Sun, Jul 12, 2026NY 7:53 PM EDTLA 4:53 PM PDTLON 12:53 AM GMT+1PAR 1:53 AM GMT+2DXB 3:53 AM GMT+4SIN 7:53 AM GMT+8TOK 8:53 AM GMT+9SYD 9:53 AM GMT+10UTC 11:53 PM UTCBTC delayed quote CoinGeckoETH delayed quote CoinGeckoFresh explainers, verified sources, practical next steps
Strangely Useful

Clear, verified help for apps, money, security, AI, and everyday tech problems.

Browse the site
Topic hubsFake support guideWrong Cash App paymentLatest storiesTopicsMoney & ChargesSearchInternet & CultureTech & AISecurity & TrustPractical TechnologyMoney & PaymentsBrowser & PrivacyAI ToolsSoftware & ServicesInternet Culture & Everyday WorkflowsHidden HistoryUseful ThingsEntertainmentQuizzesAboutHow we workHow guides are madeNewsletter
Security & Trust - story

Scan a QR Code Without Handing It Blind Trust

Treat a QR code as a concealed link: preview it, inspect its context, and use a known route for payments or logins.

Last verified July 11, 20262 sources checkedEditorial standards
A carefully arranged real-world scene representing scan a qr code without handing it blind trust.
Scan a QR Code Without Handing It Blind TrustA carefully arranged real-world scene representing scan a qr code without handing it blind trust.Context is part of verification. A code on a parking meter can be covered by a sticker; a code in an urgent text can route to a convincing imitation login page. Generated for Strangely Useful; provenance retained.
In this story4 sectionsThe preview is the checkpointRead the destination before openingClues that the square was replacedSafer routes for login and payment

A QR code is a link whose address has been hidden inside a square. That makes the preview screen—not the printed logo—the moment to decide whether to continue.

Treat a QR code as a concealed link: preview it, inspect its context, and use a known route for payments or logins. Context is part of verification. A code on a parking meter can be covered by a sticker; a code in an urgent text can route to a convincing imitation login page.

Know what the code should do before scanning. A restaurant menu should open a menu; a parking code should identify the operator and location before requesting an amount.

The preview is the checkpoint

Check whether a sticker covers an original code. Look for a sticker placed over another code, especially on parking meters, payment kiosks, and menus. Physical tampering changes the destination without changing the sign.

Read the destination before opening

  1. Preview the destination before opening it

    Use the camera preview to read the domain before opening it. Cancel if spelling, subdomain, or top-level domain differs from the organization you expected.

  2. Read the domain from right to left to identify the real site

    Read domains from the registered name outward: in login.example.com, example.com controls the site. A familiar word placed earlier in a longer domain proves nothing.

  3. Open the known app directly for payment or account action

    For payment or sign-in, close the preview and open the known app yourself. This removes the QR code from the trust chain.

  4. Close the page if it asks for an unexpected download or profile

    Reject pages that request a profile, APK, certificate, or surprise app installation. A menu, ticket, or parking code should not need control of the phone.

A malicious code does not need to look suspicious. It can sit on professional signage and open a polished HTTPS page. The mismatch between the expected organization and the actual registered domain is the useful clue.

Clues that the square was replaced

  • HTTPS does not prove the operator is honest.
  • A printed code can be replaced after a sign is installed.
  • Urgency is a reason to slow down, not scan faster.

Close the page and use the company’s known app when a scan requests credentials, payment-card details, a configuration profile, or an unexpected download.

Safer routes for login and payment

Check current menu names, limits, and recovery language against “Scammers hide harmful links in QR codes to steal your information” and “Malicious QR Codes Used to Steal Financial Data” before acting; platform behavior can change after publication, and each source should be used only for the claim it actually supports.

The FTC warns that malicious QR codes can send people to spoofed sites or trigger malware downloads.

The FBI advises checking a scanned URL for misspellings and avoiding payments through a site reached from an untrusted QR code.

Sources & methodology2 sources - evidence for this revision

The records below show what each source supports in this published revision.

  1. Scammers hide harmful links in QR codes to steal your informationFederal Trade Commissionreference - Retrieved Jul 12, 2026

    What it supportsThe FTC warns that malicious QR codes can send people to spoofed sites or trigger malware downloads.

  2. Malicious QR Codes Used to Steal Financial DataFBIreference - Retrieved Jul 12, 2026

    What it supportsThe FBI advises checking a scanned URL for misspellings and avoiding payments through a site reached from an untrusted QR code.

The Useful Dispatch

Keep the good rabbit holes coming.

The weekly email is being prepared. No address is collected yet.

See the newsletter plan →