Are QR codes safe? A practical security guide
A QR code is just an encoded link or text — it can’t carry a virus or run code by itself. The risk lies in where it sends you. A malicious code can point to a phishing page or a tampered download, and attackers exploit the fact that you can’t read a code with your eyes. Scanning safely means checking the URL before you act on it.
QR codes carry a quiet trust problem: a human can’t read one. You point a camera and obey whatever appears. That gap between scanning and understanding is what attackers target — but a few habits remove almost all of the risk.
What a QR code can and can’t do
A QR code is a container for data — most often a URL, but also plain text, WiFi credentials or contact details. It cannot, on its own, install anything, run a program, or infect your phone. Scanning merely decodes the data and usually offers to act on it: open a link, join a network, save a contact. Every genuine risk comes from that action, not from the scan itself.
So the danger isn’t the code — it’s the destination. The same way a printed link in an email can lead somewhere hostile, a QR code can encode a hostile link. The difference is you can’t hover over a QR code to preview it.
“Quishing”: QR code phishing
The main threat is phishing delivered by QR code, nicknamed quishing. A code leads to a convincing fake — a cloned bank login, a parking-payment page, a delivery “redelivery fee” form — designed to harvest credentials or card details. Because the code hides the URL and often sits on official-looking signage, people trust it more than they would a link in a text message.
Real-world patterns to know:
- Sticker overlays. A fraudulent code printed on a sticker is stuck over a legitimate one — on parking meters, restaurant tables, posters. If a code looks like an add-on sticker, be suspicious.
- Fake notices. Posters or letters claiming an unpaid fine, missed parcel or account problem, with a QR code to “resolve” it.
- Email and PDF codes. Attackers put QR codes in emails to dodge link-scanning filters, pushing you onto a phone where security tooling is weaker.
How to scan safely
- Preview the URL before opening it. Both iPhone and Android show the link after scanning rather than opening it automatically. Read the domain. Does it match the organisation you expect? Watch for look-alikes (paypa1.com, extra words, odd country endings).
- Distrust codes that demand urgency or payment. Genuine services rarely force you to settle a fine or fee through a random scanned code.
- Check the physical code. Peeling edges or a sticker over a printed code is a red flag.
- Never enter passwords or card details on a page you reached by scanning unless you’re certain of the domain. When in doubt, type the address yourself.
- Keep your phone updated. Browser and OS updates close the vulnerabilities a malicious page might try to use.
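The preview step above can also be done by software, for example in a kiosk or a mail-triage script that decodes QR images. The sketch below is an added example, not code from this site's generator: it classifies a decoded payload and checks a link's domain against the organisations you expect. The allowlist, function names and sample payloads are constructed for illustration.

```javascript
// Added example: triage a decoded QR payload before acting on it.
// EXPECTED is a constructed allowlist; use the domains you actually deal with.
const EXPECTED = ["paypal.com", "cityparking.example"];

// Digits commonly substituted for letters in look-alike domains.
const SWAPS = { 0: "o", 1: "l", 3: "e", 5: "s" };
const unswap = (s) => s.replace(/[0135]/g, (d) => SWAPS[d]);

// True when host is the domain itself or one of its subdomains.
const belongsTo = (host, domain) => host === domain || host.endsWith("." + domain);

function checkUrl(url, expected) {
  const host = url.hostname; // URL() has already lowercased it
  const reasons = url.protocol === "https:" ? [] : ["not HTTPS"];
  if (expected.some((d) => belongsTo(host, d)))
    return { kind: "url", host, verdict: reasons.length ? "review" : "expected", reasons };
  for (const d of expected) {
    const brand = d.split(".")[0];
    if (belongsTo(unswap(host), d)) reasons.push(`digit look-alike of ${d}`);
    else if (host.startsWith(brand + ".")) reasons.push(`${brand} under a different ending`);
    else if (host.includes(brand)) reasons.push(`${brand} embedded in another domain`);
  }
  const lookalike = reasons.some((r) => r !== "not HTTPS");
  return { kind: "url", host, verdict: lookalike ? "suspicious" : "unknown", reasons };
}

function triageQrPayload(payload, expected = EXPECTED) {
  const text = payload.trim();
  // Non-link payloads still trigger an action, so name that action.
  if (/^WIFI:/i.test(text)) return { kind: "wifi", verdict: "review", reasons: ["would join a network"] };
  if (/^BEGIN:VCARD/i.test(text)) return { kind: "contact", verdict: "review", reasons: ["would save a contact"] };
  let url;
  try { url = new URL(text); } catch { return { kind: "text", verdict: "inert", reasons: [] }; }
  if (!/^https?:$/.test(url.protocol))
    return { kind: "other", verdict: "review", reasons: [`opens a ${url.protocol} handler`] };
  return checkUrl(url, expected);
}

// Constructed sample payloads, as a scanner would decode them.
const SAMPLES = ["https://www.paypal.com/signin", "https://paypa1.com/login",
  "https://paypal-secure-login.example/", "https://cityparking.invalid/pay",
  "WIFI:T:WPA;S:CafeGuest;P:constructed-pass;;", "Table 12"];
for (const p of SAMPLES) console.log(p, "->", JSON.stringify(triageQrPayload(p)));
```

A verdict of "unknown" means only that the domain is not on your list and resembles nothing on it; it still needs a human look before any details are entered.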
Security when you generate codes
Creating codes has its own privacy dimension, and it’s where this tool is deliberately built to be safe. Some online generators send whatever you type — WiFi passwords, contact details, private URLs — to a server to render the image. That puts sensitive data on someone else’s machine.
Our generator runs entirely in your browser. The data you enter is turned into a QR code locally; it is never transmitted to us, never stored, and never logged. Close the tab and it’s gone. For a WiFi code or a vCard this matters — those carry credentials and personal details you don’t want sitting in a third party’s logs.
Two more generation habits:
- Use static codes for anything you publish. A static code can’t be silently repointed later; a dynamic one can, if the platform is compromised. See static vs dynamic.
- Always encode HTTPS links. It ensures the connection to your destination is encrypted.
The balanced takeaway
QR codes are no more dangerous than the links they contain: safe when you check where they lead, and deserving of caution when you don’t. Generating them is completely safe, especially with a tool that keeps your data on your own device. Treat an unexpected code from an unknown source exactly as you’d treat an unexpected link from a stranger: look before you tap.
Generate codes that keep your data in your browser — nothing is sent to our servers, ever.
Frequently asked questions
Not by itself. A QR code only stores data such as a link. Any risk comes from what you do next — visiting a malicious page or downloading a tampered file. The scan alone cannot install anything.
Quishing is phishing carried out through QR codes. A code leads to a fake login or payment page that harvests your details. It works because the code hides the destination URL from view.
Both iPhone and Android display the URL after scanning instead of opening it immediately. Read the domain and confirm it matches the organisation you expect before tapping through.
With this tool, yes — the code is generated in your browser and the password is never sent to a server. Avoid generators that process your data server-side for anything sensitive.
Usually, but check for a sticker placed over the original code, which is a known tampering method. If the URL looks unrelated to the venue, don't enter any personal or payment details.