SafeScan QR

Learn

QR code safety center

QR codes hide their destination until something on your device opens it. This guide covers how QR phishing ("quishing") works, how to check a code before you scan it, and how SafeScan's scanner applies these checks automatically.

The basics

What is quishing?

01

Hidden destination

A QR code can encode any URL, wallet action, or app deep link. Unlike a typed link, you can't see where it points until your phone decodes it - attackers exploit that blind spot.

02

Familiar wrapper, new payload

Quishing reuses the same playbook as email phishing - urgency, a trusted-looking brand, a request to "verify" or "claim" something - but delivers it through a printed or pasted code instead of a link in an inbox.

03

Bypasses email filters

Because the malicious link is embedded as an image, traditional spam and link-scanning filters often never see the actual destination, which is part of why quishing has grown as a tactic.

Before you scan

How to check if a QR code is safe

You don't need special tools for the first checks - just a careful look and your phone's built-in preview.

1. Inspect the code itself

Look for a sticker placed on top of a poster, menu, parking meter, or flyer. A second QR code stuck over the original - even slightly misaligned, a different paper stock, or a different print quality - is one of the most common quishing setups.

2. Use your camera's link preview, don't tap blindly

Most phone cameras show a preview of the URL before opening it. Read the full domain, not just the first part. Watch for misspellings of real brands (e.g. "paypa1.com"), unfamiliar domains, or shortened links (bit.ly, tinyurl) that hide the real destination.

3. Never enter a wallet seed phrase or "sign" a blind transaction

No legitimate airdrop, refund, or "claim" requires your seed phrase. If a QR code opens a wallet prompt asking you to "approve," "permit," or "sign," stop and verify the site independently before continuing - these are the same mechanisms used by wallet-drainer kits.

4. Run it through a scanner before opening it

Paste the URL (or upload/scan the code) into SafeScan's scanner first. SafeScan resolves the full redirect chain, checks domain age and reputation against VirusTotal and Google Safe Browsing, and screens for known wallet-drain signature patterns - all before you ever open the link.

Spotting tampered codes

Restaurant menus, parking, and other public QR codes

01

Check for overlays

Run a finger over the code. A sticker placed over the original will have a visible edge or a different texture from the table or sign underneath.

02

Compare to other tables/signs

If every other table has a printed-in code but yours has a loose sticker, that's a red flag. Ask staff if you're unsure.

03

Watch for payment prompts

A menu QR code should open a menu, not a payment page or an app-install prompt. If scanning a "menu" code asks for card details immediately, don't proceed.

Crypto & wallet safety

Common wallet-drain techniques hidden in QR codes

Modern wallet-drainer kits rarely use an obvious "send funds" request. Instead they ask your wallet to sign something that looks routine. SafeScan's scanner screens QR payloads for these patterns automatically:

Token "permit" / Permit2 signatures

An off-chain signature that grants an allowance without an on-chain "approve" transaction - widely used by drainer kits because it looks like a free, gasless action.

setApprovalForAll (NFTs)

Grants an attacker-controlled address blanket control over an entire NFT collection in your wallet, not just one item.

Maximum token approvals

A request to approve an unlimited (max uint256) spending allowance for a token, often disguised as a "claim" or "stake" action.

WalletConnect pairing URIs

A QR code that's actually a WalletConnect (wc:) pairing link can silently propose a session with a malicious dApp the moment it's scanned.

Try it now

Check a QR code or link with SafeScan

Open the scanner Browse known-malicious codes