QR Code Safety and Privacy
QR codes are just a way of encoding a link or a piece of text. They are not inherently dangerous, but they do remove a step that normally helps people spot something suspicious: seeing the actual URL before they visit it. This guide covers what to check as a scanner, and what to know as a business displaying codes.
For people scanning a QR code
Look at the link preview before opening it
Most phone cameras show a preview of the destination URL before you tap through. Read it. A mismatch between what the code claims to be (a parking payment, a menu, a login page) and the actual domain in the preview is the clearest warning sign.
Know what "quishing" looks like
Quishing is phishing delivered through a QR code. Instead of a suspicious email link, the attack arrives as a scannable code, often on a fake sticker placed over a real one, or printed on a flyer left in a public place. The scanned link leads to a fake login or payment page designed to capture credentials or card details.
Be cautious with unattended public codes
Parking meters, utility poles, community bulletin boards, and unattended flyers are common places for a fraudulent sticker to be placed directly over a legitimate code. A code from a staffed counter or a printed menu handed to you directly carries a different risk profile than one on an unattended pole in a parking lot.
Treat a QR-triggered payment or login page like any other
Before entering a password or card number after scanning a code, apply the same checks you'd use anywhere else: does the domain match the business, does the page load over HTTPS, and does anything about the request feel rushed or urgent in a way that pressures you not to think it through.
For businesses displaying QR codes
Check your own codes periodically
If a QR code is displayed somewhere the public can access unsupervised (a window, a countertop, an outdoor sign), check it occasionally to confirm the visible code is still the one you printed and has not been covered by a sticker.
Static codes don't need a tracking redirect to be useful
A static QR code, like the ones FreeQRHub generates, points directly to the destination you provide instead of routing scans through a third-party redirect service. If you want campaign data, tagging the destination URL with UTM parameters gives you attribution without adding a middleman that could fail or be repurposed later.
Be transparent about what happens after the scan
Tell people what a code does before they scan it. "Scan for menu," "Scan to pay," or "Scan for WiFi" sets a clear expectation and makes it easier for a customer to notice if something about the resulting page doesn't match.
Frequently asked questions
What is "quishing"?
Quishing is phishing delivered through a QR code instead of an email link. A scanned code opens a fake login page or payment page designed to steal credentials or card details. The defense is the same as email phishing: check the link before entering anything sensitive.
Does FreeQRHub track people who scan the QR codes I create?
No. FreeQRHub generates static QR codes that point directly to the content or link you provide. There is no FreeQRHub redirect, tracking pixel, or scan log sitting between the code and its destination.
Is it risky to scan a random QR code I find in public?
It carries some risk, the same way clicking an unfamiliar link does. Check the link preview your phone shows before opening it, and be extra cautious with codes on unattended signs, stickers, or flyers where tampering is easy.
Last reviewed:
Create a QR code you can stand behind
Generate a static QR code with a clear, direct destination and no unnecessary tracking layer.