1. Why You Can't Trust a QR Code Visually
Pick up two QR codes side by side: one leads to your favorite restaurant's menu, the other to a phishing page designed to steal your banking credentials. They look identical. The same black-and-white grid. The same innocuous square. You will not see the difference — and that's precisely what makes malicious QR codes one of the most insidious threats of the digital era.
Unlike a suspicious link in an email — where a careful reader can hover over it and spot "paypa1.com" instead of "paypal.com" — a QR code offers no visual preview of its destination. The encoded URL is completely opaque. You only find out where it goes after you've already scanned it.
⚠️ A physical threat too
Cybercriminals don't only operate online. Stickers containing malicious QR codes have been documented in parking garages, on restaurant tables, in train stations, and on ATMs — placed directly over legitimate codes. In 2025, the FBI issued a nationwide warning about this practice in the United States.
Fortunately, there's a simple and free solution: running your QR code or URL through DoItQR's Diagnostic tool before you interact with it. Let's break down exactly how it works.
2. The Quishing Threat: Stats That Should Worry You
Quishing — the portmanteau of QR code and phishing — is growing at an alarming pace. Here's what the data says in 2026:
| Indicator | Figure | Source |
|---|---|---|
| Share of phishing attacks using QR codes | 12% in 2025 (vs 0.8% in 2021) | Keepnet Labs, 2026 |
| Rise in quishing attacks (2023) | +587% in one year | Keepnet Labs, 2026 |
| Users who don't verify before scanning | 77% scan without checking | NordVPN study, 2026 |
| Users who've encountered a malicious QR code | 15% of surveyed users | NordVPN, 2026 |
| Target profile | Mobile users represent 68% of victims | Proofpoint, 2025 |
💡 Why mobile users are the primary target
Corporate laptops are protected by antivirus, DNS filtering, and endpoint detection tools. Your smartphone typically has none of these defenses. Palo Alto Networks Unit 42 specifically frames quishing as "phishing at the edge of the web and mobile" — a gap in most organizations' security posture.
The threat is real, documented, and growing. And traditional security filters are largely blind to it: a QR code is an image — anti-spam tools scan text, not pixels. That's why a dedicated URL analyzer like DoItQR Diagnostic fills a critical gap.
3. What Does DoItQR Diagnostic Actually Check?
DoItQR Diagnostic is not a simple "this link is safe/unsafe" binary checker. It runs your submission through 17 distinct security criteria, covering every major attack vector used by modern quishing campaigns. Here's what it analyzes:
Domain & URL reputation
- Domain age — freshly registered domains (under 30 days) are a major red flag
- Domain reputation against known threat intelligence databases
- Presence on public blocklists (Google Safe Browsing, OpenPhish, etc.)
- TLD analysis — certain top-level domains have disproportionately high abuse rates
- WHOIS data checks — is the registrant hidden behind a privacy shield on a suspicious registrar?
Redirect chain analysis
- Detection of URL shorteners masking the true destination (bit.ly, t.co, tinyurl, etc.)
- Multi-hop redirect chains — every intermediate step is followed and inspected
- Detection of open redirectors on legitimate domains used to bypass filters
- Final destination verification — where does the link actually end up?
Content & behavioral signals
- HTTPS validity and certificate inspection
- Presence of credential-harvesting forms (fake login, payment fields)
- Detection of typosquatting — domains mimicking trusted brands (g00gle, paypa1, arnazon)
- IP geolocation mismatches — brand from country A, server hosted in country B
- Similarity score against known phishing templates
- Detection of obfuscation techniques designed to bypass automated scanners
✅ 17 criteria, not 1
Most casual URL checkers give you a single score from one database. DoItQR Diagnostic layers multiple independent signals, which dramatically reduces both false positives (safe links flagged as dangerous) and false negatives (dangerous links marked as safe).
4. Step-by-Step: How to Use DoItQR Diagnostic
The tool works in three ways: by uploading an image of a QR code, by pasting a URL directly, or by scanning a code live from your camera. Here's how to use each method.
Method A — Analyze a QR code image
- Go to doitqr.com/diagnostic from any browser (desktop or mobile).
- Click the image icon (🖼️) to switch to image upload mode.
- Upload a screenshot or photo of the QR code you want to check (PNG, JPG, GIF, WEBP accepted).
- The tool decodes the QR code, extracts the encoded URL, and runs the full 17-point analysis automatically.
- Read your results — a color-coded report details every criterion checked and flags anything suspicious.
Method B — Analyze a URL directly
- Go to doitqr.com/diagnostic.
- Select the link icon (🔗) to switch to URL input mode.
- Paste the full URL you want to verify (copied from an email, a message, or a shortened link).
- Click Analyze. The diagnostic engine resolves all redirects and follows the full chain to the final destination.
- Review the detailed results report.
Method C — Scan live with your camera
- Go to doitqr.com/diagnostic on your mobile device.
- Tap the camera icon (📷) to activate your device's camera.
- Point it at the QR code you want to check — on a poster, a table card, a package, or a screen.
- The tool reads the code, extracts the URL, and launches the full analysis without opening the link first.
- You'll see the security report before ever touching the destination.
🔒 Your privacy is protected
DoItQR Diagnostic never opens the suspicious URL on your device. All checks happen server-side, meaning your browser and phone are never exposed to the potentially malicious content during analysis.
🛡️ Analyze your QR code now — it's free
No sign-up, no installation, no subscription. Paste your URL or upload your QR code image and get an instant security report.
5. How to Read Your Results
Once the analysis completes, DoItQR Diagnostic displays a structured report. Here's how to interpret it:
| Result color | Meaning | Recommended action |
|---|---|---|
| 🟢 Clear | All 17 criteria pass — no threat detected | Safe to proceed, but stay alert |
| 🟡 Suspicious | One or more warning signals detected (e.g., recent domain, URL shortener) | Approach with caution — verify the source independently |
| 🔴 Dangerous | One or more criteria definitively flag a known threat | Do not open. Report the source if possible. |
Each criterion is listed individually in the report with its pass/fail status and a brief explanation of why it was flagged. This transparency lets you understand exactly what triggered the alert — not just a black-box "unsafe" verdict.
🧠 A "suspicious" result doesn't always mean danger
A brand-new startup website might score "suspicious" simply because its domain is less than 30 days old — not because it's malicious. Context matters. Use the detailed per-criterion breakdown to make an informed judgment.
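To make the per-criterion report and the three-colour verdict concrete, here is a small URL triage script. It is an added illustration written for this article, not DoItQR's code, and it covers only a handful of the static checks listed in section 3 (HTTPS, raw-IP hosts, embedded credentials, URL shorteners, risky TLDs, look-alike brand names, a blocklist hit, and domain age). The shortener, TLD, brand and blocklist sets are constructed for the example; a real analyzer feeds them from threat-intelligence and public-suffix data, and obtains the domain age from WHOIS rather than taking it as a parameter. Each check records a severity, so that "warning" signals yield Suspicious while definitive signals yield Dangerous, exactly as the table above describes.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed reference data for the example (a real tool uses live feeds).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
RISKY_TLDS = {"zip", "top", "xyz", "info"}
BRANDS = {"google": "google.com", "paypal": "paypal.com",
          "amazon": "amazon.com", "fedex": "fedex.com"}
BLOCKLIST = {"example-phish.test"}      # stands in for Safe Browsing / OpenPhish hits
NEW_DOMAIN_DAYS = 30                    # "freshly registered" threshold from the article
# Characters commonly swapped for Latin letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real analyzer uses the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Fold look-alike characters so g00gle, paypa1 and arnazon read as the brand."""
    folded = label.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w").replace("-", "")


def analyse(url: str, domain_age_days: Optional[int] = None) -> list:
    """Return one {criterion, passed, severity, note} entry per check.

    domain_age_days is supplied by the caller here; the real tool reads it
    from WHOIS. Severity 'danger' marks a definitive signal, 'warn' a hint.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    sld, tld = domain.split(".")[0], domain.rsplit(".", 1)[-1]
    results = []

    def check(name, passed, severity, note=""):
        results.append({"criterion": name, "passed": passed,
                        "severity": severity, "note": "" if passed else note})

    check("https", parts.scheme == "https", "warn", "plain HTTP, no transport protection")
    try:
        ipaddress.ip_address(host)
        check("hostname", False, "warn", "raw IP address instead of a domain name")
    except ValueError:
        check("hostname", True, "warn")
    check("credentials_in_authority", "@" not in parts.netloc, "danger",
          "user@host form hides the real host from a casual reader")
    check("url_shortener", domain not in SHORTENERS, "warn",
          f"{domain} masks the final destination")
    check("risky_tld", tld not in RISKY_TLDS, "warn", f".{tld} has a high abuse rate")
    imitated = next((b for b, legit in BRANDS.items()
                     if b in normalise(sld) and domain != legit), None)
    check("typosquatting", imitated is None, "danger",
          f"{domain} imitates {imitated}" if imitated else "")
    check("blocklist", domain not in BLOCKLIST, "danger",
          "listed by a threat-intelligence feed")
    if domain_age_days is not None:
        check("domain_age", domain_age_days >= NEW_DOMAIN_DAYS, "warn",
              f"registered {domain_age_days} days ago")
    return results


def failed_criteria(results: list) -> list:
    """Names of the criteria that did not pass, in report order."""
    return [r["criterion"] for r in results if not r["passed"]]


def verdict(results: list) -> str:
    """Roll per-criterion results up into the report's three colours."""
    failed = [r for r in results if not r["passed"]]
    if any(r["severity"] == "danger" for r in failed):
        return "dangerous"
    return "suspicious" if failed else "clear"


if __name__ == "__main__":
    samples = ["https://www.google.com/maps", "https://bit.ly/3abc",
               "http://paypa1.com/login", "https://fed-ex-delivery.info/track"]
    for u in samples:
        rs = analyse(u)
        print(verdict(rs).upper(), u)
        for r in rs:
            if not r["passed"]:
                print("   -", r["criterion"] + ":", r["note"])
```

Note how a brand-new but honest site (`analyse("https://fresh-startup.com/", domain_age_days=5)`) lands on Suspicious purely on age, which is the false-positive case the callout above warns about; the per-criterion notes are what let a reader tell that apart from a typosquatted domain, which is marked Dangerous.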
6. Common Malicious Scenarios Detected by DoItQR Diagnostic
Based on documented quishing campaigns, here are the most frequent attack patterns the tool catches:
The fake parking meter QR code
Cybercriminals place stickers over legitimate parking payment QR codes. The fake code redirects to a spoofed payment page that collects credit card numbers. The redirect chain typically goes: shortened URL → intermediate cloaking page → fake payment form. DoItQR Diagnostic traces every hop.
The fake package delivery notification
An SMS or email claims your package is on hold and includes a QR code to "confirm your address." The code leads to a page impersonating FedEx, UPS, or your national postal service, designed to harvest credentials or payment details. Typosquatting detection catches domains like "fed-ex-delivery[.]info".
The fake restaurant Wi-Fi or menu QR
A sticker placed on a restaurant table or window replaces the legitimate QR code. Scanning it may silently install a browser extension or redirect you to a spoofed login page. The domain's 2-day age and lack of an SSL certificate would be flagged immediately by the diagnostic.
The corporate "IT security update" email
A QR code in a business email claims to link to a mandatory security training or VPN update. It redirects through an open redirector on a legitimate platform (Google, Microsoft) to a credential phishing page. DoItQR Diagnostic follows the full redirect chain regardless of how trusted the first hop appears.
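The two chains just described (shortener → cloaking page → fake form, and open redirector on a trusted platform → phishing page) are what a redirect tracer has to walk hop by hop. The script below is an added example, not DoItQR's code: it follows HTTP 3xx `Location` headers with a hop cap and loop detection, then reports the signals the article lists (a shortener in the chain, a trusted domain forwarding off-site, a final host that differs from the first hop). Because it runs on the analyzer's side, the "network" here is a constructed table of responses injected through the `fetch` parameter, so the script runs offline and nothing is ever opened on the user's device; the `.example` hostnames and the `TRUSTED` set are assumptions for the example.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
TRUSTED = {"google.com", "microsoft.com"}          # assumed list of first-party platforms

# Constructed stand-in for server-side HEAD requests: URL -> (status, Location).
FAKE_NET = {
    "https://bit.ly/pay-now": (301, "https://cloak.example/go?u=https://pay-meter.example/form"),
    "https://cloak.example/go?u=https://pay-meter.example/form": (302, "https://pay-meter.example/form"),
    "https://pay-meter.example/form": (200, None),
    "https://www.google.com/url?q=https://login-portal.example/sso": (302, "https://login-portal.example/sso"),
    "https://login-portal.example/sso": (200, None),
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}


def fake_fetch(url):
    """Return (status, location) from the constructed table; unknown URLs give 404."""
    return FAKE_NET.get(url, (404, None))


def registrable_domain(url):
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def follow_redirects(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Walk 3xx responses from url. Returns (hops, status) where status is
    'ok' (reached a non-redirect), 'loop' or 'too_many_hops'."""
    hops, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if not (300 <= status < 400 and location):
            return hops, "ok"
        nxt = urljoin(hops[-1], location)   # resolve relative Location headers
        hops.append(nxt)
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
    return hops, "too_many_hops"


def chain_signals(hops):
    """Human-readable findings about a resolved redirect chain."""
    signals = []
    domains = [registrable_domain(h) for h in hops]
    for i, dom in enumerate(domains[:-1]):
        if dom in SHORTENERS:
            signals.append(f"hop {i}: shortener {dom} hides the destination")
        if dom in TRUSTED and domains[i + 1] not in TRUSTED:
            signals.append(f"hop {i}: open redirector on trusted {dom} forwards to {domains[i + 1]}")
    if len(hops) > 1 and domains[-1] != domains[0]:
        signals.append(f"final destination {domains[-1]} differs from first hop {domains[0]}")
    return signals


if __name__ == "__main__":
    for start in ("https://bit.ly/pay-now",
                  "https://www.google.com/url?q=https://login-portal.example/sso",
                  "https://loop.example/a"):
        hops, status = follow_redirects(start)
        print(status, "->", " => ".join(hops))
        for s in chain_signals(hops):
            print("   -", s)
```

The hop cap and the `seen` set are not cosmetic: a cloaking page that redirects back to itself, or an unbounded chain, would otherwise stall the analyzer, which is a cheap way for an attacker to hide the final destination from automated tracing.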
🎯 Executives are targeted 40× more often
Senior managers are disproportionately targeted by quishing attacks precisely because compromising their credentials unlocks high-value systems. If you handle sensitive corporate data, systematic QR code verification should be a non-negotiable habit.
7. What to Do After a Suspicious or Dangerous Result
If DoItQR flags a QR code as dangerous:
- Do not open the link on any device — the analysis is conclusive enough to act on
- Report the QR code to your national cybersecurity authority (CISA, NCSC, ANSSI, etc.)
- If the code was on a physical surface, notify the venue immediately so they can remove it
- If you already scanned it and entered data, change your passwords immediately and contact your bank
- Share the diagnostic result URL with colleagues or family who may have encountered the same code
If you already scanned a suspicious QR code before checking:
- Run the URL through DoItQR Diagnostic immediately to assess the risk level
- If you entered any credentials, change them now — don't wait
- Enable two-factor authentication (2FA) on any affected account
- Check your bank and card statements for unauthorized transactions
- Run a malware scan on your device if you clicked through to an unknown site
- Alert your IT department if this happened on a work device
"Scammers can replace a legitimate QR code with a malicious one in seconds, making every public QR code a potential trap." — Adrianus Warmenhoven, NordVPN cybersecurity expert, 2026
8. Pro Tips to Stay Safe
Beyond using DoItQR Diagnostic, these habits will significantly reduce your exposure:
- Always read the URL preview your phone displays before tapping — most QR scanner apps show the destination URL first
- Physically inspect QR codes in public spaces — look for stickers placed over the original print
- Be extra skeptical of QR codes that create urgency: "Your account will be suspended in 24 hours"
- Never enter payment or login details on a page reached via an unverified QR code
- Prefer official apps over QR-linked pages for banking, delivery tracking, and social media login
- Keep your phone OS and apps updated — security patches matter
- Enable 2FA on all important accounts — even if credentials are stolen, the attacker can't log in
📱 iOS and Android built-in QR scanning is basic
The native camera apps on smartphones decode QR codes and show you the URL — but they don't run any security analysis. They will happily display "paypa1.com" without flagging that it's not "paypal.com". DoItQR Diagnostic adds the layer of verification your phone's camera doesn't provide.
🔍 Also: scan a QR code online
Need to read a QR code without a phone camera? Use DoItQR's online scanner — no app, no installation, straight from your browser.
9. Conclusion: Verify First, Scan Second
Malicious QR codes — quishing attacks — are one of the fastest-growing cybersecurity threats of 2026. They exploit a simple truth: a QR code is inherently opaque. You can't read its destination without scanning, and once you've scanned, it may already be too late.
DoItQR Diagnostic flips that equation. By running 17 security criteria across every URL, redirect hop, and domain signal before you ever interact with the link, it gives you the information you need to make a safe decision — in seconds, for free, from any device.
The habit is simple: when in doubt, diagnose first. A malicious QR code is indistinguishable from a legitimate one to the naked eye. But it's not indistinguishable to a purpose-built security analyzer.
A QR code is a locked box. Before you open it, let DoItQR Diagnostic tell you what's inside.
🛡️ Protect yourself — run the diagnostic now
Free, instant, no sign-up. Paste any URL or upload any QR code image and get your security report in seconds.
🔗 Sources and useful links
- DoItQR Diagnostic — Free QR code & link security analyzer
- DoItQR Scanner — Read a QR code online
- DoItQR — Malicious QR Code: How to Detect and Avoid Quishing in 2026
- Is This QR Safe? — QR Code Phishing (Quishing): The Complete 2026 Guide
- Proofpoint — Malicious QR Code Detection in Email Takes a Leap Forward
- Uniqode — Are QR Codes Safe? How to Check if a QR Code is Safe (2026)
- ANY.RUN — Automatically Detect QR Codes and Extract Their Contents