no login · no cookies · works offline

safety & scams

Are QR codes safe? How to spot a fake

Yes — the risk isn't the code, it's where it sends you. A plain-English guide to 'quishing' QR scams: how the fake-sticker trick works, and how to spot one.

The short answer

Yes. Making a QR code is safe, and scanning one is about as risky as tapping a link — which is to say, it depends entirely on where it goes. The code itself is inert: a printed grid of black and white squares that holds a bit of text, almost always a web address. It can’t run anything on your phone, install anything, or reach into your accounts. All it does is hand a link to your camera, and your camera offers to open it.

So when you read about “dangerous QR codes”, the danger isn’t in the squares. It’s the same danger as a dodgy link in an email or text: the destination is a scam, and the code is just the delivery van. Understand that one distinction and the whole subject gets a lot calmer.

What “quishing” actually is

“Quishing” is simply phishing that uses a QR code instead of a clickable link. The con almost always works the same way in the real world: a scammer prints a neat, weatherproof sticker with their own malicious code and sticks it over the top of a genuine one — on a car-park meter, an EV charger, a restaurant menu, a parcel-locker screen. You scan what looks like the official code, land on a page that mimics the real payment or login site, and hand your card details or password straight to the criminal.

It works for one specific reason: a QR code hides its destination. With a normal link you can read the URL before you tap it and think “that’s not really my bank”. A code gives you nothing to read — you point, you trust, you’re already on the page. Quishing exists to exploit that missing sanity-check.

It’s worth being clear about what a code can’t do, because scare stories blur this. A code can’t silently empty your account just from being scanned. Every real quishing loss needs a second step from you: entering a card number, typing a password, approving a payment. The code opens the door; the theft still happens on the page you land on. That’s genuinely good news, because it means a moment’s attention at the right point stops the whole thing.

How big a problem is it, really?

Real, growing, but not a reason to fear every code. In the UK, Action Fraud received 784 reports of quishing between April 2024 and April 2025, with almost £3.5 million lost — roughly £10,000 a day. Reports have climbed steeply over the past few years as scammers moved the tactic from email inboxes out onto the street.

Car parks have been hit hardest. An investigation by the Bureau of Investigative Journalism found that of 373 UK local authorities that responded, 123 — around one in three — said their car parks had been targeted in the past year, and traced one operation in Leamington Spa to an international fraud network. Several councils, including West Berkshire and Reading, have warned drivers directly: some don’t use QR codes for parking payment at all, so any code on the machine is a red flag.

The takeaway isn’t “stop scanning”. It’s “know the two or three places these scams cluster, and slow down there.”

How to spot a fake

If a code simply won’t scan, by the way, that’s usually damage or print quality rather than anything sinister — why won’t my QR code scan? covers the ordinary reasons.

If you think you’ve scanned a bad one

Don’t panic — and remember, unless you entered details on the page, you’ve very likely lost nothing. Then:

Why a dottr code has nothing to hijack

Here’s the honest tie-back. Quishing depends on a destination that can be swapped for a bad one. Some QR codes are “dynamic” — they don’t hold the real address at all, just a short redirect through a vendor’s server, and whoever controls that server decides where every scan lands. That indirection is convenient, and it’s also the seam scammers and lapsed subscriptions exploit. Our static vs dynamic guide and the piece on how short links work walk through the trade-off; it’s the same reason a redirect can quietly stop working or change.

Every code dottr makes is static and built entirely in your browser. The address you type is the code — there’s no server of ours in the middle, no account, nothing stored, and so nothing we (or anyone else) could ever re-aim. It also means the danger flows the other way round from quishing: because there’s no redirect to hijack, the only place your code can send someone is exactly where you pointed it. You can make one free in your browser and read the whole payload yourself before you print it.

The calm version

QR codes are a safe, brilliantly useful bit of technology — you use them for menus, WiFi, tickets and payments precisely because they work. The scam isn’t the code; it’s a fake link wearing a code as a disguise, and it only pays off if you type something into the page it opens. Glance at the sticker, read the link your phone shows you, and be wary of anything that wants your money or password the instant you scan. Do that, and you get all the convenience with almost none of the risk. When you want to make your own, dottr builds honest, static codes for free — and nothing you type ever leaves your device.

Someone ask where you got this?

dottr this page

Drag to your bookmarks bar — then on any site, get its QR and add it to your wallet in a tap.