📖 Guide ⏱ 4 min read 🔒 Security 📅 Feb 2026

QR Code Safety & Security

QR codes themselves are safe — they're just data. But scammers use them to hide malicious links because people can't read a QR code the way they can read a URL. Here's what to watch for and how to stay protected, whether you're scanning or publishing.

How QR scams work

The core trick is simple: a QR code is opaque. You can't glance at it and know where it goes — you have to scan it first. Scammers exploit that gap.

  • Phishing links — a QR code leads to a convincing look-alike site that steals login credentials or payment details.
  • Payment redirection — a QR code at a vendor or charity opens a payment link to the wrong account entirely.
  • QR tampering — a malicious sticker is placed over a legitimate QR code in a public place (restaurant menus, parking meters, charging stations).
  • Malware downloads — a QR code opens a link that starts a file download or prompts you to install a malicious app.

⚠️ QR tampering is real. The FBI and FTC have both issued warnings about sticker-over-QR scams on parking meters, restaurant tables, and public signage. Always glance at whether a QR code looks like a sticker placed on top of something.

Safety tips for users scanning codes

  • Preview the URL before tapping. Most phone cameras show the destination URL when you point them at the code — read it before you open it.
  • Check the domain carefully. Look for HTTPS and a domain you recognize. Watch for lookalikes: paypa1.com vs paypal.com.
  • Be extra cautious with payments. Verify the recipient name and account number. Don't assume a QR code at a business is legitimate.
  • Look for physical tampering. If a QR code looks like a sticker placed over something, be suspicious.
  • Use a QR scanner with link preview. Some dedicated scanner apps will warn you about suspicious URLs before opening them.

💡 Good habit: Before tapping "open" after scanning, pause and read the URL your camera previewed. One second of checking can prevent a lot of trouble.
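
The URL checks in the list above can be run on the decoded QR text before anything is opened. This is an added example, not part of the original guide: `checkQrPayload`, the `TRUSTED` allowlist and the look-alike character table are assumptions made for illustration, and the sample domains are constructed.

```javascript
// Added example: classify a decoded QR payload before opening it.
// TRUSTED is a constructed allowlist; use the domains you actually expect.
const TRUSTED = ["paypal.com", "yourrestaurant.com"];

// Fold common look-alike characters so "paypa1.com" compares equal to "paypal.com".
const DIGITS = { 0: "o", 1: "l", 3: "e", 5: "s" };
const fold = (s) => s.replace(/rn/g, "m").replace(/vv/g, "w")
  .replace(/[0135]/g, (c) => DIGITS[c]);

// Levenshtein distance, used to catch one-character typos such as "paypall.com".
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = row;
  }
  return prev[b.length];
}

function checkQrPayload(payload, trusted = TRUSTED) {
  let url;
  try { url = new URL(payload.trim()); }
  catch { return { verdict: "not-a-url", host: null, warnings: [] }; }
  const host = url.hostname.toLowerCase().replace(/^www\./, "");
  const warnings = [];
  if (url.protocol !== "https:") warnings.push("not-https");
  // "https://paypal.com@example.net/" really goes to example.net.
  if (url.username || url.password) warnings.push("userinfo-before-host");
  // Non-ASCII (IDN) hosts are serialized as xn-- labels by the URL parser.
  if (host.split(".").some((l) => l.startsWith("xn--"))) warnings.push("punycode-host");
  const isTrusted = trusted.some((d) => host === d || host.endsWith("." + d));
  const near = isTrusted ? undefined : trusted.find(
    (d) => fold(host) === fold(d) || editDistance(host, d) === 1);
  if (near) warnings.push("lookalike-of:" + near);
  const verdict = near ? "lookalike" : !isTrusted ? "untrusted"
    : warnings.length ? "caution" : "trusted";
  return { verdict, host, warnings };
}
```

A "trusted" verdict only means the host matches the allowlist over HTTPS; payment recipients still need the manual check described above.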

Safety tips for publishers

If you're creating and placing QR codes for your business, you're also responsible for making sure they stay trustworthy.

  • Use short, readable domains. People can recognize yourrestaurant.com/menu at a glance. Obscure redirect URLs look suspicious even when they're legitimate.
  • Protect physical placements. Use lamination, tamper-evident seals, or placement behind glass to make sticker-replacement attacks obvious.
  • Recheck your codes periodically. Scan them yourself every few weeks, especially in public locations.
  • Don't use unknown redirect services. If your QR code goes through a third-party redirect, make sure it's a service you trust and control.
  • Keep it static when possible. Static QR codes (like those made on MakeQRCode.app) go directly to your URL — no redirect, no third party that could be compromised.

Privacy note

MakeQRCode.app generates QR codes entirely in your browser using JavaScript. We don't receive, store, or log your URL, your generated QR image, or any input you enter. There's no account, no server processing your data, and no redirect that tracks scans. The QR code you download is yours completely.

Can QR codes install malware automatically?

Not by themselves. A QR code is just data — it can't execute code. The risk is what happens after you scan: if it opens a malicious website that exploits a browser vulnerability, or prompts you to install an app, that's where the danger is. Keep your phone OS updated to reduce browser exploit risks.

Is it safe to scan QR codes from strangers?

Be cautious. A QR code in a printed ad from a known brand is generally low risk. A QR code on a random sticker somewhere public is higher risk. Use your judgment — if something seems off, don't scan it.

Do dynamic QR codes create privacy risks?

Yes — dynamic QR codes route through a redirect service that can log every scan, including the scanner's IP address and approximate location. Static QR codes (like those from MakeQRCode.app) have no such tracking.
