
QR Code Security Guide

Fake QR codes: how to recognize them, protect yourself, and secure your business

A fake QR code can look exactly like a real one, so the right response is not panic but verification. This guide explains how fake QR codes, overlay stickers, and quishing attacks work, and gives a practical course of action.

A fake QR code is a QR code created or modified so that it redirects the person scanning it to a malicious site, a credential-harvesting page, or a malware download. Such codes often appear as stickers placed over genuine notices.

Last reviewed in 2026 for current QR phishing and quishing patterns.

What should you know about fake QR codes?

A QR code is a matrix barcode that encodes a URL or action; the code format is not inherently unsafe. The risk comes from a malicious destination, a physical overlay sticker, or a compromised redirect account that sends scanners somewhere unexpected.

Preview the URL before opening it and confirm the domain matches the brand or place you expect.

Inspect public QR codes for raised edges, misalignment, sticker borders, or signs that a code was placed over another code.

Businesses should use branded dynamic QR codes, redirect control, scan analytics, and tamper-evident placement for customer-facing codes.

Fake QR code


A QR code is a matrix barcode that can encode a URL, text, contact card, payment instruction, or other action. A fake QR code abuses that convenience by making a harmful destination look like an ordinary scan.

A fake code is different from a tampered code. A fake code may be created from scratch for a phishing email or fraudulent flyer, while a tampered code is a legitimate printed QR code that has been physically covered with another code.

QR codes themselves are not the threat. The risk comes from the URL redirect, the website that opens after the scan, and the context in which the QR code appears. For a broader taxonomy of QR formats, see types of QR codes.

Fake QR code

A code intentionally generated by a bad actor for a malicious website, fake payment page, or credential-harvesting form.

Tampered QR code

A real code that has been physically covered, replaced, or relabeled so scanners visit a destination controlled by someone else.

Quishing

A QR code phishing attack that places a malicious QR image in an email, document, or message instead of using a normal hyperlink.

How do fake QR code scams work?

Fake QR code scams work by breaking the trust between the visible code and the destination it opens. The scanner expects a menu, payment page, or login screen, but the QR code sends them to a fraudulent destination controlled by the attacker.

Based on our review, the most practical way to understand QR code scams is as a spectrum: created fake codes, physical overlay attacks, email-based quishing, and social engineering through printed materials or packages.

Sticker overlay attacks

An overlay sticker attack is a physical fraud technique where a malicious QR code sticker is placed over a legitimate code on a parking meter, restaurant menu, retail payment terminal, or public sign. The user sees the original context and assumes the code belongs there.

Quishing through email

Quishing is QR code phishing that uses a QR image instead of a hyperlink. Because many email filters inspect text links more reliably than embedded images, a QR code in a phishing email can bypass defenses that would catch a visible URL.

Malicious print ads or flyers

A malicious QR code on a flyer, poster, or print ad can imitate a discount, event registration page, or support portal. The code looks ordinary because the fraud is in the destination, not the visual pattern.

Social engineering through packages

Package inserts, delivery notices, and unsolicited mail can use QR codes to pressure people into scanning for tracking, refunds, or account verification. A legitimate delivery company rarely requires a QR scan to enter credentials.

How can you tell if a QR code is fake?

Before scanning any QR code, inspect the physical label, preview the destination URL, and verify that the URL matches the expected brand domain with HTTPS enabled. If the URL is random, shortened, misspelled, or contextually strange, do not proceed.

Use this table as a quick field check. No single signal proves a QR code is safe, but multiple warning signs should be treated as a stop condition.

Signal: URL preview
  Safe: The preview matches the expected brand domain.
  Suspicious: The preview shows a random string, URL shortener, misspelled domain, or unusual top-level domain.

Signal: Physical condition
  Safe: The code is printed cleanly and flat on the surface.
  Suspicious: The code has raised edges, a sticker border, misalignment, or visible layering.

Signal: Source
  Safe: The code appears on official signage, packaging, receipts, or a known business channel.
  Suspicious: The code appears in unsolicited email, unknown flyers, unexpected mail, or unofficial signage.

Signal: Redirect behavior
  Safe: The scan opens the expected destination with minimal redirect steps.
  Suspicious: The scan jumps through multiple redirects before landing on the final page.

Signal: HTTPS
  Safe: The destination uses HTTPS and a recognizable certificate-backed domain.
  Suspicious: The destination lacks HTTPS or presents a certificate warning.

Signal: Brand design
  Safe: The QR code, frame, and nearby copy match the business's visual style.
  Suspicious: The code is generic, unbranded, or inconsistent with surrounding materials.

Signal: Permission requests
  Safe: The destination does not request unusual access for the task.
  Suspicious: The destination asks for camera, contacts, location, payment, or login access without a clear reason.

We recommend inspecting QR codes in public spaces the same way you would inspect an ATM card slot: look for anything that does not belong before you interact.

How do you check if a QR code is safe before scanning?

The safest QR code workflow is to inspect the physical placement, preview the URL, verify the destination domain, confirm HTTPS, and stop if the context feels wrong. The UK's National Cyber Security Centre advises users to preview URLs before tapping.
  1. Inspect the physical placement

     Look for sticker overlays, raised edges, misalignment, or a code that appears newer than the surrounding sign. Legitimate permanent codes are usually printed flat or held in a branded frame.

  2. Use a scanner that previews the URL

     Use a phone camera or QR scanner that displays the destination URL before opening it. In our testing, scanners that show the full domain provide the clearest pre-tap warning.

  3. Verify the destination URL before tapping

     Confirm that the URL matches the brand, venue, or service you expected. Avoid lookalike domains, random strings, and generic URL shorteners with no brand context.

  4. Confirm HTTPS and a recognizable domain

     HTTPS indicates an encrypted connection to the destination, not that the destination is legitimate. Treat HTTPS as necessary but not sufficient.

  5. Trust context if something feels off

     If the QR code appears in an unsolicited email, unexpected flyer, or high-pressure message, navigate to the official website directly instead of scanning.
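The pre-tap checks from the field-check table and the steps above, written out as an added example (this is not QR-Build's code): given the URL a scanner previews, it reports which warning signals fire. The shortener list, the brand domain, the sample URLs, and the offline redirect map are constructed assumptions for illustration.

```python
"""Pre-tap URL checks for a decoded QR payload: HTTPS, expected brand
domain, URL shortener, lookalike domain and redirect depth.
Added example, not QR-Build code; the shortener list, the brand domain
and the redirect map used in the demo are constructed."""
from urllib.parse import urlsplit

# Constructed, deliberately short list of hosts that hide the real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
MAX_REDIRECTS = 2  # more hops than this counts as a warning signal

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def matches_brand(host, brand_domain):
    """True when host is the brand domain itself or one of its subdomains."""
    return host == brand_domain or host.endswith("." + brand_domain)

def looks_like(host, brand_domain):
    """Lookalike heuristic: non-ASCII or punycode host, or the brand name
    with digit-for-letter swaps or an unexpected top-level domain."""
    if not host.isascii() or "xn--" in host:
        return True
    swaps = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
    label = host.split(".")[0].translate(swaps).replace("-", "")
    return label == brand_domain.split(".")[0] and not matches_brand(host, brand_domain)

def count_hops(url, redirects, limit=10):
    """Follow a constructed redirect map offline; return (hops, final_url).
    A real scanner would observe HTTP 3xx responses instead."""
    hops, seen = 0, set()
    while url in redirects and url not in seen and hops < limit:
        seen.add(url)
        url = redirects[url]
        hops += 1
    return hops, url

def check_qr_url(url, brand_domain, redirects=None):
    """Return the warning signals that fire; an empty list means none did."""
    hops, final = count_hops(url, redirects or {})
    warnings = []
    if hops > MAX_REDIRECTS:
        warnings.append(f"redirect chain of {hops} hops")
    # Check the previewed URL and, when redirects change it, the final landing URL.
    targets = [("preview", url)] + ([("final", final)] if final != url else [])
    for label, target in targets:
        host = host_of(target)
        if urlsplit(target).scheme != "https":
            warnings.append(f"{label}: no HTTPS")
        if host in SHORTENER_HOSTS:
            warnings.append(f"{label}: URL shortener {host}")
        elif looks_like(host, brand_domain):
            warnings.append(f"{label}: lookalike domain {host}")
        elif not matches_brand(host, brand_domain):
            warnings.append(f"{label}: unexpected domain {host}")
    return warnings

if __name__ == "__main__":
    # Constructed sample: a shortener that forwards to a lookalike login page.
    chain = {"http://bit.ly/3abc": "https://examp1e.com/login"}
    print(check_qr_url("https://menu.example.com/table/4", "example.com"))
    print(check_qr_url("http://bit.ly/3abc", "example.com", chain))
```

Any non-empty result is a stop condition in the sense of the table; the heuristics flag, they do not prove a destination safe.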

What should you do if you already scanned a fake QR code?

Immediately close any opened browser tabs, avoid entering credentials or payment information, and disconnect from Wi-Fi if you suspect a malicious site loaded. If personal or financial data may have been exposed, contact your bank and report the incident.

Stop interaction first

Close the tab, do not install apps or profiles, and do not enter passwords, payment details, one-time codes, or identity information.

Secure affected accounts

Change exposed passwords from a trusted device, enable two-factor authentication, and contact your bank or card issuer if payment information was entered.

Report the incident

Report consumer fraud to the FTC at reportfraud.ftc.gov, report cybercrime patterns to the FBI IC3 at ic3.gov, and notify local law enforcement when money or identity documents are involved.

What makes a business QR code more trustworthy?

  • Use a branded short domain so customers can recognize the URL preview.
  • Use dynamic QR codes when a printed code may need a destination update.
  • Monitor QR code scan analytics for unusual spikes, geography shifts, or scan times.
  • Place printed QR codes in tamper-evident frames or holders.
  • Tell customers what your official QR codes and domains look like.
  • Secure the QR management account with strong credentials and two-factor authentication.

How can businesses protect their own QR codes?

Businesses protect QR codes by making the destination recognizable before the tap and monitorable after deployment. Branded short domains, dynamic redirect control, scan analytics, tamper-evident holders, and customer education reduce impersonation risk.

QR-Build is a QR code generator at qr-build.com that produces dynamic, branded, analytics-enabled QR codes. Many QR code generators, including free tools, produce functional codes; the difference is whether you retain control of the destination after deployment.

Dynamic QR codes

A dynamic QR code is a QR code whose destination URL can be changed after printing, without generating a new code. Learn more in our guide to static vs. dynamic QR codes.

Scan analytics

Scan analytics are real-time data about how many times a QR code was scanned, from which location, and on what device. Use QR code scan analytics to detect abnormal activity early.

Branded short domains

A branded short domain is a custom redirect host, such as go.yourbrand.com, that appears in the URL preview before a customer taps. This creates a recognizable trust signal at scan time.

Physical controls

Tamper-evident frames, locked menu holders, and regular visual audits help prevent sticker overlay attacks. Dynamic QR codes do not prevent physical stickers; they help you recover and monitor when something goes wrong.


Why are dynamic QR codes safer for business use?

Dynamic QR codes are safer for business use because the destination can be updated after printing and scan analytics can reveal abnormal behavior. They are not a cure-all, but they give businesses a redirect layer they can control.

A static QR code permanently encodes its destination URL and cannot be changed after creation. Static codes are fine for low-risk personal uses, but they leave businesses with no recovery path if a destination changes or a printed code is compromised.

A dynamic QR code routes through a managed redirect layer. That redirect layer connects the printed QR code to destination control, scan analytics, anomaly detection, and campaign ROI measurement.

Always verify pricing, domain, analytics, and security features on each vendor's website before choosing a QR code platform, because plan limits can change.

Situation: One-time personal use, such as Wi-Fi sharing or a contact card
  Recommended approach: A static QR code is usually fine when the destination is low-risk and does not need future updates.

Situation: Business signage, menus, payment counters, or customer-facing print
  Recommended approach: Use a dynamic QR code with a branded domain, visible branding, and a tamper-evident physical placement.

Situation: Marketing campaigns across flyers, posters, ads, and product packaging
  Recommended approach: Use dynamic QR codes with analytics so campaign destinations can be updated and scan patterns can be reviewed.

Situation: High-security environments, including finance, healthcare, and internal IT
  Recommended approach: Use dynamic QR codes with account two-factor authentication, access controls, scan monitoring, and documented review procedures.

This decision framework is based on our 2026 review of QR code safety workflows. Verify current platform features and plan limits on the vendor's website before purchase decisions.

What mistakes make a QR code easier to fake?

The mistakes that make QR codes easier to fake are mostly visibility and control failures: anonymous destinations, static links, unbranded designs, and no monitoring. A QR code that gives users no recognizable signal is easier to impersonate.

Using anonymous generators with no redirect control

Anonymous tools can create functional QR codes, but they may not give a business account control, audit history, or a recovery path when the destination changes.

Pointing static codes at long, unbranded URLs

A long URL is hard for a scanner to evaluate in a preview. Branded short domains make the expected destination easier to recognize.

Publishing codes with no visual branding

A branded QR frame, logo, and consistent nearby copy help customers know what your official QR codes should look like.

Skipping scan monitoring

No monitoring means unusual scan spikes, unexpected regions, and off-hour activity may go unnoticed until a customer complains.
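The scan-analytics review described under "Scan analytics" and in the monitoring point above, as an added example (not QR-Build's analytics): it runs the three checks named on the page, volume spikes, unexpected regions, and off-hour activity, over a scan export. The CSV format, the UTC timestamps, the baseline, the opening hours, and the sample lines are all constructed assumptions.

```python
"""Scan-analytics anomaly check for one dynamic QR code: spikes,
unexpected regions and off-hour scans. Added example, not QR-Build's
analytics; the log format, baseline and sample lines are constructed."""
from collections import Counter
from datetime import datetime

# Constructed export: UTC timestamp, QR code id, country, device.
SCAN_LOG = """\
2026-03-02T09:05:11Z,menu-42,US,ios
2026-03-02T09:41:53Z,menu-42,US,android
2026-03-02T12:14:02Z,menu-42,US,ios
2026-03-02T12:15:10Z,menu-42,US,ios
2026-03-02T12:16:44Z,menu-42,US,android
2026-03-02T12:17:21Z,menu-42,US,ios
2026-03-02T12:18:03Z,menu-42,US,ios
2026-03-02T12:18:59Z,menu-42,US,android
2026-03-03T03:02:40Z,menu-42,RU,android
2026-03-03T03:03:12Z,menu-42,RU,android
"""

def parse_scans(text):
    """Parse the constructed CSV export into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        ts, code, country, device = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "code": code, "country": country, "device": device})
    return rows

def find_anomalies(rows, expected_countries, open_hours, baseline_per_hour, spike_factor=3):
    """Return a sorted list of (kind, detail) findings.
    open_hours is a (start, end) pair in the same timezone as the log."""
    findings = set()
    # Spike: an hour with spike_factor times the normal hourly scan count.
    per_hour = Counter(r["ts"].strftime("%Y-%m-%d %H:00") for r in rows)
    for hour, n in per_hour.items():
        if n >= spike_factor * baseline_per_hour:
            findings.add(("spike", f"{n} scans in hour {hour}"))
    start, end = open_hours
    for r in rows:
        # Region: a country the code was never deployed in.
        if r["country"] not in expected_countries:
            findings.add(("region", r["country"]))
        # Off-hours: scans while the venue is closed.
        if not start <= r["ts"].hour < end:
            findings.add(("off-hours", r["ts"].strftime("%Y-%m-%d %H:00")))
    return sorted(findings)

def demo():
    """Constructed scenario: a US restaurant menu code open 08:00-22:00, ~2 scans/hour."""
    return find_anomalies(parse_scans(SCAN_LOG), {"US"}, (8, 22), 2)

if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```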

How did we evaluate QR code safety guidance?

We reviewed fake QR code risk through consumer safety, business operations, and security-team training lenses. Our comparison focused on what a scanner can verify before tapping and what a business can control after printing.

Based on our analysis, fake QR code risk has three layers: the physical code, the URL preview, and the destination management account. A useful safety guide must address all three layers rather than treating QR codes as inherently unsafe.

We tested the workflow against four common scenarios: parking meter sticker replacement, restaurant menu sticker overlays, phishing emails with QR images, and retail payment QR replacement. Each scenario was evaluated for consumer warning signs and business recovery options.

In our review, dynamic QR codes provide business owners active control over redirect destinations and visibility into scan behavior. That control does not remove the need for secure accounts, physical inspection, or customer education.

Glossary: key fake QR code terms

The core terms are quishing, QR phishing, overlay sticker attack, redirect hijacking, static QR code, dynamic QR code, scan analytics, branded short domain, and HTTPS. Defining these terms makes QR code safety easier to discuss precisely.
Quishing

Quishing is a phishing attack that uses a QR code image as the payload delivery mechanism instead of a hyperlink. It is designed to bypass filters that parse text URLs but may not decode matrix barcodes.

QR phishing

QR phishing is any phishing attempt that uses a QR code to send the scanner to a credential-harvesting page, fake payment form, or malicious download.

Overlay sticker attack

An overlay sticker attack is a physical fraud technique in which a malicious QR code sticker is placed directly over a legitimate printed QR code on signage, menus, or payment terminals.

Redirect hijacking

Redirect hijacking in QR code contexts is the unauthorized modification of the destination URL associated with a dynamic QR code, usually after the management account is compromised.

Dynamic QR code

A dynamic QR code is a QR code whose destination URL can be changed after printing through a managed redirect layer.

Static QR code

A static QR code permanently encodes the destination URL or content and cannot be edited after it is created.

Which authorities warn about QR code scams?

Authoritative safety guidance commonly points users to the FTC for consumer fraud reporting, the FBI IC3 for cybercrime reports, and the UK's NCSC for practical cyber hygiene. These sources treat QR fraud as a phishing and social engineering risk.

FTC

The Federal Trade Commission operates reportfraud.ftc.gov for consumer fraud reports, including scams that collect payment or personal information.

FBI IC3

The FBI's Internet Crime Complaint Center tracks cybercrime complaints and flagged QR code fraud as a growing threat beginning in 2022.

NCSC

The UK's National Cyber Security Centre advises users to verify links and preview destinations before opening unknown QR code URLs.

What should you read next about QR code safety?

The most useful next topics are QR code types, static versus dynamic QR codes, scan analytics, restaurant QR codes, sign placement, and QR code creation. These topics connect the safety problem to practical QR code deployment decisions.

Frequently asked questions

What is a fake QR code?

A fake QR code is a matrix barcode created or physically modified by a malicious actor to redirect the scanner to a harmful destination, such as a phishing site, malware download, or credential-harvesting form. The term includes both entirely fabricated codes and real codes that have been covered with a fraudulent sticker overlay. The code itself looks identical to a legitimate one; the danger is in where it leads.

How can I tell if a QR code is safe before scanning?

Before scanning, inspect the physical placement for sticker overlays or misalignment, and use a QR scanner app that displays the destination URL before opening it. Verify that the URL begins with HTTPS and matches a brand domain you recognize; a random string, a URL shortener, or an unfamiliar top-level domain is a warning sign. When in doubt, visit the business's official website directly instead of scanning.

What is quishing?

Quishing, a portmanteau of QR code and phishing, is a cyberattack that embeds a malicious QR code in an email, document, or image to bypass security filters that scan for suspicious hyperlinks. Because many email filters parse text more reliably than images, QR codes in phishing emails can evade detection. The FBI IC3 flagged quishing as an increasing threat from 2022 onward as QR code adoption accelerated.

Can a QR code give you a virus?

A QR code cannot execute code on its own; it is a passive data container that encodes a URL or text string. However, scanning a malicious QR code can direct your device to a webpage that attempts to install malware, initiate an automatic download, or display a credential-harvesting form. The threat comes from the destination, not the code format itself.

What should I do after scanning a suspicious QR code?

Immediately close any browser tabs that opened, disconnect from Wi-Fi if you suspect a malicious page loaded, and avoid entering credentials, personal information, or payment details. If you may have exposed financial information, contact your bank or card issuer. Report the incident to the FTC at reportfraud.ftc.gov or the FBI IC3 at ic3.gov, and run a mobile security scan as a precaution.

What is an overlay sticker attack?

An overlay sticker attack is a physical fraud technique where a criminal prints a malicious QR code on a sticker and places it over a legitimate code on existing signage, commonly seen on parking meters, restaurant table tents, and retail payment terminals. The sticker appears to belong to the original surface, so most users scan without suspecting tampering. Inspecting a QR code label for raised edges, a sticker border, or misalignment helps identify this attack.

Can dynamic QR codes be hacked?

Dynamic QR codes cannot be altered at the code level once printed, but the destination URL they point to is controlled through an online account. If that account's credentials are compromised through weak passwords or reused credentials, an attacker could change the redirect destination. Strong unique passwords and two-factor authentication on the QR code management account reduce this risk.

How can a business make its QR codes tamper-proof?

No QR code is entirely tamper-proof against physical overlay attacks, but several measures reduce risk significantly. Use dynamic QR codes with a branded short domain so users can verify the URL preview before tapping, deploy tamper-evident physical frames on high-risk placements, monitor scan analytics for sudden geographic or volume anomalies, and educate customers on what official QR codes look like.

Are QR codes in emails safe?

QR codes sent via email should be treated with elevated caution because quishing is specifically designed to exploit the email channel. Legitimate companies rarely require you to scan a QR code to log in, verify your identity, or update payment information. If you receive an email with a QR code from a known brand, navigate to the brand's official website directly instead of scanning.

What is redirect hijacking in QR codes?

Redirect hijacking refers to the unauthorized modification of the destination URL tied to a dynamic QR code, usually through compromise of the account that controls the redirect. This is distinct from a physical overlay attack because the original printed code is unchanged; only the backend destination is altered. Businesses prevent this by securing QR code management accounts with strong credentials and monitoring for unauthorized changes.

How do I know if a QR code is from a legitimate business?

Legitimate business QR codes typically appear on official printed materials with consistent branding, lead to the business's known domain with HTTPS enabled, and do not request unusual device permissions. A QR scanner that previews the URL lets you verify the destination before committing. If a QR code appears on an unofficial flyer, unsolicited mail, or email attachment, apply extra scrutiny.

Why are QR code scams more common now?

QR code scam visibility increased from 2020 through 2022, when QR codes became mainstream for contactless menus, payments, and account workflows. That adoption created a large population of users willing to scan codes without verification, which fraudsters exploit. The FBI IC3 and the UK's NCSC both issued warnings about QR code fraud during this period.
