SecuritySpanish version

Support article

Safe use of QR codes to avoid fraud

Learn how to use QR codes safely, spot fake links and protect your data, payments and hosting access.

Published: 30/06/2026Updated: 30/06/2026

Introduction

QR codes are convenient: they let you open a website, make a payment, download an app or sign in by scanning an image. The problem is that they can also be used for fraud.

A QR code can send you to a fake page, download a malicious file or imitate access to a legitimate service. Because we usually do not see the full URL before scanning, it is easy to trust too much.

In this guide we explain how to use QR codes safely and what precautions to take if you manage a website, email or hosting service.

Risks of QR codes

A malicious QR code can:

  • Take you to a phishing website.
  • Open a fake payment page.
  • Download a fraudulent app.
  • Ask for your username and password on a copy of a legitimate site.
  • Redirect you to shortened or hard-to-verify domains.
  • Trigger unwanted actions on your phone.

The QR code itself is not dangerous. The risk is in the destination it points to.

How to review a QR code before trusting it

When you scan a QR code:

  1. Review the URL before opening it.
  2. Check that the domain is correct.
  3. Be wary of shortened links.
  4. Do not enter passwords if you are not sure about the site.
  5. Avoid scanning QR codes stuck over original posters or documents.
  6. Do not install apps outside official stores.
  7. Be suspicious if the QR promises prizes or exaggerated discounts.

Many phones show a preview of the link before opening it. Read it carefully.

QR codes and payment pages

Be especially careful with QR codes used for payments. Before you pay:

  1. Verify the merchant or service.
  2. Check that the amount is correct.
  3. Review the payment gateway domain.
  4. Do not save cards on unknown pages.
  5. Do not repeat the transaction if a strange error appears without first confirming whether the charge went through.

If the payment is for a hosting or domain service, the safest option is to go directly to the client area using the official address.

Recommendations if you publish QR codes on your website

If you use QR codes for your customers:

  • Use links to your own domains or clearly recognizable ones.
  • Avoid shorteners unless they are absolutely necessary.
  • Show the destination URL below the QR code.
  • Regularly check that the link is still correct.
  • Do not use QR codes generated by unknown tools for sensitive processes.
  • Protect all destination pages with HTTPS.

Useful tips

  • Keep your phone updated.
  • Use a reliable QR reader.
  • Do not scan codes from unknown sources.
  • Verify the domain before logging in.
  • If in doubt, type the address manually in the browser.
  • Report fraudulent QR codes if they are connected to a phishing campaign.

Common problems

The QR opens a shortened URL

That does not always mean it is malicious, but it is less transparent. If you do not know who generated it, do not enter personal data.

The QR asks me to log in

Check the domain before entering your username and password. If it does not match the real service, close the page.

The QR is placed on top of another one

That is a clear warning sign. It may be a fraudulent replacement.

Frequently asked questions

Can a QR code infect my phone

Not by itself, but it can lead you to a malicious download or a dangerous website.

Can I use QR codes for my business

Yes, but you should use secure links, HTTPS and clear domains so they do not create distrust.

What should I do if I scanned a suspicious QR code

Close the page, do not enter data, review recent downloads and change passwords if you typed any.

Why does this affect my hosting

A fraudulent QR code can lead to a fake page that steals access to WordPress, email or the control panel.

Conclusion

QR codes are useful, but they must be used carefully. Before opening a link or entering data, review the domain and confirm that you are on a legitimate page. If the QR is related to payments, hosting or passwords, take even more precautions.