QR Code Safety

How to check a QR code safely

QR codes are turning up in more and more scams. Your email app can check a suspicious link for you, but it can't check a QR code. That's exactly why scammers use them. Here's what to know before you scan.

Quick answer

Do not scan a suspicious QR code just to see where it goes. The main risk is being taken to a fake website where you may be asked to enter login details, card details or a one-time code. Most phones preview the destination URL before opening — check that domain before tapping through, and verify it matches the organisation's official website.

QR codes used to be associated mainly with restaurant menus and event tickets. Now they appear in text messages claiming to be from HMRC, in emails claiming to be from your bank, in letters saying your parcel is held, and in notices about council tax or parking fines. Many of these are scams.

The reason scammers have moved to QR codes is straightforward: your email security tools scan links automatically. They don't scan QR codes. A link to a suspicious website might get blocked. The same link encoded in a QR code often passes straight through.

What is quishing?

Quishing is QR code phishing. The scammer puts a fraudulent URL inside a QR code and presents it as something legitimate — a payment link from HMRC, a verification step from your bank, a parcel tracking page from Royal Mail. When you scan it, you're taken to a fake website designed to steal your login credentials, card details, or personal information.

The scam works because people have grown accustomed to scanning QR codes without thinking. A QR code looks neutral — there's no suspicious domain name visible, no obvious red flags. The danger is hidden inside.

Warning signs to look for

Do not scan a suspicious QR code just to test where it goes. The main risk is arriving at a site designed to steal your login details, card details, or one-time codes. Most modern phones show a URL preview before you tap through — use this to check the domain before opening anything.

  • The QR code arrives in a text, email, or letter you weren't expecting
  • The surrounding message creates urgency — pay within 24 hours, or your account will be suspended
  • The message claims to be from HMRC, a bank, Royal Mail, or another official body
  • The QR destination URL (shown by your phone before you tap) doesn't match the official domain of the organisation
  • The URL uses words like "secure", "verify", "pay", "claim" combined with a non-official domain
  • You're being asked to enter login credentials, card details, or a one-time passcode after scanning
  • The QR code is on a sticker placed over an existing sign — this can happen in car parks

How to check a QR code before scanning

Most smartphones now show a preview of the URL when you point your camera at a QR code, before you tap to open it. This is your best check. Look at that domain carefully. If it doesn't match the organisation it claims to be from, don't tap through.

For HMRC: genuine HMRC online services use gov.uk or hmrc.gov.uk. If a QR code claims to lead to an HMRC service but the destination does not match those domains, treat it with significant caution. Verify any claimed HMRC action independently through GOV.UK — do not use the QR code as confirmation.

For your bank: your bank's QR codes should lead to your bank's official domain — the one you'd find by searching for your bank's name.

For Royal Mail: royalmail.com only.

Example — suspicious QR code message
HMRC: You are owed a tax refund of £284. Scan the QR code below within 24 hours to claim your refund.

QR destination (visible when phone camera is pointed at code): https://hmrc-refund-secure-check.com/claim

This QR code was submitted to Summarly using the Check QR Code tab. Summarly immediately flagged that the destination domain — hmrc-refund-secure-check.com — is not a GOV.UK domain, that HMRC does not send refund notices with QR codes, and that the 24-hour deadline is a classic pressure tactic. Classification: High risk.
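
The domain check described in this section can be written down precisely. The following is an added example, not part of the original page and not Summarly's own logic: it compares the host in a QR destination with the official domains named above on whole-label boundaries, so a host that merely contains an official name does not pass. The function name, the organisation labels and every sample URL except the page's own example are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official domains as stated on this page; the dictionary keys are labels chosen for this example.
OFFICIAL_DOMAINS = {
    "hmrc": ("gov.uk", "hmrc.gov.uk"),
    "royal mail": ("royalmail.com",),
}
# Words the page lists as warning signs when they appear with a non-official domain.
LURE_WORDS = ("secure", "verify", "pay", "claim")


def check_qr_destination(url, claimed_org):
    """Return (verdict, reasons) for a decoded QR URL and the organisation the message names."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious", ["not an ordinary web link with a host name"]
    official = OFFICIAL_DOMAINS[claimed_org.lower()]  # KeyError for organisations not listed
    # Compare whole labels: the host must BE an official domain or end with "." + that domain.
    # A substring test would accept hosts that merely contain the official name.
    if any(host == d or host.endswith("." + d) for d in official):
        return "matches official domain", []
    reasons = [f"{host} is not on {' or '.join(official)}"]
    if any(d in host for d in official):
        reasons.append("official domain appears in the host name but is not its ending")
    hits = [w for w in LURE_WORDS if w in host or w in parts.path.lower()]
    if hits:
        reasons.append("lure words with a non-official domain: " + ", ".join(hits))
    return "suspicious", reasons


if __name__ == "__main__":
    samples = [  # first URL is the page's example; the rest are constructed for illustration
        ("https://hmrc-refund-secure-check.com/claim", "HMRC"),
        ("https://www.gov.uk/", "HMRC"),
        ("https://hmrc.gov.uk.refund-check.example/claim", "HMRC"),
        ("https://example-royalmail.com/track", "Royal Mail"),
    ]
    for url, org in samples:
        verdict, reasons = check_qr_destination(url, org)
        print(f"{org}: {url} -> {verdict}", *reasons, sep="\n    ")
```

A match here only says the host sits under an official domain; the claimed refund, fee or restriction still needs verifying through the official website as described on this page.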

What to do if you receive a suspicious QR code

  1. Do not scan it to test where it goes — that's exactly what the scammer wants
  2. If you can see the destination URL in your phone's preview, check whether the domain matches the official organisation
  3. Upload a photo of the QR code and surrounding message to Summarly using the Check QR Code tab
  4. Verify any claimed action (a tax refund, parcel fee, account restriction) through the official website — type the address directly, don't scan
  5. Report suspicious texts to 7726 and suspicious emails to report@phishing.gov.uk

When QR codes are fine to scan

Not every QR code is suspicious. A QR code on a restaurant table linking to the menu, a QR code on an event ticket, or a QR code in a brochure from a company you've just visited are all generally low risk.

The risk increases significantly when a QR code arrives unexpectedly and the surrounding message creates urgency, involves payment, or claims to be from a government body or financial institution.

Not sure about a QR code message?

Use Summarly's Check QR Code tab. Upload a photo of the QR code and surrounding message, or paste the destination URL if you have it. We'll explain what it appears to say and flag anything suspicious.

Frequently asked questions

Is it safe to scan a QR code?

In trusted physical contexts — a restaurant, a shop, an event — usually yes. The risk rises significantly when a QR code arrives unexpectedly in a message claiming to be from an official organisation, especially when it creates urgency or asks for payment or login details.

How can I see where a QR code goes before scanning?

Point your phone camera at the QR code without tapping. Most modern smartphones show a URL preview. Check that domain carefully before tapping to open it.

I scanned it and entered my details. What now?

If you entered card or bank details, call your bank immediately using the number on the back of your card. If you entered login credentials for a service, change your password immediately from a different device. Report to Action Fraud at actionfraud.police.uk or 0300 123 2040.

Can I use Summarly to check a QR code?

Yes. Use the Check QR Code tab. Upload a photo of the QR code and surrounding message, or paste the message text and QR destination URL. Summarly will analyse it and explain what it appears to say and whether anything looks suspicious.
