QR Code Scanner

Upload any image to instantly decode its QR code. All processing happens locally in your browser — no data is ever sent to a server.

QR Code Security: Understanding Quishing Attacks

What is a QR Code?

A QR (Quick Response) code is a two-dimensional matrix barcode that stores information in a grid of black and white squares. Originally developed by Denso Wave in 1994 for tracking automotive parts during manufacturing, QR codes can encode URLs, plain text, contact information, Wi-Fi credentials, payment details, and other structured data. Their name derives from their ability to be decoded at high speed — a significant improvement over the traditional one-dimensional barcode.

A standard QR code is composed of several key structural elements. The three large square "finder patterns" in the corners allow scanners to detect the code's position and orientation. Smaller "alignment patterns" help correct for image distortion. Timing patterns — alternating black and white modules running between the finder patterns — establish the module grid. The data payload itself is encoded as dark and light modules across the remaining grid, read in a specific zigzag pattern. Reed-Solomon error correction is built into every QR code, allowing up to 30% of the code's data to be restored even if that portion is damaged, dirty, or obscured — which is why QR codes remain scannable even with logos overlaid on them.

How QR Codes Are Decoded

Decoding a QR code is a multi-step process. First, the scanner locates the three finder patterns — the distinctive nested squares in the top-left, top-right, and bottom-left corners. These allow the software to calculate the code's orientation, even if it is rotated or skewed. Next, the timing patterns are read to determine the size of the grid (measured in "modules") and the precise coordinate system for mapping each cell.

The format information strip — a band of modules adjacent to the finder patterns — is read next. This strip encodes the error correction level (L, M, Q, or H) and the data mask pattern used to prevent long runs of identical modules that would make decoding unreliable. Once the mask is removed, the actual data codewords are read by traversing the grid in a two-column zigzag pattern from right to left, bottom to top. Finally, Reed-Solomon error correction is applied: depending on the error correction level chosen when the QR code was generated, anywhere from 7% (Level L) to 30% (Level H) of damaged or missing data can be fully reconstructed before the final payload — URL, text, or binary data — is decoded.
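The format information step above, as an added example (not code from this page or from jsQR): the 15-bit strip is unmasked with the fixed pattern 101010000010010 and matched against the 32 valid BCH(15,5) codewords defined in the QR code standard (ISO/IEC 18004). The function names are illustrative.

```javascript
// Added example: decode the 15-bit QR format information word.
const FORMAT_MASK = 0x5412;               // fixed XOR mask 101010000010010
const BCH_GEN = 0x537;                    // BCH(15,5) generator 10100110111
const EC_LEVELS = ["M", "L", "H", "Q"];   // index = 2-bit indicator: 00=M 01=L 10=H 11=Q

// Build the valid 15-bit codeword (before masking) for 5 data bits.
function bchEncode(data5) {
  let rem = data5 << 10;
  for (let bit = 14; bit >= 10; bit--) {
    if (rem & (1 << bit)) rem ^= BCH_GEN << (bit - 10);
  }
  return (data5 << 10) | rem;
}

// Number of set bits, used as the Hamming distance of an XOR.
function popcount(x) {
  let n = 0;
  while (x) { n += x & 1; x >>= 1; }
  return n;
}

// bits15: the strip as a string of 15 '0'/'1' characters, most significant first.
// Returns { level, mask, bitErrors }, or null when no codeword is within 3 bit flips.
function decodeFormatInfo(bits15) {
  const raw = parseInt(bits15, 2) ^ FORMAT_MASK;
  let best = null;
  for (let data = 0; data < 32; data++) {
    const dist = popcount(raw ^ bchEncode(data));
    if (best === null || dist < best.dist) best = { data, dist };
  }
  if (best.dist > 3) return null;
  return {
    level: EC_LEVELS[best.data >> 3],     // top 2 bits: error correction level
    mask: best.data & 0b111,              // low 3 bits: data mask pattern 0-7
    bitErrors: best.dist,
  };
}
```

Because the 32 codewords differ from each other in at least 7 positions, up to 3 damaged modules in the strip still resolve to a single level and mask.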

QR Code Security Risks: Quishing (QR Phishing)

Quishing — a portmanteau of "QR" and "phishing" — is a cyberattack technique in which malicious actors embed fraudulent URLs or commands inside QR codes to trick victims into visiting phishing pages, downloading malware, or surrendering credentials. Unlike traditional phishing links in emails, QR codes are visually opaque: a human cannot read the embedded URL simply by looking at the code, which makes them an attractive vector for attackers.

The FBI's Internet Crime Complaint Center (IC3) issued a public service announcement in January 2022 specifically warning about tampered QR codes, and reported a significant rise in quishing incidents through 2023. Real-world examples have included attackers placing fake QR code stickers over legitimate ones on parking meters in major US cities, directing drivers to spoofed payment portals to harvest credit card numbers. Similar campaigns have targeted COVID-19 vaccine registration pages and restaurant menu QR codes. In corporate environments, quishing emails are increasingly used to bypass email security filters because the phishing URL is hidden inside an image attachment rather than as a plain-text link that security tools can inspect.

Because QR codes can also encode Wi-Fi credentials, vCard contacts, and SMS messages, attackers can use them to silently join a victim's device to a rogue network, inject malicious contacts, or pre-populate fraudulent SMS messages — all triggered by a single scan.

Safe QR Scanning Practices

The most important habit when scanning QR codes is to always preview the decoded URL before navigating to it. Most modern smartphone camera apps and dedicated QR scanner apps display the URL in a preview bar before opening the browser. Take a moment to read the domain carefully.

Be especially cautious of QR codes found in public places — on posters, flyers, parking meters, restaurant tables, or event signage — where a sticker could have been placed over a legitimate code. If the QR code is printed on a sticker that appears added on top of an original surface, treat it with suspicion. Similarly, exercise caution with QR codes received in unsolicited emails or text messages; legitimate organizations rarely require you to scan a QR code for account verification or urgent action. When in doubt, navigate directly to the organization's official website by typing the URL manually rather than following a QR code link.

How to Verify a QR Code is Safe

After decoding a QR code (either with this tool or your phone), examine the URL closely before visiting. First, check that the domain name is exactly what you expect. Attackers commonly use typosquatting (e.g., "paypa1.com" instead of "paypal.com") or subdomain tricks (e.g., "paypal.com.malicious-site.xyz") to create deceptively similar URLs. The real domain is the part of the hostname immediately before the first single slash ("malicious-site.xyz" in the second example), not what appears at the beginning of the URL.

Second, confirm the site uses HTTPS — though note that HTTPS alone does not guarantee a site is legitimate; it only means the connection is encrypted. Third, for suspicious links, paste the URL into VirusTotal (virustotal.com) or Google Safe Browsing to check whether it has been flagged as malicious. Be aware that short URLs (bit.ly, tinyurl.com, etc.) embedded in QR codes can obscure the final destination — use a URL expander to reveal the real link before visiting. Finally, always trust your browser's built-in safe browsing warnings: if your browser shows a red warning screen after navigating, leave immediately and do not enter any information.
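The checks described in this section, as an added example in JavaScript (not the scanner's own code): it takes the decoded string, classifies non-URL payloads by prefix, and flags hostname mismatches, missing HTTPS, and shorteners. The function names, the shortener list, and the two-label comparison (which ignores multi-part suffixes such as co.uk) are assumptions made for illustration.

```javascript
// Added example: triage a decoded QR payload before anyone opens it.
// SHORTENERS is a constructed sample list; expectedDomain is supplied by the caller.
const SHORTENERS = new Set(["bit.ly", "tinyurl.com"]);
const PREFIXES = { "wifi:": "wifi", "mailto:": "email", "geo:": "geo" };

// Edit distance between two short strings (spots one- or two-character typosquats).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
                        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

function inspectQrPayload(text, expectedDomain) {
  const payload = text.trim();
  const lower = payload.toLowerCase();
  for (const [prefix, type] of Object.entries(PREFIXES)) {
    // Not a link: scanning triggers a device action (join network, compose mail, ...).
    if (lower.startsWith(prefix)) return { type, host: null, findings: ["non-url-action"] };
  }
  if (!/^https?:\/\//.test(lower)) return { type: "text", host: null, findings: [] };

  let url;
  try { url = new URL(payload); }
  catch { return { type: "url", host: null, findings: ["unparseable"] }; }
  const host = url.hostname;   // hostname only: the parser strips port and path
  const findings = [];
  if (url.protocol !== "https:") findings.push("not-https");
  if (SHORTENERS.has(host)) findings.push("shortener");
  const trusted = !expectedDomain || host === expectedDomain || host.endsWith("." + expectedDomain);
  if (!trusted) {
    findings.push("host-mismatch");
    // Expected domain used as leading labels: paypal.com.malicious-site.xyz
    if (("." + host).includes("." + expectedDomain + ".")) findings.push("brand-in-subdomain");
    // Last two labels almost equal to the expected domain: paypa1.com
    const tail = host.split(".").slice(-2).join(".");
    const d = editDistance(tail, expectedDomain);
    if (d > 0 && d <= 2) findings.push("lookalike");
  }
  return { type: "url", host, findings };
}
```

An empty `findings` array only means none of these checks fired; a reputation lookup and URL expansion, as described above, still apply to unfamiliar links.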

Frequently Asked Questions

Can QR codes contain malware?

Not directly. A QR code is simply a data container — it holds text or a URL, not executable code. However, a QR code can encode a URL pointing to a page that hosts malware downloads, exploit kits, or drive-by-download scripts. Scanning a QR code is safe in itself; the danger arises when you follow the link it contains. Always inspect the decoded URL before visiting.

Is this scanner safe to use?

Yes. This tool uses the open-source jsQR library, which runs entirely within your browser. Your image is never uploaded to any server. All decoding happens locally on your device, which means your QR code contents remain completely private. You can confirm this by turning off your internet connection after the page loads — the scanner will still work.

What types of data can QR codes contain?

QR codes can encode a wide variety of data types: URLs (the most common), plain text, vCard contact information, Wi-Fi network credentials (SSID, password, and security type), email addresses, SMS messages with pre-filled text, telephone numbers, geographic coordinates, calendar events (vCalendar), and cryptocurrency payment addresses. The data type is often indicated by a prefix in the encoded string (e.g., "WIFI:", "MAILTO:", "GEO:"), though plain URLs and text have no special prefix.

Why wasn't my QR code detected?

Detection can fail for several reasons: low image resolution (the QR code needs sufficient pixel density for each module to be distinguishable), poor lighting or heavy shadows causing parts of the code to be unreadable, the QR code being only partially visible in the frame, significant damage or obstruction covering more than 30% of the code (exceeding Reed-Solomon's correction capacity), or extreme perspective distortion. Try taking a new photo with the QR code flat, well-lit, and fully visible. If the code has a logo overlay, ensure it covers less than 30% of the code area.

What is quishing?

Quishing is QR code phishing — a social engineering attack that uses malicious QR codes to direct victims to fraudulent websites designed to steal credentials, financial information, or personal data. The term combines "QR" and "phishing." Quishing is particularly effective because QR codes are visually unreadable to humans, making it impossible to spot a malicious URL without first decoding the code, and because many email security gateways do not inspect QR code images the way they inspect embedded links.