Free QR Code Safety Checker

Is that QR code safe to scan?

Paste the link from any QR code and get an instant risk report. We follow the redirect chain, check the domain, and flag scam signals — without opening the page on your device.

Loading checker…

How QR code scams work

QR phishing — known in the security industry as quishing — exploits the blind trust most people place in physical objects. A scammer prints a fake QR code, tapes it over the real one on a parking meter, restaurant table, package delivery notice, or government notice board. You scan it expecting to pay for parking or see a menu. Instead you land on a page that looks identical to your bank, a parcel-tracking portal, or a Microsoft sign-in screen.

The attack works so well because QR codes are opaque by design — there is no URL to read, no hover-preview to check. The threat actor counts on you tapping the camera notification without thinking. Unlike email phishing, these attacks bypass corporate email security gateways entirely, and they target mobile users who are often mid-task, distracted, and less security-aware.

Common delivery mechanisms include:

  • Parking meters & ticketing machines — stick-on codes that redirect to fake payment pages collecting card details.
  • Fake restaurant menus — especially common where restaurants legitimately replaced physical menus with QR codes post-pandemic.
  • Parcel delivery scams — SMS or printed notices with a QR code claiming to re-schedule delivery, leading to credential-harvest or premium-rate subscription pages.
  • Shortener laundering — chaining bit.ly → another shortener → yet another hop before the final phishing page. Each hop adds obfuscation; most scanners only check the first URL.

The tell-tale signs are: URL shorteners hiding the destination, look-alike domains using punycode or subtle misspellings, newly registered domains (days or weeks old), and redirect chains of three or more hops. This checker inspects all of them.

What this checker looks at

Every submitted URL is analysed server-side through a series of independent signal checks. We never open the page in a browser, execute JavaScript, or submit forms — we only follow the redirect chain at the HTTP level and inspect metadata.

Redirect chain

We follow up to 8 hops, recording every intermediate domain.

SSRF guard

We resolve DNS before every hop and refuse to follow redirects into private/internal IP ranges.

Punycode / homograph domains

We detect xn-- encoded domains and mixed-script hostnames used in look-alike attacks.

URL shorteners

A built-in list of 20+ known shorteners — flagged because they hide the real destination.

Domain age (RDAP)

We query the free RDAP registrar API to check when the final domain was registered. Days-old domains are a strong phishing signal.

Suspicious TLDs

.zip, .tk, .top, .xyz, .click and others frequently used in spam infrastructure.

HTTPS check

Final destination must use HTTPS; plain HTTP is flagged.

IP-address hosts, non-standard ports

Legitimate sites use domain names on port 443, not raw IPs on unusual ports.

Honest limits: we do not scan page content for malware, execute JavaScript, or follow HTML meta-refresh / client-side redirects. A low risk score is a good sign, not a guarantee.

Frequently asked questions

How can I check if a QR code is safe?

The safest approach is to copy the link before opening it. Scan the QR code with your camera, long-press the link preview to copy the URL, then paste it into this checker. Our tool follows the redirect chain, checks domain age, inspects the hostname for homograph tricks, and scores the link across 15+ risk signals — without ever opening the page on your device.

Can a QR code hack my phone just by scanning it?

Scanning a QR code itself is safe — it just reads an encoded string. The danger is the destination: a malicious link that opens a phishing page, triggers a malware download, or prompts you to enter credentials. The QR code is just a delivery mechanism. This is why you should always preview and check the URL before tapping 'open.'

Why do scammers use URL shorteners in QR codes?

URL shorteners hide the real destination. When you scan a QR code and see 'bit.ly/x3kQ9', you have no idea where it leads. Scammers chain shorteners through multiple hops — each hop a different domain — to frustrate scanners and bypass corporate web filters. Our checker follows the entire chain and flags shortener use as a risk signal.

What is quishing?

Quishing (QR phishing) is a social engineering attack where scammers replace legitimate QR codes — on parking meters, restaurant tables, parcel delivery notices, or printed flyers — with codes that point to phishing pages. Unlike email phishing, QR-based attacks bypass most email security scanners and target mobile users who may be less cautious. Quishing incidents increased sharply from 2022 onwards, coinciding with the post-pandemic QR boom.

How do I get the link without opening it?

On iPhone: point the Camera app at the QR code — a yellow banner appears. Long-press the banner to get the 'Copy Link' option. On Android (Google Lens or built-in scanner): tap the link preview and choose 'Copy URL' from the context menu. Paste the copied URL into this checker before you open it.

Related tools & guides

Making QR codes people can trust?

Dynamic QR codes give you a short branded URL with an editable destination. If a code is ever compromised, update where it points without reprinting. Transparency builds trust.