How to Check if a QR Code Is Safe Before Scanning (2026 Guide)
Short answer: to check if a QR code is safe, do not rely on the QR pattern itself. Instead, (1) inspect the physical code for stickers or tampering, (2) preview the URL using your phone's built-in camera before tapping, and (3) run the URL through a reputation-checking scanner like Is This QR Safe? that follows redirects and queries VirusTotal-style engines. The whole process takes under a minute and catches the vast majority of quishing attempts.
Why a QR code can be dangerous
A QR code is just a black-and-white encoding of text — almost always a URL. There is no “trust” layer in the format itself. Anyone can print a QR code that points anywhere, and there is no visual difference between a code that opens your bank's real login page and one that opens a perfect clone designed to harvest your password. That asymmetry is the entire reason quishing works.
On top of that, QR phishing routinely bypasses email security filters because the malicious URL is rendered inside an image. Most filters parse text — they cannot “see” the URL inside a PNG or PDF attachment. Industry telemetry tracked QR-bearing phishing emails climbing from roughly 46,000 in August 2025 to about 250,000 in November 2025 for that exact reason (Keepnet Labs, 2026; Acronis, 2026).
The 5-step QR safety check
1. Inspect the physical code
Most public quishing attacks rely on overlaying a real code with a sticker — that is exactly what happened to parking pay stations in Austin and San Antonio, where stickered codes pointed customers to a fraudulent “passportlab.xyz” payment site (FOX 7 Austin, 2022). Look for:
- A sticker placed on top of an underlying printed code (you can sometimes feel the edge with a fingernail).
- Peeling, off-center, or skewed corners.
- A QR code printed on a separate card, taped or glued in place.
- A code in an unexpected location — for example, on the back of a parking meter rather than its face.
If the code looks added on rather than part of the original signage, treat it as suspicious.
2. Preview the URL with your phone's camera
Both iOS and Android show the destination URL before they open it. That preview is the cheapest, fastest first defense.
- iPhone: Open the built-in Camera app and frame the QR code. A yellow URL banner appears at the top — read the domain without tapping.
- Android: Open Google Lens (or the Camera app on most modern Android phones) and frame the code. The URL appears as a preview chip — tap-and-hold rather than tap to inspect without opening.
A preview is not a safety check. URL shorteners (bit.ly, t.co, tinyurl, and dozens more) hide the real destination, and lookalike domains (“paypa1.com”, “rny-bank.com”) can fool a glance. The preview tells you what you are about to fetch — it does not tell you whether that URL is malicious.
3. Run the URL through a reputation engine
This is the step that turns a guess into a verdict. Open Is This QR Safe? and either point your camera at the code or upload a screenshot. The scanner:
- Decodes the QR code in your browser (the image never leaves your device) and submits only the decoded URL to our servers.
- Follows every redirect and shortener on our servers until it reaches the final landing page.
- Submits that final URL to VirusTotal, which aggregates verdicts from 70+ engines (Google Safe Browsing, BitDefender, Sophos, Fortinet, and others).
- Returns a clean / suspicious / malicious verdict, plus how many engines flagged it.
If you prefer not to use a third-party scanner, you can paste the URL directly into VirusTotal at virustotal.com or into urlscan.io. The trade-off is that you have to copy the URL out yourself first, which is awkward when the code is on a parking meter.
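The redirect-following step described above can be sketched as follows. This is an added example, not the scanner's own code: the hop limit, the function names and the redirect table are assumptions, and the table is constructed so the logic runs offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumed cap; the page does not state one


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # decline to follow, so urllib raises the 3xx as HTTPError


def http_hop(url, timeout=5):
    """Send one HEAD request; return the Location header on a 3xx, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
    return None


def resolve_chain(url, hop=http_hop):
    """Follow redirects one hop at a time; return (chain, status)."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        if urlsplit(chain[-1]).scheme not in ("http", "https"):
            return chain, "non-http scheme"  # e.g. a redirect into an app link
        location = hop(chain[-1])
        if location is None:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "too many hops"


# Constructed redirect table standing in for live HTTP responses.
CONSTRUCTED_HOPS = {
    "https://short.example/a1": "http://track.example/r?id=7",
    "http://track.example/r?id=7": "/landing",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

def demo():
    return resolve_chain("https://short.example/a1", hop=CONSTRUCTED_HOPS.get)
```

Only the last entry of a chain with status "final" is worth submitting to a reputation engine. This covers HTTP-level redirects only; meta-refresh and script-driven redirects need a rendering sandbox.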
4. Verify the final domain matches expectations
Even with a clean verdict, ask: does the domain make sense for the context?
| Where the code is | Domains you would expect | Red flag |
|---|---|---|
| Parking meter | City or paid-parking operator (paybyphone.com, parkmobile.io, your city's .gov) | Random shortener or unfamiliar TLD |
| Restaurant menu | Restaurant brand, or its menu host (toasttab.com, square.site) | Free hosting service like *.rf.gd or *.glitch.me |
| Shipping label | USPS, FedEx, UPS official domains | “usps-tracking-update.xyz”-style lookalikes |
| Crypto address | The exact wallet address you copied from the recipient | Any character difference at all — even one |
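The context check in the table, together with the lookalike and shortener caveats from step 2, can be expressed as a small classifier. This is an added example, not code from the scanner: the confusable-character pairs, function names and sample URLs are assumptions, and the subdomain test is a simple suffix match rather than a public-suffix lookup.

```python
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # named on the page; real lists are longer
FOLDS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]  # assumed confusable pairs


def fold(host):
    """Collapse look-alike character sequences so 'paypa1' and 'paypal' compare equal."""
    for seen, meant in FOLDS:
        host = host.replace(seen, meant)
    return host


def under(host, domain):
    """True if host is domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_domain(url, expected):
    """Classify the final URL's host against the domains expected for the context."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "red flag: no host in URL"
    if any(under(host, d) for d in expected):
        return "expected"
    if any(under(host, s) for s in SHORTENERS):
        return "red flag: shortener, resolve it first"
    for d in expected:
        if under(fold(host), fold(d)):
            return f"red flag: lookalike of {d}"
        if d.split(".")[0] in host:
            return f"red flag: {d} brand name on another domain"
    return "unexpected: domain does not fit the context"


# Constructed sample inputs; PARKING comes from the table above.
PARKING = ["paybyphone.com", "parkmobile.io"]

def demo():
    urls = ["https://m.paybyphone.com/pay", "https://tinyurl.com/abc123",
            "https://paybyphone.com.pay-now.example/", "https://passportlab.xyz/"]
    return [check_domain(u, PARKING) for u in urls]
```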
5. Open only with a clean verdict and a sensible domain
If a reputation engine flags the URL, stop. If the verdict is clean but the domain looks wrong, also stop. A clean verdict only means “no engine has seen this URL act badly yet” — and brand new phishing domains can briefly evade detection until at least one engine catches up.
What to do if you already scanned a malicious QR code
If the malicious QR took you to a credential-harvesting page and you already entered something, act fast:
- If you entered a password, change it immediately on the real site, then enable 2FA.
- If you entered a credit card or paid through the page, call your card issuer to dispute and freeze the card.
- Run an on-device antivirus scan; mobile drive-by malware is rare but possible.
- Check the affected account for unauthorized logins or transactions for the next 30 days.
- Report the QR location (parking lot, restaurant, etc.) to the venue and to local consumer protection so the sticker can be removed.
Frequently asked questions
- Can I check a QR code without scanning it?
- Yes. Take a photo or screenshot of the QR code and upload it to the Is This QR Safe? scanner. Only the decoded URL gets sent to the server for processing.
- Does my phone preview QR code URLs automatically?
- Modern iOS Camera and Android Google Lens both show the URL preview before opening it. The preview alone is not a safety check — shortened URLs and lookalike domains can still appear harmless. Use a reputation-checking scanner for that.
- Is it safe to scan a QR code from a sticker?
- Be cautious. Stickered-over QR codes are one of the most common quishing vectors — attackers print malicious codes on adhesive labels and slap them over real ones at parking meters, restaurant tables, and EV chargers. If a code looks like a sticker, do not scan it without a safety check.
Sources
- CNBC — "Quishing" scams dupe millions of Americans as cybercriminals turn the QR code bad (2025).
- Keepnet Labs — QR Code Phishing Statistics & Quishing Trends (2026).
- Acronis — The Blind Spot in Your SEG: Why QR Code Phishing Is the New 2026 Battlefield (2026).
- FOX 7 Austin — Fraudulent QR code stickers found on 29 Austin public parking meters (2022).
- FTC Consumer Advice — Scammers hide harmful links in QR codes to steal your information (2023).