A QR code itself can't carry a virus — it's just a pattern that encodes text. But what it encodes can absolutely point you somewhere malicious. Here's the practical risk and how to deal with it.
Can a QR code contain malware?
No. A QR code is just data — typically a URL — and your phone can't be infected just by reading it.
The risk comes from what the URL points to: phishing sites, drive-by downloads, fake login pages. The QR itself is harmless; the destination matters.
What is "quishing"?
Quishing = QR phishing. An attacker prints or emails a QR code that points to a fake login page or malicious download. Common formats in 2025-2026:
- Fake parking tickets with QR codes "to pay your fine"
- Fake QR codes stuck over real ones (restaurant menus, payment QRs)
- QR codes in phishing emails marketed as "scan to update your account"
- QR codes that look like Wi-Fi connections but actually take you to a credential-harvest page
How to scan safely
- Most modern phones show you the URL before opening it. iPhone Camera and Android Google Lens both display the destination URL as a preview. Always read it before tapping.
- Be suspicious of QR codes in public places — especially payment QRs, parking QRs, restaurant QRs. Look for signs of stickers placed over original signage.
- Don't scan QRs in unsolicited emails. If you weren't expecting it, the destination probably isn't trustworthy.
- Hesitate on logins. If a QR takes you to a login page, type the company's URL into your browser manually instead. Whatever was being "verified" can be reached through their actual site.
For businesses: protecting your own QRs
If you print QRs on physical materials, occasionally:
- Check your QRs to make sure no sticker has been placed over them.
- Monitor your destination URL for traffic anomalies — sudden spikes from unfamiliar regions can indicate a fake clone.
- Use a redirect-based QR (like ours) so you can spot oddities in the scan logs.
What if I already scanned a suspicious QR?
- Don't enter credentials on any page that comes from a QR you didn't trust.
- Don't download files from a QR destination unless you expected the file.
- If you accidentally entered credentials, change your password immediately on the real site and enable 2FA.
OneDollarQRcodes safety
We don't insert tracking pixels, ads, or interstitial pages between scan and destination. The redirect goes straight to your URL — no surprises. And because our redirect URLs are on a single dedicated domain, you can audit anomalies easily.