Security March 17, 2026 7 min read

QR Code Security: What to Know Before You Scan

QR phishing attacks rose 587% in 2023. Learn how QR codes work internally, what makes them exploitable, and how to scan safely.


In January 2022, drivers in Austin, Texas found QR code stickers on parking meters. They looked official. They led to a phishing site that harvested credit card numbers. The city hadn't put them there.

Austin PD confirmed at least 29 meters had been tampered with before the stickers were removed. The scam site mimicked the city's payment portal closely enough that multiple victims entered their full card details before anyone reported it.

This wasn't a hypothetical risk or a conference demo. It was a Tuesday.

Key figures:

  • 587%: rise in QR phishing attacks in 2023
  • 4,296: maximum characters a single QR code can hold
  • 30%: how much of a QR code can be damaged and still scan
  • 0: built-in authentication mechanisms

Since then, QR-based phishing (often called "quishing") has grown fast. A 2023 report from ReliaQuest found a 587% increase in QR phishing attacks between January and September of that year.

The FBI's Internet Crime Complaint Center (IC3) issued a public warning in January 2022 specifically about tampered QR codes. So it's worth understanding what a QR code actually does, how it can be abused, and what you can do about it.


The Myth: "QR Codes Are Just Convenient Links"

Most people treat QR codes the way they treat hyperlinks: point, click, done. But a QR code is not just a URL in a square pattern. It's a general-purpose data container defined by the ISO/IEC 18004 standard.

The maximum capacity is approximately 4,296 alphanumeric characters, which is enough to fit a short essay. Here's what a single QR code can encode:

  • URLs (the obvious one)
  • Wi-Fi credentials, including SSID, password, and encryption type. Scanning one can auto-join your phone to a network.
  • vCards with full contact details: name, phone, email, address, organization
  • Calendar events that prompt you to add an appointment
  • Plain text, including scripts or encoded commands
  • SMS or email drafts pre-filled with a recipient and message body

Key point

The issue isn't that QR codes can do these things. The issue is that none of this is visible before you scan. A URL on a webpage at least shows you where it points. A QR code shows you nothing. You're trusting the square.


Inside a QR Code: What You're Actually Scanning

Understanding the structure helps explain both why QR codes work and why they're exploitable. A standard QR code has several distinct regions:

Diagram: the regions of a QR code (quiet zone, finder pattern, timing pattern, alignment pattern, data + error correction).

Finder patterns. Those three large squares in the corners (top-left, top-right, bottom-left) tell the scanner where the code is and how it's oriented. They work at any angle, which is why you don't need to hold your phone perfectly straight.

Alignment patterns. Smaller squares scattered through the code that help with distortion correction. Larger QR codes have more of them.

Timing patterns. Alternating black-and-white modules between the finder patterns. These establish the grid spacing so the decoder knows where one module ends and the next begins.

Format and version information. Encoded near the finder patterns, this tells the scanner which error correction level is used and what version (size) of QR code it's reading.

Data and error correction. The rest of the code is the actual payload, interleaved with Reed-Solomon error correction codewords. QR codes support four error correction levels:

  • L — 7% recovery
  • M — 15% recovery
  • Q — 25% recovery
  • H — 30% recovery

Level H means almost a third of the code can be damaged or obscured and it'll still scan. That error correction is the reason QR codes can have logos embedded in the center. It's also, as we'll see later, something attackers can take advantage of.


Quishing: QR Phishing by the Numbers

The Austin parking meter incident was early. The trend got worse. Here's what the data shows:

The 587% figure. ReliaQuest documented the surge in their September 2023 threat report. The growth was driven largely by email-based QR phishing: attackers embedding QR codes in emails to bypass link-scanning security tools.

Because the malicious URL is encoded in an image (the QR code), traditional email security filters that scan text-based links miss it entirely.

The UK energy bill scam. In early 2022, residents in multiple UK cities received fake energy bill notices with QR codes. The codes led to phishing sites impersonating their energy providers. Victims entered account credentials and payment details.

The scam was effective because energy companies had legitimately started using QR codes on paper bills, so the vector felt normal.

Email bypasses. This is the big one for corporate environments. An attacker sends an email with a QR code image instead of a clickable link. The email body might say "Scan to verify your Microsoft 365 credentials" or "Scan to view your shared document."

Microsoft's own threat intelligence team flagged this pattern, noting that it neatly sidesteps most URL-inspection-based email security.

Physical placement. Beyond Austin, similar sticker campaigns have been reported on restaurant menus, bus stops, and even cemetery information plaques. The attacker just needs a printer and a few minutes alone with the target surface.

The common thread

QR codes transfer trust from context to content. If the code is on a parking meter, you trust the meter. If it's in an email from "IT Support," you trust the sender. The code itself carries no authentication.


How to Scan Safely: A Practical Checklist

You don't need to stop scanning QR codes. But you do need to add a step between scanning and acting.

1. Use your phone's native camera app

Both iOS and Android show a URL preview before opening the link when you scan with the built-in camera. Third-party QR scanner apps often skip this preview and open the URL immediately. Worse, some free scanner apps have their own tracking or adware. Stick with the default.

2. Read the domain before tapping

When the preview appears, actually look at the URL. A legitimate parking payment site will be on a recognizable city domain, not something like parking-pay-meters.xyz. Watch for misspellings, extra subdomains, and unfamiliar TLDs.

3. Be suspicious of stickers

If the QR code is a sticker placed on top of another surface, treat it as potentially tampered. Legitimate QR codes on official infrastructure are usually printed directly onto the material, not stuck on afterward. Peel a corner if you can. If there's another QR code underneath, that's your answer.

4. Treat email QR codes with extra caution

If an email asks you to scan a QR code instead of clicking a link, ask why. There's rarely a good reason to put a QR code in an email sent to a device that already has a browser. It's usually done to bypass security filters. When in doubt, navigate to the service directly.

5. Never enter credentials on a QR-linked page

If scanning a QR code takes you to a login page, close it. Go to the service directly by typing the URL or using a bookmark. This single rule blocks the majority of quishing attacks.

6. Watch for unexpected prompts

If scanning a QR code triggers a "Join this Wi-Fi network?" or "Add this contact?" dialog you didn't expect, decline. A restaurant menu QR code should open a webpage, not connect you to a network.
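As an added example (not code from the original article), here is a small Python helper that applies steps 2 and 6 of the checklist to the payload types listed earlier: it classifies a decoded payload by its leading prefix, then flags a plain HTTP scheme, a host outside the domains you expected, or a payload kind the context did not promise (a menu code that wants to join you to Wi-Fi). The prefix conventions, the warning rules, and the sample payloads are this example's own assumptions and constructed inputs, not anything defined by the standard.

```python
# Added example, not code from the original article. Inspects a decoded
# QR payload the way the checklist says to: look at what it is before acting.
from urllib.parse import urlsplit

# Prefixes commonly used for non-URL QR payloads (an assumed convention;
# ISO/IEC 18004 defines how bytes are encoded, not what they mean).
PREFIXES = [
    ("WIFI:", "wifi"), ("MECARD:", "contact"), ("BEGIN:VCARD", "contact"),
    ("BEGIN:VEVENT", "calendar"), ("SMSTO:", "sms"), ("mailto:", "email"),
    ("tel:", "phone"), ("http://", "url"), ("https://", "url"),
]

def classify(payload: str) -> str:
    """Return the payload kind by its leading prefix, or 'text' if none match."""
    head = payload.lstrip().lower()
    for prefix, kind in PREFIXES:
        if head.startswith(prefix.lower()):
            return kind
    return "text"

def assess(payload: str, expected: str = "url", trusted_domains=()) -> list:
    """Return warnings for a decoded payload before the user acts on it.
    expected: the kind the context promised (a meter or menu -> 'url');
    trusted_domains: hostnames or parent domains the user expects to land on."""
    warnings = []
    kind = classify(payload)
    if kind != expected:
        warnings.append(f"expected a {expected} payload but got {kind}")
    if kind == "url":
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            warnings.append("plain http URL; HTTPS is the baseline expectation")
        if trusted_domains and not any(
            host == d or host.endswith("." + d) for d in trusted_domains
        ):
            warnings.append(f"host {host!r} is not one of the expected domains")
    return warnings

# Constructed sample payloads standing in for what a scanner would decode.
SAMPLES = {
    "meter":   ("https://pay.city.example/meter/12", "url"),
    "sticker": ("http://parking-pay-meters.xyz/pay", "url"),
    "menu":    ("WIFI:T:WPA;S:FreeCafe;P:hunter2;;", "url"),
}

if __name__ == "__main__":
    for name, (payload, expected) in SAMPLES.items():
        print(name, assess(payload, expected, ("city.example",)) or ["ok"])
```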


How to Generate Safe QR Codes

If you're creating QR codes for your own business, event, or project, a few steps reduce the risk for your users:

Always use HTTPS URLs. A QR code pointing to an HTTP address immediately looks suspicious to anyone who checks the preview. HTTPS is the baseline expectation.

Test before distributing. Scan your own QR code with multiple devices and apps before printing or publishing. Verify it goes where you expect, that the landing page loads correctly, and that no redirect chain is involved that could be hijacked later.

Use a trusted generator. Free QR generators that insert tracking redirects between your code and the destination URL add a point of failure and a privacy concern.

A straightforward tool that encodes the URL directly into the QR code, with no intermediary, is what you want. Toolery's QR Generator does exactly this: it creates the code client-side in your browser without sending your data to any server.

Print directly onto materials. If the QR code will be displayed in a public space, print or engrave it onto the surface. Stickers are easy targets for replacement. A QR code etched into a metal sign is much harder to tamper with.

Include a plaintext URL alongside the code. Give people the option to type the address manually. This provides a fallback for anyone who doesn't trust the code and acts as a verification layer for those who do scan it.


Limitations: What QR Security Can't Solve

Even with all the right precautions, QR codes have structural weaknesses that can't be patched with user behavior alone.

Social engineering remains effective. If an attacker puts a QR code on a flyer that says "Scan for free concert tickets" and the link goes to a convincing ticket site, most people won't cross-reference the domain against the venue's official site.

Context overrides caution, and QR codes provide very little verifiable context.

Error correction can be weaponized. An attacker can take a legitimate QR code, alter specific modules within the error-correction tolerance, and change the encoded URL while keeping the code visually similar to the original. At level H, up to 30% of modules can be modified without breaking the code. Research presented at security conferences has demonstrated this technique.

No built-in authentication. There is no standard mechanism for a QR code to prove who created it. Unlike HTTPS certificates that verify a server's identity, or email signatures that verify a sender, a QR code is just data. Anyone can generate one that encodes any content.

The ISO/IEC 18004 standard defines the encoding format, not an identity layer.

Dynamic QR codes add another risk. Some QR code services generate codes that point to a short URL which redirects to the final destination. The owner of that short URL can change the redirect target at any time.

A QR code that pointed to a legitimate page last month might point somewhere else today.


The Takeaway

QR codes aren't inherently dangerous, but they're inherently opaque. You can't read them with your eyes, so you're always trusting something else to tell you what's inside. That gap between "scan" and "understand" is exactly where attackers operate.

The practical rules are simple: preview before you tap, never enter credentials on a QR-linked page, and be skeptical of codes stuck on top of things.

If you're generating QR codes for others, keep them direct, use HTTPS, and give people a plaintext URL as a backup.

If you need to create a QR code right now, Toolery's QR Generator builds everything locally in your browser. No data leaves your device, no tracking redirects, no intermediary servers.
