QR codes are just shortcuts to links. That means attackers can use them to send you to fake login pages, malware downloads, or rogue Wi-Fi networks — and you don't see the address until it's too late.
Next time you see a QR code
- 1 Pause before you scan. Treat random QR codes (stickers, flyers, tables, restrooms) the same way you'd treat random links in email or text.
- 2 Check the URL preview. Most phones show the link before opening it. If the address is weird, misspelled, or not related to where you expect to go, cancel.
- 3 Never enter passwords or payment info on a site you reached from a random QR code. Go to the site directly instead by typing the address or using a trusted app.
Attackers love QR codes because they hide the destination and feel "harmless." Common tricks include:
- Sticker swaps: A fake QR sticker placed on top of a real one on posters, tables, menus, or parking meters.
- Fake login & payment pages: QR sends you to a site that looks like email, cloud storage, or a payment portal, but steals your credentials or card.
- Malicious downloads & apps: QR links directly to a file or app that can infect your device.
- Wi-Fi traps: QR configures your phone to join an attacker-controlled wireless network so they can watch your traffic.