QR Code Safety Checklist

7 steps to verify any QR code before you scan

Last updated: March 2026 · By the susQR security team

QR codes are convenient — but you can't tell a safe one from a dangerous one just by looking at it. Use this checklist every time you encounter a QR code in the wild.

Quick rule: If you wouldn't click a random link in a text message, don't scan a random QR code without checking it first.

✅ Step 1: Check the physical placement

Before you even scan, look at the QR code itself. Is it printed on official signage, or does it look like a sticker placed on top of something? Attackers physically place fake QR code stickers over legitimate ones — this is the most common quishing technique in public spaces.

Common targets: parking meters, restaurant table tents, public transit signs, event posters, mail packages.

✅ Step 2: Look for brand consistency

A legitimate QR code from a business is usually printed on branded material — matching fonts, colors, and logos. A random sticker with just a QR code and no branding should raise suspicion.

✅ Step 3: Use a security scanner

Don't let your phone open the link directly. Instead, photograph the QR code and scan it through susQR or another security scanner. susQR checks the URL against 90+ security vendors, the URLhaus malware database, and our own risk analysis engine — all before you click.

✅ Step 4: Preview the URL

Look at where the QR code actually points. Ask yourself:

  • Does the domain match the expected company? (e.g., "paypal.com" vs "paypa1-verify.com")
  • Is it using a suspicious TLD? (.tk, .ml, .xyz, .top are common in phishing)
  • Is it a raw IP address instead of a domain name?
  • Does it use a URL shortener (bit.ly, t.co) to hide the real destination?

✅ Step 5: Check for HTTPS

The URL should start with https:// (not http://). While HTTPS alone doesn't guarantee a site is safe, any site asking for personal information over plain HTTP is a red flag.

✅ Step 6: Verify redirects

Phishing attacks often use redirect chains — the QR code points to one URL, which redirects to another, then another, before landing on a fake page. susQR's redirect tracing reveals the entire chain so you can see where the link actually ends up.

✅ Step 7: Don't enter sensitive information

If a QR code sends you to a page asking for login credentials, payment info, Social Security numbers, or other personal data — stop. Go directly to the company's official website or app instead of trusting a QR code.
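As an added example (not susQR's own code), the Python function below applies the URL checks from steps 4 and 5 to a link decoded from a QR code and returns the red flags it raises. The expected domain, the suspicious TLD list and the shortener list are the page's own illustrations, hardcoded here as assumptions; the redirect tracing of step 6 needs a live request, so it is left out to keep the check offline.

```python
"""Offline triage of a URL decoded from a QR code, following the checklist."""
import ipaddress
from urllib.parse import urlsplit

# Assumed values for this example, taken from the checklist's illustrations
# (not susQR's real lists): the brand we expect the code to belong to,
# TLDs the checklist calls common in phishing, and shorteners that hide
# the real destination.
EXPECTED_DOMAIN = "paypal.com"
SUSPICIOUS_TLDS = {"tk", "ml", "xyz", "top"}
URL_SHORTENERS = {"bit.ly", "t.co"}


def is_same_site(host: str, expected: str) -> bool:
    """True only for the expected domain or a real subdomain of it.

    A suffix match on ".paypal.com" rejects lookalikes such as
    "paypa1-verify.com" and "paypal.com.evil.tk", which share characters
    but are different registered domains.
    """
    return host == expected or host.endswith("." + expected)


def triage_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> list[str]:
    """Return the checklist red flags raised by a decoded QR URL."""
    flags = []
    parts = urlsplit(url.strip())
    # urlsplit gives the real host even when "user@" is used to disguise it.
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":          # step 5: plain HTTP is a red flag
        flags.append("not-https")
    if not host:
        flags.append("no-host")
        return flags
    try:                                  # step 4: raw IP instead of a domain
        ipaddress.ip_address(host)
        flags.append("raw-ip")
        return flags
    except ValueError:
        pass
    if not is_same_site(host, expected_domain):   # step 4: domain mismatch
        flags.append("domain-mismatch")
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:  # step 4: suspicious TLD
        flags.append("suspicious-tld")
    if host in URL_SHORTENERS:                      # step 4: hidden destination
        flags.append("url-shortener")
    return flags
```

An empty list means none of the checklist's URL red flags fired, which is a reason to continue the remaining steps, not a verdict that the link is safe.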

⚠️ Red flags that should stop you immediately:
  • QR code on a sticker placed over the original
  • URL doesn't match the expected company domain
  • Page immediately asks for login, payment, or personal info
  • Multiple redirects before reaching the final page
  • Site uses HTTP (not HTTPS) and asks for sensitive data