Frequently asked questions

Quick answers about QR code safety, quishing, and how to use Is This QR Safe?. For longer-form material, see our knowledge base.

How do I check if a QR code is safe before scanning it?

Open Is This QR Safe? in your browser or app, point your camera at the code or upload a screenshot, and the scanner extracts the URL, follows every redirect, and checks the destination against VirusTotal and other reputation engines before you visit. The scan typically takes a few seconds.

What is quishing?

Quishing is QR code phishing — a phishing attack where the malicious link is hidden inside a QR code instead of plain text. Because email security filters parse text, not images, quishing emails routinely bypass legacy filters. Keepnet Labs reported a 587% rise in quishing in 2023, and QR codes appeared in roughly 12% of all phishing attacks in 2025.

Can a QR code give me malware just by scanning it?

Scanning a QR code does not by itself install anything — it just decodes a URL. The danger starts when you visit that URL: the destination can ask for credentials, trigger a payment flow, or attempt a drive-by download. That is why previewing the URL before opening it is critical.

Is Is This QR Safe? free?

Yes. The web scanner at isthisqrsafe.com and the iOS and Android apps are free for personal QR safety checks.

Does the scanner work on iPhone and Android?

Yes. The web scanner works in any modern mobile browser, including Safari on iOS and Chrome on Android. We also publish native iOS and Android apps that integrate with the system camera and run faster.

Do you store the QR code images I upload?

No. QR codes are decoded entirely in your browser; the image itself is never uploaded or stored. The extracted URL plus standard request metadata (IP, user-agent, approximate location) are logged so we can show your scan history and improve detection of malicious QR campaigns.

Why does Is This QR Safe? require a sign-in?

A signed-in account lets us attribute scans to a user, show your scan history, and prevent abuse of the URL-reputation API quota. Anonymous public scanning is not currently offered.

What URL reputation engines do you check?

We submit the destination URL to VirusTotal, which aggregates verdicts from 70+ URL and domain reputation engines (Google Safe Browsing, BitDefender, Sophos, Fortinet, Kaspersky, and many others). When a quota allows, we also cross-check against Urlscan.io.

Is a QR code at a restaurant menu safe?

Usually yes, but quishing attackers commonly sticker over real menu codes with malicious ones. Before scanning, look for a sticker placed on top of the printed code, peeling edges, or codes glued to a card rather than printed on the menu. When in doubt, scan with Is This QR Safe? and confirm the URL matches the restaurant.

What should I do if I already scanned a malicious QR code?

If you only opened the URL: close the page, clear browser cookies for that site, and run an antivirus scan. If you entered credentials: change that password immediately, enable 2-factor authentication, and watch the account for unauthorized activity. If you entered a payment, contact your bank or card issuer to dispute and freeze the card.

How accurate is the safety verdict?

Verdicts inherit the accuracy of the underlying reputation engines. Newly-registered phishing domains can briefly evade detection until at least one engine sees them. We mitigate this by following all redirects and inspecting the final landing URL, which catches a large share of campaigns that hide behind a clean shortener.