the URL and run it through Safe Browsing for known phishing flags before navigating.

Skip third-party scanners. Most third-party QR-scanner apps add tracking, run ads, or both. The OS scanner is enough for normal use, and a small purpose-built scanner like QRDock works without either.

Five red flags in a destination URL

When you read the previewed URL, check for these:

Any one of these is enough reason to close the preview and go to the service yourself.

What to do if you already scanned a malicious QR

Only previewed the URL and didn't open it? You're fine. Move on.

Opened the page but didn't enter anything? Close the tab and clear your browser cache. Most quishing pages are credential collectors, not drive-by malware, so there's no follow-up action required.

Entered a username and password? Change that password right now on the real site, turn on two-factor authentication (a passkey or an authenticator app, not SMS), and check the affected account's recent sign-ins for anything you don't recognize.

Entered card or bank information? Call the card issuer to dispute any charges, consider freezing your credit at the three U.S. bureaus, and file a report at IdentityTheft.gov. The FTC has a step-by-step guide for this exact scenario.

Frequently Asked Questions

Is it safe to scan a QR code with my phone's camera?

Scanning with the built-in iOS Camera or Google Lens is safe by itself — both apps preview the destination URL before opening it and warn on known phishing domains. The risk lives in what you do after the preview. If the URL looks unfamiliar, misspelled, or asks for credentials or a payment, close the preview and navigate to the service yourself.

What is quishing?

Quishing is QR-code phishing — a portmanteau of QR and phishing. Attackers embed a malicious URL inside a QR code (often as an image in an email, a sticker on a real-world surface, or a code in an SMS) so the link bypasses filters that scan plaintext URLs. The destination is usually a spoofed login page or a sideloaded-app prompt designed to steal credentials or money.

How do I tell if a QR code on a parking meter or menu is fake?

Look at the physical surface first. A scam QR is almost always a sticker layered over the original — check for a slight paper-edge, a different texture, or a fresh sticker on a weathered sign. Then preview the URL before opening: a legitimate city or restaurant URL won't be a shortener, won't use unusual TLDs like .zip or .top, and won't ask you to install an app from outside the App Store or Play Store.

I already scanned a suspicious QR code — what should I do?

If you only previewed the URL and didn't open it, you're fine. If you opened the page but didn't enter anything, close the tab and clear your browser cache. If you entered credentials, change that password right away, turn on two-factor authentication (preferably a passkey), and watch your card and bank statements for unfamiliar charges. If you submitted card or bank details, contact the card issuer to dispute the charge and consider a credit freeze.

Does QRDock protect me from malicious QR codes?

QRDock previews the URL before opening it, like the iOS Camera, and additionally checks the destination against known-bad-domain lists before navigation — so if the QR points to a flagged phishing host, you see a warning instead of the page. The check is best-effort, not a guarantee. QRDock doesn't track you and doesn't run ads, so the preview is the entire feature, not a hook to upsell a subscription.

The takeaway

QR codes aren't the threat — unverified destinations are. Two seconds of URL preview defeats almost every quishing attack. Stick with the OS scanner or QRDock, read the URL before you tap, and treat any QR that demands payment, credentials, or an out-of-store app install with the same suspicion you'd give an unsolicited email link.