QR Codes
How to scan and create QR codes, and how to avoid QR code phishing scams
QR codes are those square barcode patterns you see on restaurant menus, parking meters, event tickets, and product packaging. They encode information – usually a URL – that your phone can read with its camera. No extra app needed.
They're genuinely useful, but they've also become a tool for scammers. Here's how to scan them, create them, and avoid the ones trying to steal your information.
How to scan a QR code
You don't need a QR code scanner app. Your phone's built-in camera handles it.
On iPhone:
- Open the Camera app
- Point it at the QR code – you don't need to take a photo
- A notification banner appears at the top showing the link
- Tap the banner to open it
If it's not working, check that QR code scanning is enabled: Settings > Camera > Scan QR Codes should be toggled on.
On Android:
- Open the Camera app
- Point it at the QR code
- A link or prompt appears on screen
- Tap to open it
On some Android phones, you can also swipe down to open Quick Settings and tap the QR code scanner tile. Google Lens (available in the Google app or from the camera) also scans QR codes and shows you where the link goes before you open it.
From a screenshot or image:
If someone sends you a QR code as a photo or you have a screenshot, you can scan it without a second phone:
- iPhone: Open the image in Photos, and if iOS detects a QR code it will show a Live Text button. You can also long-press the QR code in the image
- Android: Open the image in Google Photos and tap the Lens icon, or open Google Lens directly and choose the image
- Desktop: Use your browser – Google Lens in Chrome can read QR codes from images. Or paste the image into an online QR code reader
How to create a QR code
You can generate a QR code for any URL, text, Wi-Fi network, or contact info.
Free online generators:
- qr-code-generator.com – Simple, no account needed
- Chrome browser: On desktop, click the share icon in the address bar and select Create QR Code to generate one for the current page
What you can encode:
- A website URL (most common)
- Plain text
- Wi-Fi network credentials (so guests can scan to join your Wi-Fi)
- Contact information (vCard)
- Email address or phone number
QR codes are static by default – the encoded data is baked into the pattern. Some paid services offer "dynamic" QR codes where you can change the destination URL later, which is useful for marketing but also how some scams work.
QR code phishing (quishing)
Scammers are increasingly using QR codes to get around email filters and trick people into visiting malicious sites. This is called "quishing" – QR code phishing.
How it works:
- You receive an email, letter, or flyer with a QR code
- The message creates urgency: "Scan to verify your account," "Scan to avoid a parking fine," "Scan to update your payment method"
- The QR code sends you to a fake website that looks like a legitimate service (your bank, Microsoft, a government agency)
- You enter your credentials on the fake site, and the attacker now has them
Email filters are good at catching malicious links in text, but a QR code is just an image – harder for automated systems to analyze.
Real-world quishing examples:
- Fake parking meter stickers placed over real QR codes, sending you to a phishing payment site
- Emails from "IT" asking you to scan a QR code to "re-authenticate" your company account
- Physical mail claiming to be from your bank with a QR code to "verify your identity"
- Restaurant table stickers redirecting to credit card skimming sites instead of the real menu
When to be cautious with QR codes
Check the URL before you tap it. When you scan a QR code, your phone shows you the link before opening it. Take a second to actually read it:
- Does the domain look right? yourbank.com is fine. yourbank.secure-login.com is not – that's a subdomain of secure-login.com, not your bank
- Is it a shortened URL (bit.ly, t.co)? Be cautious – these hide the real destination. If possible, use a URL expander to see where it actually goes
- Does it use HTTP instead of HTTPS? Legitimate services use HTTPS
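The same three checks can be automated. The following is an added example, not part of the original article: a small Python function that applies them to the text decoded from a QR code. The function name, warning labels and sample URLs are made up for illustration, and yourbank.com stands in for whichever domain you expected.

```python
from urllib.parse import urlsplit

# Shorteners named in the article; the list is illustrative, not complete.
SHORTENERS = {"bit.ly", "t.co"}


def check_qr_url(url, expected_domain):
    """Return warnings for a URL decoded from a QR code.

    expected_domain is the site you think you are visiting, e.g. the
    article's placeholder "yourbank.com". Names here are hypothetical.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable"]
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()

    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]

    if host in SHORTENERS:
        # The real destination is hidden behind a redirect.
        warnings.append("shortened-url")
    elif host != expected and not host.endswith("." + expected):
        # Domains read right to left: the host must END with the expected
        # domain. The brand appearing further left proves nothing.
        brand = expected.split(".")[0]
        warnings.append("lookalike-domain" if brand in host
                        else "unexpected-domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, not taken from real QR codes.
    for sample in ("https://yourbank.com/login",
                   "https://yourbank.secure-login.com/verify",
                   "https://bit.ly/abc123",
                   "http://yourbank.com/pay"):
        print(sample, "->", check_qr_url(sample, "yourbank.com") or "ok")
```

An empty result means none of these checks fired; it does not prove the page behind the link is genuine.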
Be suspicious when:
- A QR code appears on a sticker placed over another QR code (especially on parking meters, restaurant tables, or vending machines)
- An email tells you to scan a QR code instead of clicking a link – this is often done specifically to bypass security filters
- The QR code leads to a login page you weren't expecting
- Someone sends you an unsolicited QR code via text, email, or social media
- A printed QR code in a public place looks tampered with or recently applied
Safer alternatives:
- Instead of scanning a QR code to "log in" to a service, open the app or website directly by typing the address
- For parking meters and payments, use the official app mentioned on the meter itself
- If a QR code at a restaurant seems off, ask the server for a physical menu or look up the restaurant's website yourself
Frequently Asked Questions
Do I need a QR code scanner app?
No. Both iPhone and Android have built-in QR code scanning in the camera app. Third-party QR scanner apps are unnecessary and some are actually adware. Delete them if you have any installed.
Can a QR code install malware on my phone?
A QR code itself is just a link – it can't directly install anything. But it can send you to a website that tries to trick you into downloading malware or entering your credentials. The risk is the destination, not the QR code. Always check the URL before interacting with the page.
How do I know if a QR code is safe?
Check the URL your phone shows before tapping. Look for a legitimate domain, HTTPS, and a URL that makes sense for the context. If a QR code on a parking meter sends you to a random domain instead of the city's official payment site, don't proceed. When in doubt, navigate to the service directly instead of using the QR code.
Can QR codes steal my information just by scanning?
No. Scanning a QR code with your camera only reads the encoded data (usually a URL). It doesn't transmit any of your information. The risk comes after you tap the link and interact with the destination site – entering passwords, payment info, or downloading files.
What's the difference between static and dynamic QR codes?
A static QR code has the URL permanently encoded in the pattern – it always goes to the same place. A dynamic QR code redirects through a service that can change the destination URL at any time. Dynamic codes are useful for businesses but can be abused: a code that was safe yesterday could redirect somewhere malicious today. Prefer scanning codes from trusted, permanent sources.