How to Safely Scan a QR Code

A step-by-step guide to checking any QR code for phishing, malware, and scams

Last updated: March 2026 · By the susQR security team

QR codes are everywhere — restaurant menus, parking meters, product packaging, event tickets, and email attachments. But here's the problem: you can't tell the difference between a safe QR code and a malicious one just by looking at it. A QR code that takes you to a restaurant menu looks identical to one that steals your bank login.

In 2025, QR code phishing attacks (called quishing) rose by over 400%. Criminals are placing fake QR code stickers over real ones in public spaces, embedding them in phishing emails, and even printing them on fake parking tickets.

This guide shows you exactly how to safely scan any QR code — step by step — so you never accidentally visit a malicious link again.

Why QR Codes Can Be Dangerous

A QR code is just a visual encoding of a URL (or other data). When you scan one, your phone decodes it and usually opens the link in your browser. The problem is that there's no way to "preview" a QR code with your eyes — unlike a text link where you can at least see the URL before clicking, a QR code hides the destination completely.

This makes QR codes the perfect attack vector for criminals:

  • Sticker swaps: Fake QR codes are placed over real ones on parking meters, restaurant tables, and public signage
  • Phishing emails: QR codes in emails bypass link-scanning filters because the URL is hidden in an image
  • Fake invoices and parking tickets: Scammers leave fake tickets or notices with QR codes that lead to credential-harvesting sites
  • Malware downloads: Some QR codes point to files that install malware, keyloggers, or spyware on your device
  • Wi-Fi credential theft: QR codes can automatically connect your phone to malicious Wi-Fi networks

⚠️ Key fact: According to recent data, QR code phishing attacks have surged over 400% since 2023. 1 in 4 QR codes scanned in public spaces now leads to a suspicious or outright malicious URL.

Step 1: Inspect the QR Code Physically

Before you even think about scanning, look at the QR code itself. This 5-second visual check catches the most common real-world attack: sticker overlays.

Ask yourself:

  • Is the QR code printed directly on the material, or is it a sticker placed on top?
  • Can you peel up the corner? If there's another QR code underneath, it's been tampered with.
  • Does the QR code match the surrounding branding? (Correct fonts, colors, logos)
  • Is it on official signage from a recognizable business?

💡 Where to be especially cautious: Parking meters, restaurant table tents, public transit posters, EV charging stations, event flyers, and mail packages. These are the most common targets for sticker-swap attacks.

Step 2: Photograph It — Don't Scan It Directly

Most smartphones are configured to automatically open URLs when you point your camera at a QR code. This is exactly what you don't want — it gives you zero time to check the link before your browser loads a potentially dangerous page.

Instead:

  1. Open your regular camera app (not a QR scanner)
  2. Take a photo of the QR code
  3. Upload that photo to a security scanner like susQR

This puts you in control. The QR code is decoded, the URL is analyzed, and you decide whether to visit it — after seeing the security results.

Step 3: Upload to a QR Code Security Scanner

This is the most important step. A QR code security scanner decodes the QR code and analyzes the destination URL against known threat databases — all before you visit the link.

susQR is a free, browser-based scanner that checks every QR code against:

  • 🛡️ VirusTotal: 90+ antivirus engines scan the URL simultaneously
  • 🔍 URLhaus: Real-time malware URL database from abuse.ch
  • 🌐 Snort IDS: Network intrusion detection rules flag known attack patterns
  • 📊 Risk Scoring: Proprietary algorithm weighing multiple threat signals

No other free tool gives you this many layers of protection for a single QR code scan.

Step 4: Review the Security Scan Results

After uploading your QR code to susQR, you'll see a comprehensive security report that includes:

  • The decoded URL — see exactly where the QR code points before visiting
  • Risk score — a 0–100 rating based on multiple threat signals
  • VirusTotal results — how many of 90+ security vendors flag the URL
  • Redirect chain — every hop the URL takes before reaching the final destination
  • Domain age and registration — newly registered domains are a common phishing indicator
  • URLhaus status — whether the URL appears in active malware databases

✅ Key takeaway: If the risk score is low and no security vendors flag the URL, it's likely safe to visit. If anything looks off — even one flag from a single vendor — proceed with extreme caution.

Step 5: Check for Red Flags in the URL

Even with a security scan, you should personally inspect the URL. Human judgment catches things automated scanners sometimes miss — especially brand-new phishing domains that haven't been reported yet.

Watch for these red flags:

  • Misspelled domains (example: paypa1-verify.com instead of paypal.com)
  • Suspicious TLDs (examples: .tk, .ml, .xyz, .top, .click)
  • Raw IP addresses (example: http://192.168.1.1/login)
  • URL shorteners (example: bit.ly/abc123, which hides the real destination)
  • Excessive subdomains (example: secure.login.paypal.com.evil-site.tk)
  • Random character strings (example: abc123xyz.com/j8k2m)
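
The red flags listed above can be checked mechanically once the QR code has been decoded. The following is an added example, not susQR's own code: the names `red_flags`, `BRANDS` and `MAX_LABELS` are hypothetical, the registrable domain is approximated as the last two host labels, and the "random character strings" flag is left to human judgment.

```python
import ipaddress
from urllib.parse import urlsplit

# Values from the red-flag list; a real checker would use longer lists.
SUSPICIOUS_TLDS = {"tk", "ml", "xyz", "top", "click"}
SHORTENERS = {"bit.ly"}
BRANDS = {"paypal": "paypal.com"}  # hypothetical list of expected brands
LOOKALIKES = str.maketrans("0135", "oles")  # digit-for-letter swaps
MAX_LABELS = 4  # assumption: more host labels than this is "excessive"


def registrable(host):
    # Assumption: last two labels. Production code should consult the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(host.split(".")[-2:])


def red_flags(url):
    """Return a sorted list of the red flags that apply to url."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    flags = set()
    if parts.scheme != "https":
        flags.add("no-https")
    try:
        ipaddress.ip_address(host)
        return sorted(flags | {"raw-ip"})
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    labels, domain = host.split("."), registrable(host)
    if labels[-1] in SUSPICIOUS_TLDS:
        flags.add("suspicious-tld")
    if domain in SHORTENERS:
        flags.add("url-shortener")
    if len(labels) > MAX_LABELS:
        flags.add("excessive-subdomains")
    for brand, real in BRANDS.items():
        if domain == real:
            continue  # genuinely the brand's own domain
        if real in host:
            flags.add("brand-in-subdomain")
        elif brand in domain.split(".")[0].translate(LOOKALIKES):
            flags.add("lookalike-domain")
    return sorted(flags)
```

An empty result means only that none of these heuristics fired; it does not replace the reputation checks from the scan step.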

Step 6: Verify HTTPS and Redirect Chains

Two things to check:

1. HTTPS encryption: The URL should start with https://. While HTTPS alone doesn't guarantee a site is safe, any site asking for personal information over plain HTTP is a definite red flag.

2. Redirect chains: Phishing attacks commonly use redirect chains — the QR code points to URL A, which redirects to URL B, then to URL C, before finally landing on a fake login page. Legitimate businesses rarely chain more than one redirect.

susQR automatically traces the full redirect chain and shows you every hop, so you can see the actual final destination — not just the first URL in the chain.
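
The two checks in this step can be combined into one pass over the redirect chain. This is an added sketch, not susQR's implementation: `trace`, `site` and the finding names are hypothetical, the HTTP layer is injected as a `fetch` callable so the logic runs offline, and the sample responses are constructed.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumption: give up after this many redirects
REDIRECTS = (301, 302, 303, 307, 308)


def site(url):
    # Assumption: the last two host labels approximate the registrable domain.
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def trace(start, fetch):
    """Follow redirects via fetch(url) -> (status, location); return (chain, findings)."""
    chain, findings, url = [start], set(), start
    while len(chain) <= MAX_HOPS:
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        nxt = urljoin(url, location)  # Location may be relative
        if nxt in chain:
            findings.add("redirect-loop")
            break
        if url.startswith("https://") and nxt.startswith("http://"):
            findings.add("https-downgrade")
        if site(nxt) != site(url):
            findings.add("cross-site-hop")
        chain.append(nxt)
        url = nxt
    else:
        findings.add("too-many-hops")
    if len(chain) - 1 > 1:  # the guide: legitimate sites rarely chain more than one
        findings.add("multiple-redirects")
    if site(chain[-1]) != site(start):
        findings.add("final-site-differs")
    return chain, sorted(findings)


# Constructed responses standing in for real HTTP requests.
SAMPLE = {
    "https://qr.example/m": (302, "https://track.example.net/r?id=7"),
    "https://track.example.net/r?id=7": (301, "http://login.example.org/a"),
    "http://login.example.org/a": (302, "/signin"),
}


def sample_fetch(url):
    return SAMPLE.get(url, (200, None))
```

Calling `trace("https://qr.example/m", sample_fetch)` returns the four-URL chain together with the findings for the HTTPS downgrade and the change of site along the way.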

Step 7: Only Visit the Link If the Scan Is Clean

After completing steps 1–6, you should have a clear picture of whether the QR code is safe:

✅ Safe to visit if:
  • Physical QR code looks legitimate (printed, not a sticker)
  • Risk score is low (green)
  • No security vendors flag the URL
  • URL matches the expected domain
  • Uses HTTPS
  • No suspicious redirect chains

🚫 Do NOT visit if:
  • QR code appears to be a sticker placed over the original
  • Any security vendors flag the URL
  • Risk score is medium or high
  • URL doesn't match the expected business domain
  • Multiple redirects before reaching the final page
  • Site immediately asks for login, payment, or personal info

How to Use susQR to Scan Safely (Walkthrough)

Here's exactly how to use susQR to check a QR code in under 30 seconds:

Option A: Upload a photo

  1. Take a photo of the QR code with your regular camera
  2. Go to susqr.com
  3. Tap "Upload QR Code Image" and select your photo
  4. susQR decodes the QR code, scans the URL, and shows your results

Option B: Use the built-in camera

  1. Go to susqr.com on your phone
  2. Tap the camera icon
  3. Point your camera at the QR code
  4. susQR scans the code in real-time and analyzes it — without opening the link

Option C: Paste a URL directly

  1. If you already have the URL from a QR code, go to susqr.com
  2. Paste the URL into the scan field
  3. Get instant security analysis without visiting the link

susQR works entirely in your browser — no app installation required. It works on iPhone, Android, and desktop.

susQR vs. Your Phone's Built-in QR Scanner

Every smartphone has a built-in QR scanner, but it wasn't designed for security. Here's how it compares:

Feature Phone Camera susQR
Decodes QR code
Shows URL before opening Partial ✓ Full URL
Scans URL against 90+ security vendors
Checks malware databases (URLhaus)
Snort IDS analysis
Traces redirect chains
Risk score
Works without installing an app ✓ Built-in ✓ Browser-based
Free
Prevents auto-opening malicious links

Your phone's camera is fine for QR codes you trust — like a code on your own product or a known app. For anything you encounter in the wild, use susQR first.

What to Do If You Already Scanned a Suspicious QR Code

If you scanned a QR code and now suspect it was malicious, take these steps immediately:

  1. Close the browser tab — don't interact with the page any further
  2. Change your passwords — especially if you entered any credentials on the site
  3. Enable two-factor authentication — on any accounts that could be affected
  4. Monitor your accounts — check bank statements, credit card activity, and email for unauthorized access
  5. Run a device security scan — use your phone's built-in security features or a reputable antivirus app
  6. Report the QR code — notify the business whose QR code was replaced, and report the URL to IC3 (FBI's Internet Crime Complaint Center)

💡 Pro tip: Going forward, you can bookmark susQR or install it as a web app on your phone for instant access whenever you encounter a QR code.

Frequently Asked Questions

How can I safely scan a QR code?

The safest approach: photograph the QR code, upload it to a security scanner like susQR, review the security results, and only visit the link if it comes back clean. This prevents your phone from automatically opening a malicious URL.

Can scanning a QR code hack my phone?

Scanning the QR code itself doesn't hack your phone. The danger is visiting the URL it contains — which could lead to phishing pages, malware downloads, or credential theft. Always check the URL with a security scanner before visiting.

Is there a free tool to check if a QR code is safe?

Yes — susQR is free and checks QR code URLs against VirusTotal's 90+ antivirus engines, the URLhaus malware database, and Snort IDS rules. No app install required — it works in your browser on any device.

What is quishing?

Quishing is QR code phishing — a cyberattack where scammers use QR codes to redirect victims to fake websites. These sites steal login credentials, payment information, or install malware. Quishing attacks increased over 400% between 2023 and 2025.

Should I use my phone's built-in QR scanner or a separate tool?

Your phone's built-in scanner is convenient but offers zero security analysis. For any QR code you encounter in public, use susQR first — it checks the URL against 90+ threat databases before you visit.

What should I do if I already scanned a suspicious QR code?

Close the browser immediately. Change passwords for any accounts where you entered credentials. Enable two-factor authentication. Monitor your bank and email accounts for unauthorized activity. Report the QR code to the relevant business and authorities.

Can a QR code install malware on my phone?

A QR code can link to a malware download, but simply scanning the code doesn't install anything. The risk comes from visiting the URL and downloading/running files. Using a security scanner like susQR stops this chain by checking the URL before you visit it.

Are QR code scanner apps safe?

Many free QR scanner apps contain ads, trackers, or even malware themselves. Your phone's built-in camera app is safer than third-party scanner apps, but neither provides security analysis of the URL. susQR is browser-based (no install), ad-free, and focused entirely on security.

susQR is a free, open-source QR code security scanner. No account required. No data stored.