Skip to main content

Tip 9: Watch Out for QR Code Scams

May 7, 2026

QR codes are visually identical whether they’re legitimate or malicious. Slowing down by two seconds before scanning is all it takes to stay safe.

What to do:

  • In public spaces, physically inspect a QR code before scanning. Look for a sticker placed on top of another code, misaligned printing, or codes that look added rather than printed.
  • After scanning, read the full URL before proceeding. If it looks suspicious, doesn’t match the brand or company, or asks you to log in to something you weren’t expecting, close it immediately.
  • Be especially cautious of QR codes paired with urgency (“Scan now to claim your reward” or “Scan to avoid a fine”).

Common mistake: QR codes have become so normalized that most people scan them reflexively. Attackers capitalize on this by placing fake codes over legitimate ones in high-traffic locations – parking meters, restaurant tables, gas station pumps, trade show booths – or embedding malicious codes in emails designed to look like invoices or delivery notifications.

Because the eye sees only a pattern, not a destination, there’s no visual warning the way a suspicious-looking link might trigger.

The scan-then-check habit catches nearly all of them.

How to know it’s done:

  • Employees know to check the URL after scanning before tapping through
  • In your office, QR codes used for business purposes (lobby sign-ins, event check-ins, etc.) are reviewed periodically to ensure they haven’t been tampered with