Skip to main content

    How QR Codes Work

    QR (Quick Response) codes are two-dimensional barcodes that can store various types of data—URLs, text, contact information, WiFi credentials, payment information, and more. When you scan a QR code with your phone's camera, it decodes this data and typically offers to take an action, like opening a website or connecting to WiFi.

    The technology was invented by Denso Wave in 1994 for tracking automotive parts, but it's since become ubiquitous for everything from restaurant menus to cryptocurrency transfers. Unlike traditional barcodes, QR codes can store thousands of characters and include error correction, meaning they work even when partially damaged.

    The simplicity and power of QR codes is precisely what makes them attractive to attackers. They're opaque by design—you can't tell what a QR code contains just by looking at it. This creates opportunities for social engineering and technical attacks.

    Security Risks of QR Codes

    While QR codes themselves are just data containers, they can be vectors for several types of attacks. Understanding these risks helps you stay protected.

    Phishing Attacks (Quishing)

    The most common QR code attack is phishing—sometimes called "quishing" when done via QR codes. A malicious QR code directs you to a fake website that looks legitimate—like your bank's login page—but actually steals your credentials.

    Unlike typed URLs where you might spot typos or suspicious domains, QR codes hide the destination entirely. Attackers exploit this opacity to bypass your normal vigilance. You might scan a code expecting to see a restaurant menu and instead land on a credential-harvesting site.

    Malware Distribution

    QR codes can link to websites that attempt to download malicious apps or exploit browser vulnerabilities. This is especially concerning on mobile devices where users may be more likely to approve app installations from unfamiliar sources.

    Some attacks prompt you to install a "required" app to complete an action—like viewing a menu or making a payment. These apps may request excessive permissions and contain malware, spyware, or ransomware.

    Payment Fraud

    Criminals place fake QR codes over legitimate payment terminals, parking meters, or donation boxes. You think you're paying for parking, donating to charity, or paying a vendor, but you're actually sending money to a scammer's account.

    This attack is particularly effective because it exploits trust in physical locations. You expect the QR code at a parking meter to be legitimate because it's on official-looking infrastructure. Attackers take advantage of this assumption.

    QR Code Replacement (Sticker Attacks)

    Perhaps the simplest attack: criminals print a sticker with a malicious QR code and place it over a legitimate one. This happens at restaurants, parking lots, public transit stations, event venues, and anywhere QR codes are used.

    The attack requires minimal technical skill—just print a sticker. But it's highly effective because victims have no reason to suspect the QR code isn't genuine. Always look for signs of tampering before scanning.

    Data Harvesting

    Even "legitimate" QR codes can harvest more data than you expect. When you scan a QR code linking to a website, the destination receives your IP address, device type, browser information, and potentially location data. This information can be used for tracking, profiling, or sold to data brokers.

    Some QR campaigns use unique codes for each flyer or location, allowing detailed tracking of where and when codes are scanned. While not malicious per se, it's worth being aware of the privacy implications.

    Safe Scanning Practices

    You don't need to avoid QR codes entirely—they're convenient and often the only option. But following these practices significantly reduces your risk.

    1. Preview Before You Visit

    Use a QR scanner that shows you the URL before opening it. Most modern phone cameras do this by default—look at the preview before tapping. If the URL looks suspicious, doesn't match what you expect, or uses a strange domain, don't proceed.

    Watch for URL shorteners (bit.ly, tinyurl.com, etc.) which hide the true destination. While not inherently malicious, they prevent you from verifying where you're going. Legitimate businesses typically use their own domains.

    2. Check for Physical Tampering

    Before scanning, examine the QR code itself. Look for signs that a sticker has been placed over another one—raised edges, different paper quality, misalignment with surrounding design, or adhesive residue.

    In restaurants or businesses, verify the QR code appears to be part of the original signage, not a stuck-on addition. If something looks off, ask staff for an alternative or type the URL manually.

    3. Be Extra Cautious with Unknown Sources

    QR codes in emails, text messages, random flyers, or stuck on lamp posts deserve extra scrutiny. Legitimate businesses rarely send QR codes via email for sensitive actions like password resets, payment verification, or account updates.

    The more unsolicited the QR code, the more suspicious you should be. A QR code in a printed magazine ad is more trustworthy than one on a street sticker. Consider the context and source before scanning.

    4. Verify the Domain Carefully

    Before entering any sensitive information on a site accessed via QR code, check the URL carefully. Verify:

    • The connection is HTTPS (padlock icon)
    • The domain matches the legitimate business exactly
    • There are no subtle misspellings (yourbank.com vs yourb4nk.com)
    • There are no suspicious subdomains (yourbank.malicious-site.com)

    5. Never Download Apps from QR Codes

    Be extremely suspicious if a QR code prompts you to download an app or file. Legitimate apps should be installed from official app stores (App Store, Google Play), not from websites reached via QR code.

    If an app is required for a service, go to the app store directly and search for it. Don't trust QR codes that claim to lead to app downloads, even if they appear to be on official materials.

    6. Use a Dedicated QR Scanner App

    While your phone's camera works fine for basic scanning, dedicated QR scanner apps often provide additional security features like URL preview, safety checks against known malicious sites, and the ability to view encoded data without taking action.

    QR Codes in Multi-Factor Authentication

    QR codes play a legitimate and important role in setting up authenticator apps for two-factor authentication (2FA). When you enable 2FA on an account, you typically scan a QR code to share a secret key with your authenticator app.

    This use case is safe because:

    • You're initiating the process from within a logged-in account
    • The QR code is displayed by the service itself, not from an external source
    • It encodes a secret key, not a URL
    • Your authenticator app processes it locally, not via the web

    However, be wary of unsolicited messages claiming you need to "scan this QR code to verify your account" or similar—legitimate services don't operate this way. Learn more in our Two-Factor Authentication Guide.

    Legitimate Uses for QR Codes

    Despite the risks, QR codes have many legitimate and convenient uses:

    • Restaurant menus: Touch-free menu access that's now standard
    • Event tickets: Easy entry scanning for concerts, flights, and events
    • Payments: Through verified payment apps like Apple Pay, Google Pay, Venmo
    • Two-factor authentication: Setting up authenticator apps securely
    • WiFi sharing: Quick network credential sharing without typing
    • Business cards: Digital contact information exchange
    • Product information: Extended details, manuals, and support links
    • Boarding passes: Mobile tickets for airlines and transit

    The key is to be thoughtful about context. A QR code at a restaurant table is probably safe. A QR code on a random sticker stuck to an ATM is definitely not.

    Creating Safe QR Codes

    If you're creating QR codes for your business or personal use, follow these best practices:

    • Use a trusted generator: Choose generators that process data client-side and don't log your information
    • Use your own domain: Don't use URL shorteners for sensitive links—they reduce trust and can be compromised
    • Test before deploying: Scan your QR codes to verify they work and lead where expected
    • Print permanently when possible: Integrate QR codes into printed materials rather than using stickers that can be replaced
    • Consider adding context: Include the destination URL in text near the QR code so users can verify

    Malware Distribution via QR Codes

    QR codes can be used to distribute malware by linking to malicious websites or downloadable files. Scanning a compromised QR code might automatically download a harmful app or redirect you to a fake login page. Attackers often use QR codes in 'smishing' (SMS phishing) campaigns, embedding them in text messages or emails that appear legitimate. To protect yourself, avoid scanning QR codes from unknown sources and ensure your device's security software is up to date. For businesses, use digital signature verification tools to authenticate QR codes before deployment.

    Best Practices for Creating Secure QR Codes

    When generating QR codes for your organisation or personal use, follow these security guidelines: 1) Use HTTPS links to ensure encrypted connections, 2) Avoid embedding sensitive data directly in the QR code, and 3) Consider dynamic QR codes that allow URL changes without updating the physical code. For payment systems, always verify with your bank's QR code authentication protocols. SecureTools' QR generator includes a built-in URL validation feature to help you create safer codes. Regularly audit your QR codes for tampering, especially those used in public spaces.

    Data Privacy Considerations

    QR codes can inadvertently expose sensitive information if not properly secured. For example, a QR code containing WiFi credentials or personal data could be scanned by unintended users. When creating QR codes for business use, implement access controls and consider encrypting the payload data. For end users, avoid sharing QR codes that include personal information. Note that some 'QR code tracking' services may collect user data through the scanning process, so always review the privacy policy of any QR code service you use. SecureTools recommends using open-source QR code generators for maximum transparency.

    type html> SecureTools — Privacy-First Security Utilities