QR Code Security: What Can and Cannot Be Hacked

Separate fact from fiction when it comes to QR code security. Learn about quishing, malicious codes, and the simple habits that keep you safe every time you scan.

lococao · May 11, 2026 · 6 min read

QR codes are everywhere — on parking meters, restaurant tables, event posters, and product packaging. Their convenience is undeniable, but that same convenience has made them an attractive target for criminals. The good news is that QR codes themselves are not inherently dangerous. The bad news is that what they link to absolutely can be. Understanding the difference is the key to scanning safely.

Can a QR Code Be Hacked?

The short answer is no — not in the way most people imagine. A QR code is just an image containing text. It cannot execute code, install software, or access your phone’s data on its own. It is fundamentally passive, like a written note. When you scan a QR code, your phone translates the pattern into text — typically a URL — and then asks you whether you want to open it.

However, this does not mean QR codes are harmless. The danger lies entirely in the destination. A malicious QR code is simply a code that links to a malicious website. The code itself is not infected; it is just a delivery mechanism. Think of it like a letter bomb — the envelope is innocent, but what is inside is dangerous. This distinction matters because it tells you exactly what you need to protect yourself from: the destination, not the code.

Quishing: The QR Code Phishing Threat

Security researchers have coined the term "quishing" — QR phishing — to describe attacks that use QR codes to direct victims to fraudulent websites. The technique works because QR codes hide the destination URL. Unlike a hyperlink in an email, which you can hover over to preview, a QR code gives you no visual indication of where it leads until you scan it. Criminals exploit this opacity.

Figure: a QR code overlaid with a phishing hook icon on a dark background. Quishing attacks exploit the fact that QR codes hide their destination URL until scanned, making visual verification impossible.

Real-world quishing attacks have taken many forms. In 2022, criminals in several cities placed fraudulent parking meter stickers over legitimate QR codes. Drivers scanning the codes to pay for parking were redirected to fake payment pages that stole credit card details. In another widespread scheme, attackers email fake "package delivery failure" notices containing QR codes that lead to credential-harvesting login pages mimicking Amazon or DHL.

What a QR Code Cannot Do

It is also worth clearing up common misconceptions about QR code capabilities. A QR code cannot automatically install an app on your phone. It cannot download malware without your permission. It cannot access your camera, microphone, contacts, or location data. It cannot make phone calls or send text messages without you pressing a confirmation button. And it cannot drain your bank account simply by being scanned.

Every action a QR code initiates requires your explicit approval. When you scan a URL code, your phone shows the link and asks if you want to open it. When you scan a phone number code, your phone opens the dialer but does not place the call. When you scan a WiFi code, your phone shows the network details but does not connect until you tap. These built-in confirmation steps are your safety net.

  • QR codes cannot install apps automatically — app installation always requires your confirmation.
  • QR codes cannot access your camera, contacts, or location without permission prompts.
  • QR codes cannot make payments or transfers — payment apps require biometric or password verification.
  • QR codes cannot self-replicate or spread like computer viruses — they are static images.

How to Spot a Suspicious QR Code

Not every QR code is trustworthy, and some warning signs are visible before you even scan. Be especially cautious of codes placed as stickers over other codes — this is the most common physical tampering technique. If a parking meter, menu, or poster has a QR code sticker slapped on top of the original printed code, the sticker is almost certainly fraudulent.

Context matters too. A QR code printed on official signage inside a bank is probably legitimate. A QR code on a random flyer taped to a lamppost probably is not. Codes received unsolicited via email or text message should be treated with extreme skepticism, especially if the message creates urgency — "Your package will be returned today, scan now to reschedule" is a classic quishing lure.

Safe Scanning Habits

The most important safety habit is also the simplest: always preview the URL before opening it. Both iPhone and Android display the destination URL as a notification before navigating to the website. Take two seconds to read it. Does it match the organization you expect? Is it a legitimate domain, or a suspicious misspelling like "amaz0n-security.com" instead of "amazon.com"?
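The preview check described above, written out as an added example (it is not code from the original article): a Python function that takes the text a scanner decoded from a QR code and flags hosts that are not on an expected list, including digit-swapped lookalikes such as the "amaz0n-security.com" case. The allowlist, the warning tags, the 0.8 similarity threshold and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the domains expected in this context (constructed allowlist).
EXPECTED = ("amazon.com", "dhl.com")
# Digit-for-letter swaps, as in the article's "amaz0n" example.
DIGIT_SWAPS = str.maketrans("0135", "oles")


def check_qr_url(payload, expected=EXPECTED):
    """Return warning tags for a decoded QR payload; [] means an expected HTTPS host."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable"]
    if parts.scheme not in ("http", "https"):
        return ["non-web-scheme"]  # tel:, WIFI:, plain text: nothing to browse to
    warnings = ["plain-http"] if parts.scheme == "http" else []
    # Exact match or a subdomain of an expected domain (dot boundary required).
    if any(host == d or host.endswith("." + d) for d in expected):
        return warnings
    warnings.insert(0, "unexpected-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")
    # Undo digit swaps, then look for an expected brand name inside the host
    # or a label within a small edit of it (e.g. one wrong letter).
    folded = host.translate(DIGIT_SWAPS)
    for domain in expected:
        brand = domain.split(".")[0]
        close = any(SequenceMatcher(None, brand, label).ratio() >= 0.8
                    for label in folded.split("."))
        if brand in folded or close:
            warnings.append(f"lookalike:{domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    for sample in ("https://www.amazon.com/orders",
                   "https://amaz0n-security.com/login",
                   "http://192.0.2.10/pay"):
        print(sample, "->", check_qr_url(sample) or "ok")
```

Because the check is an allowlist, a legitimate domain that is missing from `EXPECTED` is also reported as unexpected; the list has to reflect what the scanning context should lead to.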

If you are scanning a payment QR code, verify the recipient name in your payment app before confirming the transfer. Never scan a QR code sent by an unknown contact via messaging apps. And if you are a business owner displaying QR codes for customers, consider placing them behind protective covers or printing them directly onto materials rather than using stickers that can be easily replaced.

The key takeaway is simple: QR codes are not dangerous technology. They are a neutral delivery mechanism, like a hyperlink or a phone number. The risk comes entirely from what they point to — and from users who scan without checking the destination first. Preview the URL, verify the source, and treat unsolicited codes with the same caution you would apply to an unknown email link.

The Bottom Line

QR codes are not dangerous technology. They are a neutral tool, like a hyperlink or a phone number. The risk comes from how criminals misuse them — and from users who scan without thinking. By treating QR codes with the same caution you would apply to an unknown email attachment or an unsolicited link, you can enjoy their convenience without falling victim to the small but growing threat of quishing.

For businesses and marketers, the security responsibility runs in both directions. You need to protect your customers by ensuring your QR codes link to legitimate, secure destinations. And you need to protect your brand by monitoring for fake QR codes that impersonate your business. The best defense is awareness — and now that you know how QR code attacks work, you are already significantly safer than the average scanner.

lococao
Independent Developer