How to spot fake QR codes and keep your data safe

QR codes seem pretty harmless until you scan a bad one and get something nasty thrown at your system. If you want to keep your phone and data safe, there are a few ways you can spot a fake QR code.

Check if the QR code has been physically altered

Companies use QR codes for all sorts of legitimate purposes, from menus to paid parking meters. However, some crafty scammers have learned that they can superimpose another QR code over the original QR code. This new QR code often leads to a fake website designed to steal information or download malware, and if you're not careful, you might end up scanning one of these sites.

To make sure you're not scanning a fake QR code, always double-check the code itself. Sometimes scammers will paste their own QR code over the original, so if you see someone has added a code to something, be cautious. However, there's no guarantee it's a scam. For example, a restaurant might have placed a new QR code over existing ones for a new menu, but it's worth being cautious regardless.

Analyze the context surrounding the QR code

If you're looking at a QR code and wondering if it's fake, try looking at the context around it. Sometimes the "environment" the QR code is in can tell you whether it's a scam or not.

For example, does the QR code seem out of place? Maybe you get an email asking you to visit a website, but instead of giving the URL , it asks you to scan a code. This could be a trick to get you to visit a website while hiding the URL. Or maybe the email is very vague and doesn't actually tell you what you're scanning — that's also suspicious.

Likewise, if the QR code is part of an email or flyer and something about the text just doesn't seem right, that's another red flag. For example, if the message asking you to scan a QR code matches some of the most common examples of phishing and scam attacks, then chances are the QR code isn't going to take you anywhere good. Is that QR code at a bus stop? Or plastered on the wall of a shopping mall? It's probably a scam.

Double check the website the QR code leads to

Fortunately, a malicious QR code won't immediately infect your phone and steal your data as soon as you scan it. You still have the opportunity to analyze where the code takes you and determine whether it's legitimate.

Some QR code scanners will show you the URL it is trying to send you. From here, you can use some common ways to identify a phishing site by analyzing the URL and looking for anything suspicious.

If a QR code claims to take you to download an app, make sure it takes you to the real Google Play or Apple App Store. Scammers create fake websites that look real, but the apps actually contain malware. If in doubt, note the app the QR code wants you to download, then open your app store of choice and manually download it from there. That way you know you have the real thing and not a fake.

Use a secure QR code scanning app

If you're worried that you might accidentally visit a bad website or download a malicious app, you can try using a safe QR code scanner app. Unlike regular QR code scanners, these scanners will check what you've scanned and look for any malicious content. If it detects something wrong, it will warn you before proceeding. For example, the Trend Micro QR code scanner will check everything you scan to make sure it's taking you to a good place.

While QR codes can be malicious, there are many precautions you can take before scanning a QR code. Check for tampering, consider the context surrounding the QR code, and double-check where the code will take you before entering any personal information or downloading any files to your phone.

Lesley Montoya

Update 26 May 2025