QR Code Safety Scanner
Decode QR codes safely before opening. Upload an image containing a QR code to see the hidden content — URLs, text, WiFi credentials, or contact cards. Flags suspicious domains, phishing patterns, and non-HTTPS links. 100% browser-based using the jsQR library.
QR code decoding runs entirely in your browser using the jsQR JavaScript library. No images or decoded data are transmitted to any server.
JPEG, PNG, WebP • Screenshot or photo • Never uploaded
Key Facts
- Quishing Threat: QR code phishing (quishing) attacks increased 587% between 2022 and 2023 (SlashNext 2023 Report)
- Hidden Danger: Unlike visible text links, QR codes completely hide their destination. You cannot tell what a QR code contains just by looking at it
- Content Types: QR codes can contain URLs, plain text, WiFi credentials, email addresses, phone numbers, vCards, calendar events, and cryptocurrency addresses
- Safety Checks: Our scanner flags IP-based URLs, non-HTTPS links, URL shorteners, suspicious TLDs, unusual ports, and excessively long URLs
- Decoder: Uses the jsQR library (open source), loaded on demand. All processing happens in browser memory
Common QR Code Scams to Watch For
- Parking Meter Stickers: Fake QR codes placed over legitimate payment codes on parking meters, redirecting to phishing payment pages
- Restaurant Menu Overlays: Malicious QR stickers placed over real restaurant menu codes, leading to fake sites that steal payment info
- Package Delivery Scams: QR codes in fake delivery notifications leading to credential-harvesting sites
- Crypto Scams: QR codes that redirect payment to attacker wallets instead of legitimate merchant addresses
- WiFi Credential Theft: QR codes that connect your device to attacker-controlled WiFi networks for man-in-the-middle attacks
- Fake Event Tickets: Counterfeit QR codes on tickets that redirect to payment pages or malware downloads
How to Stay Safe with QR Codes
- Always preview: Use a safety scanner (like this tool) to decode QR codes before visiting the URL
- Check the URL: Look for HTTPS, verify the domain matches the expected brand, watch for typosquatting (paypa1.com vs paypal.com)
- Beware of stickers: If a QR code appears to be a sticker placed over another code, it is likely a scam
- Avoid URL shorteners: bit.ly, tinyurl, and similar services hide the real destination. Expand them first
- Never enter credentials: Legitimate services rarely ask for login credentials through QR-redirected pages
- Check the context: An unexpected QR code in an email, text message, or public place deserves extra scrutiny
Frequently Asked Questions
Why should I check QR codes before scanning?
QR codes can contain malicious URLs leading to phishing sites, malware downloads, or fake payment pages. Unlike visible links, QR codes completely hide their destination. Quishing (QR phishing) attacks increased 587% between 2022 and 2023 according to SlashNext. Always decode and inspect the URL before visiting.
What types of content can QR codes contain?
QR codes can encode URLs, plain text, email addresses (mailto:), phone numbers (tel:), WiFi credentials (WIFI:), calendar events, contact cards (vCard), geographic coordinates, SMS messages, and cryptocurrency payment requests. Our scanner identifies the content type and flags potentially dangerous payloads.
How does this tool detect suspicious QR codes?
The scanner checks decoded URLs for common phishing patterns including IP-address-based URLs (e.g., http://192.168.1.1), unusual port numbers, suspicious TLDs, URL shortener services that hide the real destination, non-HTTPS links, data: URIs, and excessively long URLs designed to obscure the real domain.
Is the QR code image uploaded to your server?
No. The image is processed entirely in your browser using the jsQR JavaScript library. The image data and decoded content never leave your device. You can verify by checking the Network tab in developer tools during scanning.
Can I use my phone camera to scan?
This tool accepts uploaded images (screenshots, photos of QR codes). On mobile, tapping "browse" opens your camera roll or allows you to take a photo. For real-time camera scanning, most phone cameras have built-in QR reading — but they often auto-open URLs without safety checks, which is exactly the risk this tool helps you avoid.