Free QR Code Safety Scanner
Before you scan a QR code with your phone, check where it actually leads. Upload an image of any QR code for an instant safety analysis — free and private.
Check a QR Code — FreeWhat Is QR Code Phishing (Quishing)?
QR code phishing — nicknamed "quishing" — is a growing attack method where criminals replace or create fake QR codes that redirect victims to malicious websites. The word combines "QR code" and "phishing."
QR codes have an inherent security problem: there is no way to tell by looking at a QR code where it leads. A legitimate restaurant menu QR code and a malicious one look completely identical. Without scanning it, you cannot tell the difference — and by the time you have scanned it on your phone, it may already be too late. Quishing attacks have increased significantly, targeting individuals and corporate environments alike.
Where Are Malicious QR Codes Found?
Attackers place malicious QR codes in a wide range of physical and digital locations:
- Parking meters and machines: Fraudulent stickers placed over legitimate QR codes on parking terminals redirect payments to the attacker. Widely reported in Australia, the US, and UK.
- Restaurant table menus: Fake QR code stickers placed on top of real ones. Scanning them leads to convincing fake ordering sites that steal credit card details.
- Phishing emails: Attackers embed QR codes in emails specifically to bypass security software that scans text URLs but cannot read QR codes in images.
- Public posters and flyers: Malicious QR codes on notice boards and bus stops, often offering fake deals or competition entries.
- Fake package delivery cards: Physical cards left at doors claiming a parcel is waiting, with a QR code to "reschedule delivery" leading to a payment-stealing site.
How ScanTotal's QR Code Scanner Works
Step 1 — Take a photo or screenshot. Use your phone's camera to photograph a QR code in the real world, or take a screenshot if the QR code appears on a screen.
Step 2 — Upload the image to ScanTotal. Open ScanTotal in your browser, select the Image/QR scanner, and upload your photo or screenshot. We accept PNG, JPG, and GIF formats.
Step 3 — QR code decoding. We decode the QR code using the jsQR library to extract the destination URL or data it contains.
Step 4 — URL threat analysis. The decoded URL is immediately checked against Google Safe Browsing and additional threat databases.
Step 5 — Results. You receive a clear verdict — safe or threat detected — along with the decoded destination URL so you can see exactly where the QR code leads.
Frequently Asked Questions
Can I check a QR code without scanning it with my phone first?
Yes — that is the whole point. Photograph the QR code or screenshot it, upload it to ScanTotal, and we decode and analyze it. You never scan it with your phone until you know it is safe.
What image formats are supported?
ScanTotal accepts PNG, JPG, and GIF image files for QR code scanning.
Is it safe to photograph a QR code without scanning it?
Yes. Taking a photo of a QR code does not activate it or connect you to any website. You are only at risk if you allow your phone's camera app to open the URL.
What if the QR code contains something other than a URL?
QR codes can contain plain text, contact info (vCards), Wi-Fi credentials, or calendar events. If the decoded content is not a URL, we display the decoded data so you can review it before acting on it.