Elido · Compliance · 6 min read

Are QR Codes Safe? Quishing and How to Stay Protected

QR codes are safe to scan - the risk is where they lead. How quishing works, how to spot a malicious QR code, and what to do if you scanned a fake one.

Sasha Ehrlich
Compliance · EU residency
[Image: a QR code beside a warning triangle and a shield - scanning is safe, but you must check where the code leads.]

QR codes are safe to scan. A code is just encoded data, usually a web address, and decoding it does nothing by itself; opening that address is no more dangerous than typing it by hand. The real risk lives in where the code sends you - and that is where attackers operate. A malicious QR code can point to a spoofed login page built to steal your password, or to a download that asks you to install something harmful. One caveat: a code does not have to hold a web address at all. It can encode a Wi-Fi network, a phone number, a pre-written text message, or a contact card, and a scanner may offer to act on those directly rather than show a page, so the preview is the moment to read what you are being asked to open or do. The honest answer to "are QR codes safe" is therefore: the scan is safe, the destination is what you have to check.

The attack has a name now - quishing, a blend of "QR" and "phishing" - and it has grown because it sidesteps two defenses at once. A QR code hides its destination until after you scan, so the old advice to inspect a link before clicking is harder to follow. And because a code is an image, it slips past many email filters that only read text and links. Government and security researchers have flagged the rise, and the technique now shows up in everything from fake parking-meter signs to invoices.

I look at this from a compliance seat, where the question is usually "can we put a QR code on a customer-facing thing without creating risk?" The answer is yes, with habits. This guide covers how quishing works, how to read a code before you trust it, and what to do if you already scanned a bad one. If you are creating codes rather than scanning them, how to create a QR code is the place to start.

How Quishing Works#

A quishing attack has the same anatomy as any phishing attempt, with the link swapped for a code. Understanding the steps makes the warning signs obvious.

The attacker produces a QR code that resolves to a fraudulent destination - a fake login portal, a payment page, or a malware prompt. They place it where people scan without thinking: an email that looks like it is from IT or a bank, a sticker stuck over a real code on a poster or parking meter, a flyer, or an unexpected package. The victim scans with their phone, sees a page that mimics something familiar, and enters credentials or card details. The data goes to the attacker.

What makes it effective is concealment. With a normal phishing link, a careful person can hover and read the URL first. A QR code shows you nothing until you have already committed to scanning, and on a small screen the address bar is easy to ignore. Kaspersky's breakdown of quishing makes the same point: the hidden destination is the whole advantage. The preview also has a second blind spot: it shows the address encoded in the code, not where that address forwards to. An open redirect - a page on a legitimate site that forwards the browser to whatever address a query parameter names - lets an attacker put the trusted domain in the preview while the victim still lands on the fake page, which is why it is worth knowing that open redirect vulnerabilities and quishing often work together.

[Image: a quishing attack in stages - the attacker creates a malicious QR code, places it as a sticker over a real one, the victim scans and lands on a fake login page that harvests credentials.]

Warning Signs of a Malicious QR Code#

You can catch most quishing attempts before any harm by reading the context and the preview together. A few signals do most of the work.

  • You were not expecting it. A code that arrives unsolicited - in an email, a text, a piece of mail, or a delivered package you did not order - deserves suspicion before anything else.
  • It is a sticker. A physical code that looks added on top of existing artwork, especially on parking meters, posters, and menus, is the single most common in-the-wild trick.
  • It manufactures urgency. Wording like "scan immediately to avoid suspension" or "verify now" is designed to push you past the moment where you would normally check.
  • The preview looks wrong. After scanning, most phones show the URL before opening it. Misspellings, an unfamiliar domain, a domain that does not match the brand, or a shortener you cannot resolve are all reasons to stop, and so is a second web address tucked into the link's query string, which usually means a redirect. The preview shows only the address in the code, not where a shortener or redirect forwards it, so an opaque link means the check is incomplete.
  • It demands credentials or payment right away. A legitimate destination rarely asks you to log in or pay before showing you anything. A fake one leads with it.

The US Federal Trade Commission's guidance and the UK NCSC's advice on suspicious messages both come down to the same instinct: if the code and its context do not both feel right, do not act on what it opens.

[Image: two-column checklist - red flags of a malicious QR code (unexpected codes, stickers, urgent wording, mismatched domains) beside safe habits (previewing the URL, never entering secrets on a page a code pushed you to).]

How to Scan QR Codes Safely#

Safe scanning is a short set of habits, not a special app. None of them slow you down much once they are routine.

  1. Use your phone's built-in camera or a scanner that previews the URL. Read that preview before you open it, every time.
  2. Check the domain against who you think sent the code. The brand at the front of the address should match the brand on the poster, email, or menu - and "front" means the host name, the part between https:// and the next slash. A brand name that appears only in a subdomain, in the path, or before an @ sign is not the host; attackers put it there precisely so a quick glance passes.
  3. Be wary of codes that resolve to a shortener you cannot expand, or that carry a second web address in the query string, because the preview only shows the first hop. Conversely, trust is easier when a code points to a clear branded domain you recognize.
  4. Never enter passwords, card numbers, or one-time codes on a page you reached only because a QR code told you to. Navigate to the site yourself instead.
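As an added example, not Elido's code or tooling, here is a small Python triage of the address a scanner shows in its preview. It covers the signals listed under "The preview looks wrong" above and steps 1 to 4 here: it flags action payloads that are not web pages at all, plain http, the user@host trick that puts a brand name before the real host, internationalised host names, known shorteners, a domain that does not match the brand you expected, and the open-redirect shape where a trusted domain carries a second URL in its query or path. The shortener list, the fictional citypark.example brand and the sample payloads are constructed assumptions, and the registrable-domain check is a deliberate shortcut that a real deployment would replace with the public suffix list.

```python
"""Triage the address a QR scanner shows in its preview, before opening it."""
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a small sample of public shorteners, illustrative only. A real
# checker would keep a fuller, maintained list.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Payload schemes that make the phone *do* something (join a network, dial,
# draft a message, open a store) instead of showing a page.
ACTION_SCHEMES = {"wifi", "tel", "sms", "smsto", "mailto", "geo", "market", "itms-apps"}


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. An example shortcut; a
    production check would consult the public suffix list (co.uk, com.au ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _embeds_url(value: str) -> bool:
    """True if a query value or path, once URL-decoded, contains a second URL."""
    return any(marker in unquote(value).lower() for marker in ("http://", "https://"))


def triage(payload: str, expected_domain: str) -> list[str]:
    """Return the red flags for a decoded QR payload given the brand you expect.

    An empty list means the address matches what the poster, email or menu
    claims. It does not vouch for the page itself, only for the address.
    """
    flags: list[str] = []
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    scheme = parts.scheme  # urlsplit lower-cases it, so 'WIFI:' becomes 'wifi'

    if scheme in ACTION_SCHEMES:
        flags.append(f"payload triggers an action ({scheme}), not a web page")
        return flags
    if scheme not in ("http", "https"):
        flags.append(f"unexpected scheme {scheme or '(none)'}")
        return flags
    if scheme == "http":
        flags.append("plain http: no TLS, the page can be replaced in transit")

    host = (parts.hostname or "").lower()
    # https://brand.example@evil.example/ shows the brand first; the browser
    # connects to whatever follows the '@'.
    if parts.username is not None:
        flags.append(f"user@host trick: the real host is {host!r}")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append(f"internationalised host {host!r}: check for lookalike letters")
    if registrable(host) in KNOWN_SHORTENERS:
        flags.append(f"shortener {host}: the preview cannot show the final destination")
    elif registrable(host) != registrable(expected_domain):
        flags.append(f"domain {host!r} does not match expected {expected_domain!r}")

    # Open-redirect shape: the trusted domain is in the preview, but a query
    # parameter or path segment carries the address the browser will end on.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if _embeds_url(value):
                flags.append(
                    f"query parameter {key!r} carries another URL: likely redirect to {unquote(value)}"
                )
    if _embeds_url(parts.path):
        flags.append("path embeds another URL: likely redirect")
    return flags


if __name__ == "__main__":
    # Constructed payloads for a fictional parking operator, citypark.example.
    samples = [
        "https://pay.citypark.example/meter/4512",
        "https://citypark-pay.example/login",
        "https://bit.ly/3xAbCd",
        "https://citypark.example@pay-now.example/login",
        "https://citypark.example/go?next=https%3A%2F%2Fpay-now.example%2Flogin",
        "WIFI:T:WPA;S:FreePublicWifi;P:hunter2;;",
    ]
    for sample in samples:
        found = triage(sample, "citypark.example")
        print(sample, "->", "OK" if not found else "; ".join(found))
```

The order of checks matters: a shortener is reported instead of a domain mismatch because the mismatch is expected there and the real problem is that the destination is unknowable from the preview; the redirect check runs even when the domain matches, because that is exactly the case an open redirect is built to exploit.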

That third point cuts both ways, and it is where the people who make codes can help the people who scan them. A branded short link on a domain a customer recognizes is far easier to trust than an opaque one, which is part of why branding a code is a security feature and not just a design one - see branded QR code design. The caveat is that a branded domain only helps when the reader already knows it: a lookalike domain registered last week is "branded" too, so the domain check in step 2 still applies to every code.

If you publish customer-facing QR codes and want them to read as trustworthy - your domain, your branding, a destination you can repoint if it is ever abused - generate trackable QR codes with Elido so your audience sees a name they know rather than a random string.

If You Already Scanned a Bad One#

Scanning and previewing a malicious code does almost nothing on its own, so if you stopped at the preview, you are very likely fine - close it and carry on. The exposure comes from the next steps, and if you took them, move quickly.

Close the page and do not enter anything more. If you already entered a password, change it on the real site - reached by typing the address or using a saved bookmark, not by scanning again - switch on two-factor authentication for that account, and change it anywhere else you reused it. If you also entered a one-time code, assume it was used: sign out of all sessions on the real site after changing the password. If you entered card or bank details, call your bank. If you installed or downloaded anything, remove it, including any app or configuration profile it added, and run a security scan. Then report it - in the US through the FTC, and elsewhere through your national fraud or cybercrime body - and keep an eye on the affected accounts for a few weeks, because stolen credentials are often used later rather than immediately. The wider posture for vetting any short or shortened destination is in are URL shorteners safe and the URL shortener security checklist.

QR Codes Are Worth Keeping - With Habits#

None of this is a reason to abandon QR codes. They are a genuinely useful bridge from physical to digital, and the format itself is not the problem - the social engineering wrapped around it is. The same logic applies on the publishing side: a code you control, that points at your own domain, and that you can measure and repoint is safer for your audience than a static throwaway, because you can react if a destination is ever compromised. The flip side is that the account behind a repointable code can redirect every copy ever printed, so it deserves the same protection as any publishing system: two-factor authentication, as few admins as possible, and an audit trail of who changed which destination and when.

For organizations, the compliance view is that a QR code is just another channel carrying a link, and the same data-minimization and residency rules apply to whatever it leads to - the detail is in GDPR for URL shorteners and on our trust page. Scan with a preview, check the domain, never enter secrets on a page a code pushed you to, and QR codes stay what they were meant to be: a convenience, not a liability.


Tags
are qr codes safe
quishing
qr code phishing
qr code scam
malicious qr code
qr code security
