safety & scams
Are QR codes safe? How to spot a fake
Yes — the risk isn't the code, it's where it sends you. A plain-English guide to 'quishing' QR scams: how the fake-sticker trick works, and how to spot one.
The short answer
Yes. Making a QR code is safe, and scanning one is about as risky as tapping a link — which is to say, it depends entirely on where it goes. The code itself is inert: a printed grid of black and white squares that holds a bit of text, almost always a web address. It can’t run anything on your phone, install anything, or reach into your accounts. All it does is hand a link to your camera, and your camera offers to open it.
So when you read about “dangerous QR codes”, the danger isn’t in the squares. It’s the same danger as a dodgy link in an email or text: the destination is a scam, and the code is just the delivery van. Understand that one distinction and the whole subject gets a lot calmer.
What “quishing” actually is
“Quishing” is simply phishing that uses a QR code instead of a clickable link. The con almost always works the same way in the real world: a scammer prints a neat, weatherproof sticker with their own malicious code and sticks it over the top of a genuine one — on a car-park meter, an EV charger, a restaurant menu, a parcel-locker screen. You scan what looks like the official code, land on a page that mimics the real payment or login site, and hand your card details or password straight to the criminal.
It works for one specific reason: a QR code hides its destination. With a normal link you can read the URL before you tap it and think “that’s not really my bank”. A code gives you nothing to read — you point, you trust, you’re already on the page. Quishing exists to exploit that missing sanity-check.
It’s worth being clear about what a code can’t do, because scare stories blur this. A code can’t silently empty your account just from being scanned. Every real quishing loss needs a second step from you: entering a card number, typing a password, approving a payment. The code opens the door; the theft still happens on the page you land on. That’s genuinely good news, because it means a moment’s attention at the right point stops the whole thing.
How big a problem is it, really?
Real, growing, but not a reason to fear every code. In the UK, Action Fraud received 784 reports of quishing between April 2024 and April 2025, with almost £3.5 million lost — roughly £10,000 a day. Reports have climbed steeply over the past few years as scammers moved the tactic from email inboxes out onto the street.
Car parks have been hit hardest. An investigation by the Bureau of Investigative Journalism found that of 373 UK local authorities that responded, 123 — around one in three — said their car parks had been targeted in the past year, and traced one operation in Leamington Spa to an international fraud network. Several councils, including West Berkshire and Reading, have warned drivers directly: some don’t use QR codes for parking payment at all, so any code on the machine is a red flag.
The takeaway isn’t “stop scanning”. It’s “know the two or three places these scams cluster, and slow down there.”
How to spot a fake
- Look at the code physically. A fraudulent code is usually a sticker laid over the real one. Check for a peeling edge, an air bubble, a raised or slightly-off surface, or a code that’s a different finish from the sign it’s on. If it looks stuck-on, don’t scan it — pick at the corner and you may find the genuine one underneath.
- Read the link before you open it. This is the big one. Your phone’s built-in camera shows the web address before it goes anywhere — a yellow banner at the top on iPhone, a tappable chip on Android. Actually read it. Does the domain match the company you expect, spelled correctly, with no odd extra words or random characters? A lookalike like
westberks-parking-pay.comis the whole scam in one glance. (Third-party “QR scanner” apps often skip this preview — another reason to just use your normal camera.) - Be suspicious of what it asks for. Landing straight on a login, a card-payment form, or a request for a bank one-time passcode — from scanning a sticker in the street — is the classic pattern. Legitimate parking and menus rarely need your card the instant you scan. Urgency (“pay within 10 minutes or be fined”) is a pressure tactic, not a real deadline.
- When in doubt, don’t use the code at all. For parking, the safest habit is to ignore the sticker and pay through the official app — search for it by name in the App Store or Google Play, or type the operator’s known web address yourself. For a bank or delivery, go to the app or site you already use. Reaching a real service another way costs you thirty seconds and removes the risk entirely.
If a code simply won’t scan, by the way, that’s usually damage or print quality rather than anything sinister — why won’t my QR code scan? covers the ordinary reasons.
If you think you’ve scanned a bad one
Don’t panic — and remember, unless you entered details on the page, you’ve very likely lost nothing. Then:
- Entered card details? Contact your bank straight away (there’s usually a number on the back of your card) and ask them to stop the card. UK banks have fraud teams for exactly this.
- Typed a password? Change it now, and anywhere else you reused it. Turn on two-factor authentication if it wasn’t already.
- Report it. In the UK, report to Action Fraud at actionfraud.police.uk or 0300 123 2040 (in Scotland, call Police Scotland on 101). Suspicious texts can be forwarded free to 7726. And tell whoever owns the location — the council or car-park operator can pull the sticker so the next person doesn’t fall for it.
Why a dottr code has nothing to hijack
Here’s the honest tie-back. Quishing depends on a destination that can be swapped for a bad one. Some QR codes are “dynamic” — they don’t hold the real address at all, just a short redirect through a vendor’s server, and whoever controls that server decides where every scan lands. That indirection is convenient, and it’s also the seam scammers and lapsed subscriptions exploit. Our static vs dynamic guide and the piece on how short links work walk through the trade-off; it’s the same reason a redirect can quietly stop working or change.
Every code dottr makes is static and built entirely in your browser. The address you type is the code — there’s no server of ours in the middle, no account, nothing stored, and so nothing we (or anyone else) could ever re-aim. It also means the danger flows the other way round from quishing: because there’s no redirect to hijack, the only place your code can send someone is exactly where you pointed it. You can make one free in your browser and read the whole payload yourself before you print it.
The calm version
QR codes are a safe, brilliantly useful bit of technology — you use them for menus, WiFi, tickets and payments precisely because they work. The scam isn’t the code; it’s a fake link wearing a code as a disguise, and it only pays off if you type something into the page it opens. Glance at the sticker, read the link your phone shows you, and be wary of anything that wants your money or password the instant you scan. Do that, and you get all the convenience with almost none of the risk. When you want to make your own, dottr builds honest, static codes for free — and nothing you type ever leaves your device.