Free tool · No signup

Is my QR code safe?

Check where a QR code really leads before you trust it.

or
Scan a QR image

Drop or choose a QR image — it is decoded on your device

See where a QR code really leads

A QR code hides its destination inside a pattern of squares — you cannot tell a genuine link from a trap just by looking. This tool reads the code (or a link you paste), then follows the whole chain of redirects from our server so your own phone never opens a suspicious site. It reports the final destination, every hop along the way, and a trust score with plain-language warnings.

This matters because QR phishing — “quishing” — has become common: a scammer sticks a fake code over a real one on a parking meter, a restaurant table, or a delivery notice, leading to a lookalike login or payment page. Checking the destination first turns a blind scan into an informed decision.

Be clear about the limits: this is not a full malware scanner and cannot read the destination’s page content. A link can pass every check and still be untrustworthy — pair it with your phone’s built-in link preview and healthy skepticism. To decode a code without checking it, use the QR scanner.

When to check first

Before entering card details

A code that jumps straight to a payment page deserves a check — confirm the destination domain is the real merchant, not a lookalike.

Stickers over other codes

A code on a peeling sticker, or one placed over an existing code on a public sign, is the classic quishing setup — trace it before you trust it.

Unexpected codes in messages

A QR code in an email or SMS about a “failed delivery” or “unpaid fine” is worth tracing — these are common lures in the region.

Stay safe with QR codes

  • Preview before you act. Read the destination domain — most phone cameras show it — before opening anything that asks for a login or payment.
  • Be wary of stickers over codes. If a code looks like it was added on top of another, treat it as suspect — that is the most common physical scam.
  • Prefer codes that show a preview domain. A trustworthy code usually reveals a recognisable domain; one that hides behind a shortener deserves a trace.
  • When unsure, do not enter anything. No legitimate service loses your business because you paused to verify a link — a scammer counts on your haste.

Frequently asked questions

No. Our server follows the link and its redirects for you, then reports back what it found. Your own device never opens the destination, so a risky site never touches your phone or browser.

It checks whether the final destination uses a secure (https) connection, follows the full chain of redirects, and looks for warning signs — insecure downgrades, raw IP addresses, look-alike domains, embedded credentials, URL shorteners, and broken or unreachable destinations.

It is not a full malware scanner and cannot read the content of the destination page. A link can pass every check here and still be untrustworthy. Use it together with your phone’s built-in link preview and plain skepticism — especially for codes from strangers.

Quishing is phishing through a QR code. A scammer prints a code that leads to a fake login or payment page — often on a sticker placed over a real code on a parking meter, restaurant table, or delivery notice. Checking the destination before you act is the simplest defence.

Shorteners are used by countless legitimate campaigns and QR codes, so their presence alone is not dangerous. The point of the note is that a shortened link hides its real destination from you — which is exactly why tracing it first is useful.

No. The link is traced to produce your result and is not saved. The tool is rate-limited to prevent abuse, but the addresses themselves are not stored.

Need to edit your QR code after printing?

Dynamic QR codes let you change the destination anytime — no reprinting — and show you every scan: when, where, and on which device. Try the full QRA studio free for 14 days.