Hidden destination
A QR code can encode any URL, wallet action, or app deep link. Unlike a typed link, you can't see where it points until your phone decodes it - attackers exploit that blind spot.
Learn
QR codes hide their destination until something on your device opens it. This guide covers how QR phishing ("quishing") works, how to check a code before you scan it, and how SafeScan's scanner applies these checks automatically.
The basics
A QR code can encode any URL, wallet action, or app deep link. Unlike a typed link, you can't see where it points until your phone decodes it - attackers exploit that blind spot.
Quishing reuses the same playbook as email phishing - urgency, a trusted-looking brand, a request to "verify" or "claim" something - but delivers it through a printed or pasted code instead of a link in an inbox.
Because the malicious link is embedded as an image, traditional spam and link-scanning filters often never see the actual destination, which is part of why quishing has grown as a tactic.
Before you scan
You don't need special tools for the first checks - just a careful look and your phone's built-in preview.
Look for a sticker placed on top of a poster, menu, parking meter, or flyer. A second QR code stuck over the original - even slightly misaligned, a different paper stock, or a different print quality - is one of the most common quishing setups.
Most phone cameras show a preview of the URL before opening it. Read the full domain, not just the first part. Watch for misspellings of real brands (e.g. "paypa1.com"), unfamiliar domains, or shortened links (bit.ly, tinyurl) that hide the real destination.
No legitimate airdrop, refund, or "claim" requires your seed phrase. If a QR code opens a wallet prompt asking you to "approve," "permit," or "sign," stop and verify the site independently before continuing - these are the same mechanisms used by wallet-drainer kits.
Paste the URL (or upload/scan the code) into SafeScan's scanner first. SafeScan resolves the full redirect chain, checks domain age and reputation against VirusTotal and Google Safe Browsing, and screens for known wallet-drain signature patterns - all before you ever open the link.
Crypto & wallet safety
Modern wallet-drainer kits rarely use an obvious "send funds" request. Instead they ask your wallet to sign something that looks routine. SafeScan's scanner screens QR payloads for these patterns automatically:
An off-chain signature that grants an allowance without an on-chain "approve" transaction - widely used by drainer kits because it looks like a free, gasless action.
Grants an attacker-controlled address blanket control over an entire NFT collection in your wallet, not just one item.
A request to approve an unlimited (max uint256) spending allowance for a token, often disguised as a "claim" or "stake" action.
A QR code that's actually a WalletConnect (wc:) pairing link can silently propose a session with a malicious dApp the moment it's scanned.
Try it now