Why QR codes are a scammer's favourite trick
With a normal link you can at least glance at the web address before you tap it. A QR code hides the address completely until your phone opens it, and by then you may already be on the scam page. Scammers also know that people scan QR codes in a hurry, in public, without thinking. That combination of "hidden destination" and "quick, distracted tap" is exactly what they want.
There are two main flavours. The first is a QR code sent to you (in an email, text, or flyer) that leads somewhere bad. The second is a fake QR sticker placed over a real one in a public place.
1. The sticker placed over the real code
This is the one most people have never heard of. Scammers print their own QR sticker and stick it directly on top of a legitimate one. Common targets: parking meters, restaurant menus and table tents, posters and flyers, charity donation signs, and electric-vehicle chargers.
Before you scan a code in a public place, look at it for a second:
- Is it a sticker on top of something else? Peeling edges, a slightly raised square, or a code that covers part of the printed design are all signs one was added later.
- Does it match the surroundings? A crisp white sticker on a weathered old sign, or a code in a slightly different style to the rest of the poster, is worth a second look.
- Is there any tampering? If the official code looks like it has been covered, scratched, or replaced, do not scan it. Pay or check in another way.
2. The QR code that arrives uninvited
If a QR code turns up in an email, text message, or direct message and wants you to scan it, slow down. Real organisations rarely need you to scan a code from a message, because they could just give you a normal link or ask you to log in the usual way. Treat these the same way you would treat any unexpected link. Typical examples:
- A message claiming your account is locked, a parcel is held, or a fine is owed, with a QR code to "fix it".
- An email that puts the QR code in an attached image, which is a way of slipping past some email filters.
- Anything that pushes you to scan quickly to avoid a consequence. Real consequences do not have countdowns.
3. Check the destination before you act on it
Most phone cameras show a preview of the web address when they read a QR code, before they open it. That preview is your moment to check. Read it the same way you would read any link:
- Does the address match the brand? A code on a bank's poster should lead to the bank's own address, not a stranger's site or a random string of letters.
- Is it a shortened link hiding the real destination? Scammers often put a link-shortener behind a QR code so even the preview tells you nothing. If you can't tell where it really goes, don't go there.
- Does the page ask for too much? If scanning a code drops you on a page asking for your password, card number, or a crypto wallet's recovery phrase, stop. A menu or a parking payment does not need your bank login.
When you can't tell, copy the address from the preview and paste it into AVA before you open it. If your phone has already opened the page, you can paste the address from the browser bar instead.
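For anyone building this check into a scanner or helpdesk tool, the preview checks above can be written down as code. This is an added example, not part of the original article or of AVA; the function name, flag names, shortener list and `examplebank.test` addresses are constructed for illustration, and it also flags a few signs beyond the list above (plain http, a raw IP address, text before an `@`, punycode labels).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list for illustration; a real check would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_qr_url(decoded: str, expected_domain: str) -> list[str]:
    """Return warning signs for the address a QR code decodes to."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return ["unparseable"]
    expected = expected_domain.lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if has_userinfo:
        # Text before "@" is not the host; it can hold a brand name as a decoy.
        flags.append("userinfo-before-host")
    if host in SHORTENERS:
        # The preview cannot show the real destination behind a shortener.
        flags.append("shortener-hides-destination")
    elif _is_ip(host):
        flags.append("raw-ip-host")
    elif host != expected and not host.endswith("." + expected):
        # The brand appearing somewhere in the address is not enough:
        # the host must BE the brand's domain or a subdomain of it.
        flags.append("off-brand-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")
    return flags
```

An empty list means none of these signs were found, not that the page is safe; a shortened or redirecting address still has to be followed to its real destination before it can be judged.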
Simple habits that keep you safe
- Prefer typing an address yourself, or using an app you already trust, over scanning a code someone handed you.
- For payments, use the official app or the address printed in your own paperwork, not a code on a sign you can't verify.
- Use your phone camera's built-in scanner, which shows the address preview, rather than a random "QR scanner" app that may open links instantly.
- If a code in a public place looks added or tampered with, report it to whoever owns the location.
When in doubt, check
You do not have to figure out every QR code by eye. Paste the address it points to into the main check tool and let AVA score it. Free for the first five checks a day, no signup required. AVA follows the link to where it actually leads, so a shortened or redirected address still gets checked against its real destination. If you have already entered details into a page you reached by scanning, change that password on the real site, tell your bank if money is involved, and report it so others can be warned.