QR codes: are they safe and what are the risks?
- philviles
- Jun 12
Once a convenient tool for accessing websites or menus, QR codes have now become a widespread gateway to digital services. From restaurant tables to parcel delivery notifications, they're everywhere. But with convenience comes risk—and the UK’s National Cyber Security Centre (NCSC) has flagged some important concerns around QR code security.

In this post, we’ll explore the risks of scanning QR codes, how criminals are exploiting them, and what you can do to stay safe.
What Are QR Codes and Why Are They a Target?
Quick Response (QR) codes are two-dimensional barcodes that can store URLs, contact details, or payment information. When you scan one with your phone's camera, it often takes you directly to a website or app.
This directness is also what makes them attractive to cybercriminals. A malicious QR code can lead to a phishing site, download malware, or trick you into sharing sensitive information.
Risks of Scanning QR Codes
According to guidance from the NCSC, here are the key risks:
1. Phishing and Fraudulent Websites
QR codes can easily direct users to fake websites that mimic legitimate services (like banks or delivery companies). These sites may trick users into entering personal or financial details.
For example: A QR code on a parking meter might link to a spoofed payment site that steals your card information. Spoof QR codes were seen in some Leicester City Council car parks last year.
2. Malware Installation
Some QR codes can prompt the download of apps that contain malware - especially on devices where app permissions are too lax, or when the app comes from outside official app stores.
3. Credential Theft
When QR codes are used in phishing campaigns, they can be embedded in emails or posters. A scanned QR code might auto-fill login forms or redirect you to a fake login page.
4. Social Engineering
Attackers can place fraudulent QR codes over legitimate ones (called "QRishing"). For example, a cybercriminal may stick a malicious QR code over an official NHS or restaurant QR code.
How Safe Are QR Codes Really?
QR codes themselves aren’t inherently dangerous - they’re just a medium. The problem is that you can’t tell where a QR code will take you until after you scan it.
That’s why the NCSC advises treating QR codes with caution, especially in public places or if they appear in unexpected messages (like unsolicited emails or text messages).
Tips for Staying Safe
Here are some practical ways to protect yourself:
Preview the Link
Most smartphones now show the URL before opening it. Always check that the domain name looks legitimate and is spelled correctly.
Don’t Scan from Untrusted Sources
Avoid scanning QR codes from unknown posters, flyers, or suspicious emails. If you weren’t expecting it, treat it with suspicion.
Use a QR Scanner with Security Features
Some apps can verify whether a link is safe before opening it. Some antivirus apps also scan QR codes for threats.
Don’t Enter Sensitive Info After Scanning
Be cautious if a QR code takes you to a login or payment page. If in doubt, manually type in the known website URL instead.
Update Your Phone’s Software
Ensure your phone's operating system and apps are up to date to reduce vulnerabilities that malware could exploit.
What Should Businesses Do?
If your organisation uses QR codes:
- Avoid linking to sensitive actions (like payments or login) unless absolutely necessary.
- Use branded URLs so users can verify where they're going.
- Educate staff and customers on the risks of fake QR codes.
- Monitor for tampering in physical locations - check if anyone has stuck a new QR code over your signage.
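
One way an organisation could run the tampering check above, as an added example (not code from this post or from the NCSC): it takes the URL read back from each sign and compares it with the organisation's branded hostname. It also flags non-HTTPS links, a host hidden behind an "@", and punycode labels, which goes a little beyond the spelling check described earlier. The hostnames, site names and sample payloads are constructed placeholders, and the payloads are assumed to have been decoded already by any QR scanner.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's branded hostname (constructed placeholder).
EXPECTED_HOSTS = {"pay.council.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of a host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_qr_payload(payload: str, expected_hosts=EXPECTED_HOSTS) -> list:
    """Return findings for one decoded QR payload; an empty list means it matches."""
    findings = []
    url = urlsplit(payload.strip())
    host = (url.hostname or "").lower().rstrip(".")
    if url.scheme != "https":
        findings.append(f"scheme is {url.scheme or 'missing'!r}, expected 'https'")
    if url.username or url.password:
        findings.append("text before '@' is not the host; the real host follows it")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: host may display as a lookalike")
    if host not in expected_hosts:
        near = sorted(h for h in expected_hosts if 0 < edit_distance(host, h) <= 2)
        if near:
            findings.append(f"host {host!r} is a near-miss of {near[0]!r}")
        else:
            findings.append(f"host {host!r} is not an expected branded host")
    return findings

# Constructed sample: payloads read back from signage during a site check.
SIGNAGE = {
    "car-park-A": "https://pay.council.example/park?site=A",
    "car-park-B": "https://pay.counci1.example/park?site=B",
    "car-park-C": "http://pay.council.example@qr.invalid/x",
}

def audit_signage(signage=SIGNAGE) -> dict:
    """Audit every sign; maps site name to its list of findings."""
    return {site: audit_qr_payload(p) for site, p in signage.items()}

if __name__ == "__main__":
    for site, findings in audit_signage().items():
        print(site, "OK" if not findings else findings)
```

Any sign that returns findings should be inspected in person for an overlaid sticker.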
Conclusion
QR codes are here to stay, but they’re not risk-free. As the NCSC highlights, cybercriminals are exploiting them more often because they’re easy to manipulate and users tend to trust them.
By staying alert, being cautious of unknown QR codes, and encouraging good cyber hygiene, you can continue using this convenient technology - safely.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).