
How to check a QR code before scanning it

QR codes hide their destination until you scan them. Here is how to check where a QR code actually goes before you open anything.

A QR code is a link with its destination hidden. You cannot read where it goes just by looking at it, which makes it a useful tool for scammers - and a reason to pause before scanning one you weren't expecting.

Quishing - QR code phishing - has grown sharply in recent years. The approach is simple: replace a visible suspicious link with a QR code that hides it. Most people scan first and ask questions later.

Here is how to check before you do.


Why QR codes need checking

When you receive a suspicious link in an email or text, you can read the URL before clicking. With a QR code, you cannot. That gap is exactly what scammers exploit.

QR codes are used in legitimate contexts constantly - restaurant menus, payment terminals, event check-ins, marketing materials. That familiarity works in the scammer's favour. Scanning a QR code feels routine now, which means the scepticism most people apply to suspicious links often doesn't kick in.

The risk is the same: a convincing fake website designed to steal your login credentials, payment details, or personal information.


Method 1: Read the URL preview before tapping

When you point your phone camera at a QR code, most smartphones show a preview of the destination URL before you tap it. This is your first and easiest check.

What to look for:

  • Does the domain match the organisation the QR code claims to be from? A QR code on a Royal Mail notice should go to royalmail.com. A QR code on a parking machine should go to the official parking operator's domain.
  • Are there extra words, hyphens, or slight misspellings? royal-mail-customs.com is not Royal Mail. hmrc-refund.net is not HMRC.
  • Is it a short URL that hides the real destination? bit.ly or similar shorteners should be treated with extra caution - they disguise the final destination.

If anything looks off, do not tap.
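The three checks above written as code, as an added example that is not SniffTest's own logic. The function name, the warning labels, the short shortener list and the assumption that HMRC services live under gov.uk are all illustrative choices made here.

```python
from urllib.parse import urlsplit

# Illustrative, non-exhaustive list of link shorteners (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def _host(url):
    # Parse the hostname properly instead of searching the raw string,
    # so text elsewhere in the URL cannot pass for the domain.
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower().rstrip(".")


def _squash(text):
    # Drop hyphens and dots so "royal-mail" compares equal to "royalmail".
    return "".join(c for c in text.lower() if c.isalnum())


def check_qr_url(url, expected_domain, brand=None):
    """Return a list of warning labels; an empty list means no warning."""
    host = _host(url)
    expected = expected_domain.lower().rstrip(".")
    if not host:
        return ["no-hostname"]
    if host in SHORTENERS:
        # The real destination is hidden, so nothing else can be judged.
        return ["shortener"]
    if host == expected or host.endswith("." + expected):
        return []
    warnings = ["domain-mismatch"]
    # Brand name inside a domain the organisation does not own.
    name = _squash(brand or expected.split(".")[0])
    if name and name in _squash(host):
        warnings.append("brand-lookalike")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs using the domains named in this guide.
    samples = [
        ("https://www.royalmail.com/track", "royalmail.com", None),
        ("https://royal-mail-customs.com/pay", "royalmail.com", None),
        ("hmrc-refund.net", "gov.uk", "hmrc"),
        ("https://bit.ly/3abcd", "royalmail.com", None),
    ]
    for url, expected, brand in samples:
        print(url, "->", check_qr_url(url, expected, brand) or "ok")
```
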


Method 2: Upload the QR code to SniffTest

If you have a photo of a QR code - from a message, a document, or a screenshot - you can upload it directly to SniffTest.

SniffTest decodes the QR code, extracts the destination URL, and runs it through 17 checks - domain age, Google Safe Browsing, phishing blocklists, brand impersonation detection, and more - before you visit anything.

How to use it:

  1. Go to doasnifftest.com
  2. Tap the camera/QR icon in the checker
  3. Upload a photo or screenshot of the QR code
  4. SniffTest decodes the URL and returns a verdict

This works for QR codes you've received in emails, messages, or documents. It's the most thorough check available before visiting the destination.


Method 3: Scan with a dedicated QR scanner app

Some QR scanner apps show you the full destination URL before opening it, giving you a chance to check it manually. The built-in camera app on most smartphones does this too - look for the URL preview that appears at the bottom of the screen before you tap.

The key habit: always read the URL preview before tapping, every time.


QR codes in the physical world: extra considerations

QR codes in physical locations carry a specific risk - a scammer can print a sticker and place it over a legitimate QR code. The surrounding signs and branding look real; only the code has been tampered with.

Before scanning a QR code in a public place:

  • Look closely at the code itself. Is there a sticker on top of another code? Does it look like it was added after the fact?
  • Does the code look like it belongs - is it professionally printed as part of the signage, or stuck on as an afterthought?
  • For parking payments, restaurant payments, and anything involving money - use the official app or pay at the machine if you have any doubt.

Scammers have targeted parking meters, charity donation points, and restaurant payment QR codes in the UK and elsewhere. Physical tampering is harder to spot than digital manipulation, so the threshold for caution should be higher.


What to do if you've already scanned a suspicious QR code

If you scanned but didn't tap through or enter anything - you're likely fine. Note the URL the QR code pointed to and run it through SniffTest to confirm.

If you tapped through but didn't enter anything - close the browser tab and check the URL in SniffTest. You're probably fine, but worth verifying.

If you entered login credentials - change your password immediately on any account using the same credentials, and enable two-factor authentication if you haven't already.

If you entered payment details - call your bank immediately on the number on the back of your card. Ask them to cancel the card and flag your account.

For a full step-by-step guide based on what happened after you clicked, see what to do after clicking a phishing link.


Quick checklist before scanning any QR code

  1. Were you expecting this QR code, or did it arrive unsolicited?
  2. Does the URL preview match the organisation it claims to be from?
  3. Is it a shortened URL that hides the real destination?
  4. If it's physical - does the code look like it belongs, or could it be a sticker?
  5. If you're still unsure - upload it to SniffTest before visiting.

If any of those give you pause, check before you tap.


Frequently asked questions

Q: Can scanning a QR code give my phone a virus?

A: Scanning the code itself is generally safe - it's the equivalent of reading a URL. The risk comes from visiting the destination. A malicious QR code sends you to a phishing page or a site designed to steal your information, but only once you've tapped through and interacted with it. Check the URL before you tap.

Q: How can I check a QR code without scanning it on my phone?

A: Take a photo or screenshot of the QR code and upload it to SniffTest. It will decode the destination URL and check it for you before you visit anything.

Q: Are QR codes on parking meters safe?

A: Not always. Scammers have placed fake QR code stickers over legitimate ones on parking meters in the UK and other countries. Before scanning, look closely for signs of tampering. When in doubt, use the official parking app or pay at the machine directly.

Q: What does a phishing QR code look like?

A: The QR code itself looks identical to any other - there is no visual difference. The tell is the destination URL it points to. Use your camera app to preview the URL before tapping, or upload the code to SniffTest to check the destination before visiting it.

Q: Is it safe to scan QR codes in restaurants?

A: Usually yes, but it's still worth checking the URL preview before tapping - particularly if the code looks like it could have been added after the fact. Legitimate restaurant QR codes go to the restaurant's own domain or a known menu platform. If the URL looks unrelated to the restaurant or involves a payment, verify before proceeding.
