Quishing is phishing that uses a QR code as the bait. Someone prints or emails you a QR; you scan it; the URL takes you to a fake login page or a malware download. The trick is that the destination URL is hidden inside the QR pattern, so you can't tell whether it's safe before you scan.

How does this quishing detector work?

Scan or upload the QR, or paste a URL you already extracted. We decode the QR in your browser, then ask our server to follow the redirects and check the final URL against Google Web Risk. You get a verdict, the redirect chain, and a note about what type of QR it was.

Is the Quishing Detector free?

Yes. No signup. QR Dex sells a paid product for editable QR codes with analytics, but this one is free for anyone who wants it.

What are the red flags of a quishing attack?

A QR sticker placed on top of another QR (parking meters and restaurant tables are common targets). QR codes inside unsolicited emails or texts. Codes that resolve through a URL shortener. Destinations that almost look like a real brand (qrd3x.io instead of qrdex.io). Any request for a password or payment that appears the moment you scan.

Can a QR code itself contain malware?

No. A QR is just text. The danger is what the URL inside it points to: a phishing page, a drive-by download, a malicious app store link. Decoding a QR with this tool is safe because we never actually open the page in your browser.

How can I protect myself from quishing?

Pause before scanning QR codes in public, especially ones that look pasted on. Use a scanner that previews the URL before opening it. Never enter credentials or payment info on a page you only got to from a QR scan. If you're unsure, type the brand's real URL directly.

Is this QR code a phishing attack?

Quishing is phishing that hides behind a QR code. Scan or upload yours below, and we'll check the destination URL against Google Web Risk before you click it.

Point your camera at a QR code. We never store the image or video.

What is quishing?

Quishing is short for "QR phishing." It's the same idea as a phishing link, but the link is hidden inside a QR code so you can't see where it's actually going. Attackers use this trick because URL scanners in email don't read images, and because we're all trained to scan QR codes without thinking.

Quishing attacks we've seen recently

A sticker pasted over a real QR on a parking meter or restaurant table, sending you to a fake payment page. Phishing emails with the URL hidden inside an attached PNG so the email gateway can't scan it — you open it on your phone and land on a fake Microsoft 365 login. Lookalike domains like qrd3x.io instead of qrdex.io. QR codes that encode a bit.ly link, which then bounces through three more redirects before landing somewhere malicious.

How to protect yourself

Treat an unsolicited QR like an unsolicited link: pause. Use a scanner that previews the URL before opening it. Never enter a password or payment on a page you only got to from a QR scan — if you actually need to log in, open a fresh tab and type the real URL. And if a QR in a public place looks pasted on, try peeling it. There's usually a legitimate one underneath.

Frequently Asked Questions

What is quishing?: Phishing that uses a QR code as the bait. You scan, the URL takes you somewhere malicious, and you couldn't tell because the URL was hidden inside the QR pattern.
How does this detector work?: We decode the QR in your browser, follow any HTTP redirects on our server, and check the final URL against Google Web Risk's phishing and malware database.
Is it free?: Yes. No signup.
What are the red flags?: QR stickers placed over other QRs, codes in unsolicited emails, redirects through URL shorteners, lookalike domains, and any request for a password the moment you scan.
Can a QR code itself contain malware?: No. A QR is just text. The danger is the URL inside it. We never actually visit the URL on your behalf.
How can I avoid quishing?: Pause before scanning codes in public. Use a scanner that previews the URL. Never type a password on a page you only got to from a QR scan.