Check where a QR code really leads before you trust it.
Drop or choose a QR image — it is decoded on your device
A QR code hides its destination inside a pattern of squares — you cannot tell a genuine link from a trap just by looking. This tool reads the code (or a link you paste), then follows the whole chain of redirects from our server so your own phone never opens a suspicious site. It reports the final destination, every hop along the way, and a trust score with plain-language warnings.
This matters because QR phishing — “quishing” — has become common: a scammer sticks a fake code over a real one on a parking meter, a restaurant table, or a delivery notice, leading to a lookalike login or payment page. Checking the destination first turns a blind scan into an informed decision.
Be clear about the limits: this is not a full malware scanner and cannot read the destination’s page content. A link can pass every check and still be untrustworthy — pair it with your phone’s built-in link preview and healthy skepticism. To decode a code without checking it, use the QR scanner.
A code that jumps straight to a payment page deserves a check — confirm the destination domain is the real merchant, not a lookalike.
A code on a peeling sticker, or one placed over an existing code on a public sign, is the classic quishing setup — trace it before you trust it.
A QR code in an email or SMS about a “failed delivery” or “unpaid fine” is worth tracing — these are common lures in the region.
No. Our server follows the link and its redirects for you, then reports back what it found. Your own device never opens the destination, so a risky site never touches your phone or browser.
It checks whether the final destination uses a secure (https) connection, follows the full chain of redirects, and looks for warning signs — insecure downgrades, raw IP addresses, look-alike domains, embedded credentials, URL shorteners, and broken or unreachable destinations.
It is not a full malware scanner and cannot read the content of the destination page. A link can pass every check here and still be untrustworthy. Use it together with your phone’s built-in link preview and plain skepticism — especially for codes from strangers.
Quishing is phishing through a QR code. A scammer prints a code that leads to a fake login or payment page — often on a sticker placed over a real code on a parking meter, restaurant table, or delivery notice. Checking the destination before you act is the simplest defence.
Shorteners are used by countless legitimate campaigns and QR codes, so their presence alone is not dangerous. The point of the note is that a shortened link hides its real destination from you — which is exactly why tracing it first is useful.
No. The link is traced to produce your result and is not saved. The tool is rate-limited to prevent abuse, but the addresses themselves are not stored.
Dynamic QR codes let you change the destination anytime — no reprinting — and show you every scan: when, where, and on which device. Try the full QRA studio free for 14 days.