Security · 4 min read

How to Scan QR Codes Safely: 15 Security Checks

Learn about phishing, homoglyph attacks, URL shortener risks, and how Qrivo detects suspicious QR codes before you open them.


QR codes are convenient, but they are also an increasingly popular attack vector. Unlike a URL you can read before clicking, a QR code hides its destination until after you scan it. Malicious actors exploit this opacity to redirect unsuspecting users to phishing pages, malware downloads, and credential harvesting sites.

Qrivo runs 15 automated security checks on every scanned code before you ever open the link. Here is what each check does and why it matters.

1. HTTPS Verification

The most basic check: does the URL use HTTPS? Plain HTTP connections transmit data in clear text, making them vulnerable to interception. Any legitimate website in 2026 should use HTTPS. If a scanned URL uses HTTP, Qrivo flags it immediately with a warning. There are very few legitimate reasons for a QR code to point to an HTTP URL in the modern web.

2. Punycode and Homoglyph Detection

One of the most sophisticated phishing techniques involves using characters from non-Latin scripts that visually resemble Latin letters. The Cyrillic "а" (U+0430) looks identical to the Latin "a" (U+0061) but is a different character. An attacker can register a domain like "аpple.com" using Cyrillic characters that looks exactly like "apple.com" in the address bar.

Qrivo decodes any punycode (the ASCII "xn--" form in which internationalized domain names are carried) and checks for mixed-script usage. If a single domain label contains characters from multiple Unicode scripts, it is almost certainly a phishing attempt.
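The decode-then-inspect step described above, written out as an added example (this is not Qrivo's code). It decodes `xn--` labels with Python's built-in `idna` codec and approximates each letter's script from its Unicode character name, a heuristic assumed here because `unicodedata` does not expose the Script property. The sample URL is constructed: "apple" spelled with a Cyrillic "а".

```python
import unicodedata
from urllib.parse import urlsplit


def decode_host(url: str) -> str:
    """Return the host of url in Unicode form, decoding any xn-- (punycode) labels."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Host is already Unicode, or the punycode is malformed: inspect it as-is.
        return host


def scripts_in(label: str) -> set[str]:
    """Approximate the script of each letter from its Unicode character name."""
    # The first word of the name ("LATIN", "CYRILLIC", "GREEK", ...) stands in for the
    # Unicode Script property, which unicodedata does not expose. Digits, hyphens and
    # dots are ignored because every script shares them. Heuristic, not exact.
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixed_script_labels(host: str) -> dict[str, set[str]]:
    """Map each DNS label that mixes more than one script to the scripts it uses."""
    flagged = {}
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            flagged[label] = scripts
    return flagged


def homoglyph_report(url: str) -> dict:
    """Run the punycode decode and mixed-script check on one scanned URL."""
    raw_host = urlsplit(url).hostname or ""
    host = decode_host(url)
    return {
        "raw_host": raw_host,
        "unicode_host": host,
        "is_punycode": raw_host != host,
        "mixed_script_labels": mixed_script_labels(host),
    }


# Constructed sample: "apple" spelled with a Cyrillic "а" (U+0430), carried as punycode
# exactly as a QR code would encode it.
SAMPLE_URL = "https://" + "\u0430pple.com".encode("idna").decode("ascii") + "/login"
```

A label written entirely in Cyrillic letters that resemble Latin ones uses one script and passes this check; the lookalike-domain check (number 13 below) is the complement for that case.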

3. IP Address Host Detection

Legitimate businesses use domain names, not raw IP addresses. A QR code pointing to http://192.168.1.1/login or http://45.33.32.156/download.apk is suspicious. Qrivo flags any URL that uses an IP address as the host, since this is a common tactic to avoid domain-based blocklists.

4. Suspicious Port Numbers

Standard web traffic uses ports 80 (HTTP) and 443 (HTTPS). A URL targeting port 8080, 4443, or any non-standard port may indicate a temporary phishing server or a misconfigured staging environment. Qrivo warns you when a URL specifies an unusual port number.

5. URL Shortener Expansion

Services like bit.ly, tinyurl.com, and t.co are legitimate, but they are also frequently used to mask malicious URLs. Qrivo identifies known URL shortener domains and warns that the true destination is hidden behind a redirect. Where possible, it follows the redirect chain to reveal the final URL.

6. Redirect Parameter Detection

Open redirect vulnerabilities allow attackers to craft URLs on legitimate sites that redirect to malicious ones. A URL like https://trusted-site.com/redirect?url=https://evil-site.com exploits the victim's trust in the first domain. Qrivo scans query parameters for redirect-related keys like url, redirect, next, return, and goto.
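Checks 1, 3, 4, 5 and 6 all work on the parsed structure of the URL, so one parser pass can drive them. The following is an added example, not Qrivo's implementation; the shortener domains and redirect keys are the ones named in this article, placed in small constructed lists where a real scanner would load maintained ones.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Constructed lists: the shortener domains and redirect keys named in the article.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}
REDIRECT_KEYS = {"url", "redirect", "next", "return", "goto"}
STANDARD_PORTS = {"http": 80, "https": 443}


def is_ip_host(host: str) -> bool:
    """True when the host is a literal IPv4 or IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def structural_warnings(url: str) -> list[tuple[str, str]]:
    """Return (code, detail) pairs for the scheme, host, port, shortener and redirect checks."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname strips [] from IPv6 literals
    warnings = []
    if parts.scheme != "https":
        warnings.append(("no-https", f"scheme is {parts.scheme or 'missing'!r}"))
    if is_ip_host(host):
        warnings.append(("ip-host", f"host {host} is a raw IP address"))
    try:
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        port = None
        warnings.append(("bad-port", "port is not a valid number"))
    if port is not None and port != STANDARD_PORTS.get(parts.scheme):
        warnings.append(("odd-port", f"non-standard port {port}"))
    if host in SHORTENER_DOMAINS:
        warnings.append(("shortener", f"{host} hides the destination behind a redirect"))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in REDIRECT_KEYS:
            detail = f"parameter {key!r} -> {value!r}"
            if value.startswith(("http://", "https://", "//")):
                detail += " (points to another site)"
            warnings.append(("redirect-param", detail))
    return warnings
```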

7. Encoded Character Analysis

Percent-encoded characters (%XX) can hide the true nature of a URL. While some encoding is normal (spaces become %20), excessive encoding is suspicious. Attackers use double or triple encoding to bypass security filters. Qrivo decodes URLs and flags excessive or unusual encoding patterns.
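One way to make "excessive or unusual encoding" concrete, as an added example rather than Qrivo's own logic: decode repeatedly to detect nesting, count escapes against length, and look for characters that never need encoding at all. The 25% threshold and the five-round limit are illustrative choices assumed here.

```python
import re
import string
from urllib.parse import unquote, urlsplit

UNRESERVED = set(string.ascii_letters + string.digits + "-._~")  # never need encoding
DELIMITERS = set(":/?#@")  # change how a URL is parsed when they appear literally
PERCENT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_rounds(text: str, limit: int = 5) -> tuple[str, int]:
    """Percent-decode until the text stops changing; return (final text, rounds used)."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def encoding_warnings(url: str) -> list[tuple[str, str]]:
    """Return (code, detail) pairs for nested, excessive or needless percent-encoding."""
    warnings = []
    final, rounds = decode_rounds(url)
    if rounds > 1:
        # A second round only changes the string if "%25" was hiding another escape.
        warnings.append(("nested-encoding", f"{rounds} rounds needed, final: {final}"))
    escapes = PERCENT_ESCAPE.findall(url)
    if url and len(escapes) * 3 / len(url) > 0.25:  # illustrative threshold
        warnings.append(("excessive-encoding", f"{len(escapes)} escapes in {len(url)} chars"))
    needless = sorted({chr(int(h, 16)) for h in escapes} & UNRESERVED)
    if needless:
        # %6C for "l" or %2E for "." serves no purpose except to defeat string matching.
        warnings.append(("needless-encoding", f"unreserved chars encoded: {needless}"))
    path_escapes = PERCENT_ESCAPE.findall(urlsplit(url).path)
    masked = sorted({chr(int(h, 16)) for h in path_escapes} & DELIMITERS)
    if masked:
        # Encoded delimiters are normal inside query values, unusual inside the path.
        warnings.append(("masked-delimiter", f"delimiters encoded in path: {masked}"))
    return warnings
```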

8. Known Malware Domain Matching

Qrivo maintains a local database of known malicious domains compiled from public threat intelligence feeds. Every scanned URL is checked against this list. The database updates regularly to keep pace with newly discovered threats.

9. Suspicious TLD Analysis

Certain top-level domains are disproportionately associated with malicious activity. While no TLD is inherently bad, some have more permissive registration policies that attract abuse. Qrivo applies higher scrutiny to URLs using TLDs with historically high abuse rates.

10. Data URI Detection

Data URIs embed content directly in the URL using the data: scheme. While useful for small images, they can also embed HTML pages with malicious JavaScript. A QR code containing a data URI that renders a fake login page is a real threat. Qrivo blocks data URIs by default and warns the user.

11. JavaScript URI Detection

The javascript: URI scheme executes code directly in the browser. Any QR code containing a JavaScript URI is almost certainly malicious. Qrivo blocks these outright with no option to override.

12. Excessive Subdomain Analysis

URLs with many subdomains like secure.login.account.verify.example.com are often crafted to make the meaningful part of the domain (which may be malicious) scroll out of view on mobile browsers. Qrivo counts subdomain levels and flags anything beyond three as suspicious.

13. Lookalike Domain Detection

Beyond homoglyphs, attackers also use character substitution and transposition to create domains that look like popular brands: "g00gle.com", "paypa1.com", "arnazon.com". Qrivo checks scanned domains against a list of commonly impersonated brands and flags near-matches using Levenshtein distance calculations.
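The near-match comparison in check 13, as an added example that is not Qrivo's code. It compares the registrable label of the host against a constructed brand watchlist with Levenshtein distance, and also reports a brand name that appears only as a subdomain, the pattern check 12 describes. The brand list, the distance threshold of 2 and the short public-suffix table are assumptions for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed watchlist of commonly impersonated brands; a real scanner loads its own.
BRANDS = ("amazon", "apple", "google", "microsoft", "paypal")
# Constructed: a few multi-part public suffixes so "shop.co.uk" yields "shop", not "co".
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between a and b, two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """The label someone actually registered: 'paypa1' for 'www.paypa1.com'."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_brand(url: str, max_distance: int = 2) -> Optional[tuple[str, int]]:
    """Return (brand, distance) if the host impersonates a watched brand, else None.

    Distance 0 means a brand name appears only as a subdomain (paypal.com.evil.example),
    so the registrable part belongs to someone else. An exact registrable match is the
    brand's own domain and returns None.
    """
    host = (urlsplit(url).hostname or "").lower()
    label = registrable_label(host)
    if label in BRANDS:
        return None
    for other in host.split("."):
        if other != label and other in BRANDS:
            return (other, 0)
    best = min(BRANDS, key=lambda brand: levenshtein(label, brand))
    distance = levenshtein(label, best)
    return (best, distance) if distance <= max_distance else None
```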

14. File Extension Analysis

A URL ending in .apk, .exe, .dmg, or .msi points to an executable or installer download. While this is sometimes legitimate (app download pages), it is also a common malware distribution method. Qrivo warns before opening any URL that appears to directly download an executable file.

15. Content Type Mismatch Warning

When Qrivo follows a URL, it checks the Content-Type header of the response. If a URL that appears to be a webpage actually serves a file download, or if the content type does not match expectations, Qrivo alerts the user. This catches scenarios where a seemingly harmless link actually triggers a file download.

What You Should Do

Even with 15 automated checks, your own awareness is your best defense. Always preview the URL before opening it. Be especially cautious with QR codes in public places where anyone could have placed a sticker over the original code. If something looks suspicious, trust your instincts and do not open it.

Qrivo shows you the decoded content before taking any action. You see the raw URL, the security assessment, and any warnings, all before you decide whether to proceed. This preview-first approach puts you in control every time.

Try GetQrivo Free

Scan, create, and organize QR codes and barcodes with 15 built-in safety checks. Available on iOS and Android.
