Are QR Codes Safe? How to Check Before You Continue

This guide reflects common QR code uses and security guidance available in June 2026. Applications, payment systems and menu names may change over time.

QR codes appear on restaurant menus, parking machines, invoices, parcels, tickets, posters and account sign-in screens. Most are ordinary shortcuts that make it easier to open a website or complete another action without typing a long address.

The difficulty is that a person cannot normally read the destination or instruction from the visible pattern. A genuine QR code and a malicious QR code can therefore look almost identical.

When a phone scans a QR code, it decodes an instruction. That instruction may open a website, prepare a payment, connect to a wireless network or authorise another device to use an account. The phone can read the instruction, but it cannot decide whether the person who created or placed the code is trustworthy.

Most QR codes are legitimate. The risk is not the square pattern itself. The risk depends on the instruction stored inside it, the context in which the code appears and what happens after it is scanned.

Scanning a QR code does not automatically mean that a phone, account or payment method has been compromised. The important checks usually begin when the device shows what it is proposing to open or approve.

What a QR Code Actually Tells Your Device

A QR code is a machine-readable pattern that stores information in a form a phone, tablet or scanner can decode.

The visible squares do not explain the instruction in ordinary language. The scanning application reads the pattern and converts it into data that another application can use.

Depending on its purpose, a QR code may contain:

• A website address.

• Plain text.

• Contact details.

• Wireless network details.

• A telephone number or prepared message.

• Payment information.

• Ticket or booking information.

• An application download link.

• Account sign in or device linking information.

The QR code tells the device what data has been stored. It does not normally tell the device whether the person who created the code had a legitimate reason for doing so.

The same type of code can therefore be used for an ordinary restaurant menu, a genuine payment page, a false sign in page or an unauthorised device linking request.

Why a QR Code Cannot Prove Who Created It

A code may be printed on an official-looking notice, placed inside a familiar email or displayed beside a recognised logo. Those details provide context, but they do not independently verify the contents of the code.

A normal QR code does not usually contain a verified identity showing who printed, displayed or placed it. Anyone with access to a QR code generator can create a pattern that points to a website or prepares another supported action.

A false code may also be placed over a genuine one on a sign, parking machine, menu or payment notice. The person scanning it may see the expected location and branding without noticing that the printed code has been replaced.

Some systems apply separate protections. For example, a ticketing application may verify a signed ticket, or a banking application may confirm the payee before approving payment. Those protections come from the wider service and application, not from the appearance of the QR code itself.

A familiar logo, colour, location or sender is therefore not proof that the encoded instruction is genuine.

What Can Happen After a QR Code Is Scanned

On many phones, the camera first decodes the QR code and displays a preview or notification. The action normally continues only after the person selects that prompt.

Other applications may process a code within a specific workflow. A banking application, ticketing application or messaging application may recognise the encoded information and prepare an action inside the app.

A scanned code may:

• Open a website.

• Display text or contact information.

• Prepare a payment.

• Ask to connect to a wireless network.

• Open an application store.

• Prepare an email, telephone call or message.

• Begin an account sign-in process.

• Request approval to link another device.

• Download or offer a file.

Scanning and continuing are separate stages. If no website was opened, no information was entered, no payment was approved, no software was installed and no account linking request was accepted, the exposure may be limited.

This should not be treated as a permanent guarantee. Applications, browsers and operating systems can contain vulnerabilities, which is why devices and applications should remain supported and updated.

Common Malicious QR Code Scenarios

Malicious QR codes usually rely on social engineering. The code hides the destination or action, while the surrounding message provides a reason to scan it.

Common examples include:

• A false sign-in page that asks for an email address and password.

• A payment code that directs money to the wrong recipient.

• A sticker placed over the original code on a parking machine or public notice.

• A code inside an email, invoice or parcel notification that opens a fraudulent website.

• A code that asks someone to install an unfamiliar application or configuration profile.

• A messaging application code that links another device to the account.

• A false wireless network code that connects the phone to an unexpected network.

• A code used during a telephone scam while the caller continues to give instructions.

These examples do not mean that every QR code should be treated as dangerous. They show why the code should be considered part of the whole request rather than as proof that the request is genuine.

The practical question is not only “Does the code scan?” It is also “Does the action shown after the scan match what I intended to do?”

WhatsApp and Messaging App Device Linking Scams

Messaging applications use QR codes legitimately when an account owner connects a computer, browser, tablet or second phone to an existing account.

The account owner normally starts the process inside the official application, opens the linked devices section and scans a code shown on the device they want to connect.

A scammer can create a genuine device linking request but misrepresent its purpose. The scammer may claim that the code is needed to vote in a competition, verify an account, resolve a support problem, join a service or confirm an identity.

The important question is whether you personally began a device linking process. If you did not, scanning the code or entering a linking code may authorise another device to access the messaging account.

Meta announced additional WhatsApp warnings in March 2026 for situations where behavioural signals suggest that a device linking request may be suspicious. A warning can provide useful context, but it should support your decision rather than replace it.

For WhatsApp:

• Do not scan a WhatsApp linking QR code unless you personally started the process.

• Do not enter or share a device linking code supplied through another website, message or telephone call.

• Check that the computer, browser, tablet or phone being linked is physically in front of you and belongs to you or your organisation.

• Review Settings, then Linked Devices, and remove anything you do not recognise.

• Do not leave WhatsApp Web open on shared or public computers.

• Keep two-step verification and an account passkey enabled where available.

For wider WhatsApp account protection, see How to Improve WhatsApp Security.

For instructions on reviewing active browser and desktop connections, see How to Check if Someone Is Using WhatsApp Web on Your Account.

How to Check a QR Code Before Continuing

A QR code should be treated in the same way as an unfamiliar link or an unexpected request. The device may decode it correctly while the reason for the request remains false.

Before continuing, review the following:

• Consider the context. Check who is asking you to scan the code and why the action is needed.

• Inspect physical codes for stickers, damage, replacement labels or signs that another code has been placed over the original.

• Use the phone’s built-in camera or a familiar trusted application where possible. Avoid installing an unknown QR scanner solely to read the code.

• Read the destination preview before opening it.

• Check the domain name carefully for misspellings, added words, unusual endings or a completely unrelated organisation.

• Do not treat HTTPS or a padlock as proof that the website belongs to the expected organisation. HTTPS protects the connection but does not confirm the legitimacy of the website owner.

• For a payment, check the payee, amount and merchant details shown inside the payment application before approval.

• For account sign in or device linking, begin from the official application or known website rather than from an unexpected QR code.

• Do not install an unfamiliar application, browser extension, device profile or security certificate because a scanned page instructs you to do so.

• Do not enter a password, verification code, payment card number or account recovery information unless the destination and purpose have been independently confirmed.

• Keep the phone, browser and relevant applications updated.

Where the request is sensitive, verify it using a telephone number, application or communication method that was already known to be genuine. Do not rely only on contact information supplied beside the QR code or inside the page it opens.

QR Codes in Emails, Invoices and Public Places

The location of a QR code changes the checks that make sense. A code received in an email presents different questions from one printed on a restaurant menu or attached to a parking machine.

QR Codes in Emails and Documents

A QR code inside an email or document moves the destination away from the visible message and onto the phone used to scan it. This can make the underlying address harder to inspect before the request is acted upon.

Do not assume that a QR code is safe because the email passed through spam filtering or appears to come from a familiar account. Compromised accounts and familiar services can still be used to distribute misleading requests.

Be particularly careful when an email or invoice uses a QR code to request:

• A password or Microsoft 365 sign in.

• Payment card information.

• Bank account details.

• A verification code.

• Account recovery information.

• Approval of new payment details.

• Installation of an application.

The QR code may genuinely open a website or sign in page, but that does not prove that the destination belongs to the organisation named in the email or invoice. A malicious code can lead to a false page designed to look like Microsoft 365, a bank, a supplier, a delivery company or another familiar service.

The phone can decode the address stored in the QR code, but it cannot decide whether the organisation controlling that address is genuine. Check the domain name and the purpose of the request before entering information or approving an action.

Where an invoice contains new or changed payment instructions, do not rely on the QR code, the page it opens or contact details supplied in the same message. Confirm the change using an established telephone number and the organisation’s normal payment approval process.

QR Codes in Public Places

Codes on menus, posters, parking machines, charging points and public notices are often legitimate. The physical location provides useful context, but it does not prevent a false sticker from being placed over the original code.

Before paying or signing in:

• Check whether the code appears to be part of the original printed material.

• Look for another label underneath it.

• Compare the organisation name and web address with nearby official information.

• Use the organisation’s known application or type its official website directly where there is doubt.

• Do not continue if the page requests information that does not match the expected purpose.

A restaurant menu should not normally need banking credentials. A parking payment page should not need an email account password. An unexpected request is a reason to stop and check the destination independently.

A page can look convincing and use HTTPS while still being fraudulent. The padlock protects the connection to that page; it does not prove that the page represents the organisation you expected.

QR Codes Used for Payments

A payment QR code may contain a merchant reference, recipient information, payment address or a link to an online checkout page.

The payment application or website still needs to show what is being approved. The QR code itself is not the final confirmation.

Before approving a payment:

• Confirm the name of the recipient or merchant.

• Check the amount and currency.

• Review any payment reference.

• Confirm that the payment application or website is the one normally used for that service.

• Stop if the page asks for unrelated account credentials or verification codes.

• Do not let an unsolicited caller guide you through a QR payment while remaining on the telephone.

• Independently contact the organisation where the payment request is unexpected or different from previous arrangements.

For business payments, a QR code must not bypass normal approval procedures. A request to change supplier bank details or make an urgent payment should be verified using the organisation’s established process.

A successful scan only confirms that the code was readable. It does not confirm that the payment recipient is correct.

What to Do After Scanning a Suspicious QR Code

The appropriate response depends on what happened after the code was scanned. Scanning, opening a page, entering information, approving payment and installing software are different events.

If You Only Scanned the Code

If the phone displayed a preview but you did not open it, close the prompt.

If a page opened but you did not enter information, download a file, approve a payment or accept an account request, close the page and do not return through the same code.

Check whether the browser downloaded anything automatically. Do not open an unexpected file.

On a personal device, remove the file if no further investigation is required. On a work device, follow the organisation’s reporting process before deleting it, because the file name and other details may help identify what occurred.

Keep the device and browser updated. There is not normally a reason to reset a phone solely because a QR code was scanned and no further action occurred.

If You Entered a Password or Verification Code

Open the genuine service using its official application or a previously saved address.

Change the affected password and make it unique. Do not reuse the previous password elsewhere.

If the same password was already being used for another account, change it there as well. Give priority to the associated email account because access to email may allow other accounts to be reset.

Review active sessions, connected devices, security notifications and account recovery information.

Enable multi-factor authentication or a passkey where supported.

If a verification or recovery code was shared, follow the account provider’s recovery process and remove unfamiliar devices or sessions.

If You Approved a Payment

Contact the bank, card provider or payment service using its official application or the telephone number printed on the card or statement.

Explain what was scanned, what payment was approved and when it occurred.

Follow the provider’s fraud reporting and account protection instructions.

Do not continue communicating through the message, website or telephone number that supplied the QR code.

If You Installed Software or Linked a Device

Remove an unfamiliar linked device from the affected account.

If an application, browser extension, device profile or file was installed, stop using the affected device for sensitive work until the installation has been reviewed.

Where available, run the device’s built-in security checks. Update the operating system, browser and installed applications.

Where the device is used for work, notify the organisation’s IT or security contact and provide the message, website address and approximate time of the event.

Avoid making several unrelated changes before the situation is understood. Preserving the message, code or website address can help identify what occurred.

How Organisations Can Publish QR Codes More Safely

An organisation publishing a QR code is asking people to trust an instruction they cannot read directly from the printed pattern. The surrounding information should therefore help confirm the purpose and expected destination.

Useful controls include:

• Print the organisation name and purpose beside the code.

• Show a short, readable version of the expected web address where space allows.

• Use a domain controlled by the organisation rather than an unrelated shortening service.

• Keep control of any redirect used by a dynamic QR code.

• Use HTTPS while recognising that encryption does not prove ownership or intent.

• Provide an alternative written web address, application name or telephone contact.

• Avoid placing passwords, private keys, access tokens or other secrets directly inside a QR code.

• Record who owns the code, where it is displayed and which destination it uses.

• Review physical codes periodically for replacement stickers or damage.

• Use different codes for different locations or campaigns where this helps identify misuse.

• Remove or replace codes when the destination is no longer needed.

• Review payment and account linking codes more frequently because the consequence of redirection is higher.

• Make sure staff know how to verify reports of a replaced or suspicious code.

The QR code should direct people to a controlled service. It should not become an unmanaged shortcut that remains in circulation after the original page, payment process or account workflow has changed.

What QR Code Safety Controls Cannot Guarantee

No individual check can prove that every QR code is safe.

A destination preview helps reveal the web address, but a shortened address or redirect may hide the final destination.

HTTPS protects information while it travels between the device and website, but it does not prove that the website represents the expected organisation.

A familiar logo, sender, location or application may provide useful context, but those details can be copied or compromised.

Browser warnings, email filtering, antivirus software and application warnings can reduce risk, but a warning may not appear for a newly created or previously unknown threat.

Independent verification also has limits if the verification uses contact information supplied by the same suspicious message or website.

This is an example of layered security in practice. A destination preview, supported device, software updates, account protection, payment approval controls and independent verification address different parts of the risk. Our guide to layered security explains why no single control should carry the whole responsibility.

This guide is not a permanent checklist. QR code uses, operating systems, applications, payment systems and scam methods continue to change. Settings and internal procedures should be reviewed periodically.

QR codes often lead to a website, download, sign in request or application workflow. The following guides cover related checks in more detail.

How to Check If a Download Is Safe

Why Trusted Services Can Still Be Used in Cyber Attacks

What Is a PWA, and Is It Safe to Install?

These topics reinforce the same principle: a familiar service, secure connection or recognised application is useful context, but should not be treated as complete proof that the requested action is safe.

Further Information and Official Guidance

For further technical detail, the following official guidance explains QR code risks, messaging application targeting and linked device behaviour.

NCSC: QR Codes – What’s the Real Risk?

NCSC: Messaging App Targeting

Meta: Fighting Scammers and Protecting People With New Technology and Partnerships

WhatsApp Help Centre: About Linked Devices

These external sources provide additional context. Their wording, menu paths and product behaviour may change after this guide is published.

Summary

QR codes are ordinary machine-readable instructions. They can open websites, prepare payments, connect devices or start application workflows, but the visible pattern does not normally prove who created it or whether the requested action is genuine.

Before continuing, check whether the destination and requested action match the real situation. Review the web address, payment recipient, application name, device being linked and information being requested.

A QR code used for WhatsApp or another messaging service may authorise a linked device rather than simply open a website. Only approve account linking that you personally started inside the official application.

If a suspicious code has already been scanned, the next step depends on whether information was entered, a payment was approved, software was installed or an account was linked. Scanning without continuing does not automatically mean that the device has been compromised.

QR code safety depends on layered protection. Supported devices, software updates, account controls, payment approval procedures, browser and application warnings, and independent verification all reduce different risks.

Technology and scam methods change over time. QR code controls and organisational procedures should therefore be reviewed periodically rather than treated as a permanent checklist.

Need Help With Something Covered in This Guide?

A guide can explain the issue and outline useful checks, but some situations need the actual device, account, service, website, network or supplier arrangement to be reviewed. Evening Computing can help review what is happening and advise on suitable next steps before changes are made.

Further Guidance and Support

This guide forms part of a broader layered security approach. For structured guidance on security and resilience planning, see our Security and Resilience page.

For information about practical implementation and ongoing support, you can review our IT services and local IT support coverage across London, Hertfordshire, and Essex.

Author
Elías Sánchez
IT Support Consultant
Evening Computing
London, United Kingdom

This guide was prepared by Elías Sánchez with research and drafting assistance from AI tools. All technical content has been reviewed and adapted for clarity and accuracy.

Last reviewed
24 June 2026