
How to Check if a QR Code is Safe

A practical step-by-step guide to verifying QR codes before scanning

January 20, 2026 6 min read

With QR code scams on the rise, knowing how to verify a QR code before scanning is an essential digital safety skill. This guide walks you through the exact process professionals use to check QR codes – and it only takes about 30 seconds.

Quick Summary

Don't scan directly. Photograph the QR code → Upload to a safety checker → Review the URL → Only visit if the Trust Score is high. That's it.

Why You Should Verify QR Codes

When you scan a QR code with your phone's camera, you can't see where it leads until you've already clicked through. By that point, you might be on a phishing page that looks exactly like your bank, a fake payment portal, or a site that downloads malware.

The fundamental problem is that QR codes are opaque. Unlike clickable links where you can hover to preview the URL, QR codes hide their destination completely. This opacity is what makes them perfect for attackers.

The solution is simple: decode the QR code first, analyze the URL, and only then decide whether to visit. This is exactly what security professionals do, and now you can do it too.

Step-by-Step: How to Verify a QR Code

1. Photograph the QR Code

Instead of scanning the QR code directly with your phone's camera, take a photograph or screenshot of it. This captures the QR code as an image file without triggering any redirect.

Tip: On most phones, you can open your camera app and take a regular photo instead of using the QR scanner feature. Or take a screenshot if you're viewing the QR code on a screen.

2. Upload to a QR Safety Checker

Navigate to a QR code safety checker like RexoGate's QR Code Safety Checker. Upload or drag-and-drop your QR code image into the tool.

Why RexoGate: Unlike some checkers, RexoGate processes everything locally in your browser. Your QR code image is never uploaded to any server, ensuring complete privacy.

3. Review the Destination URL

The tool will decode the QR code and reveal the hidden URL. Before looking at any analysis, examine the URL yourself for obvious red flags:

  • Does the domain look right? Watch for typosquatting (paypa1.com, amaz0n.com)
  • Is it HTTPS? Legitimate sites use secure connections, but HTTPS alone does not make a site trustworthy
  • Is it a known URL shortener? Shortened URLs hide the real destination
  • Does the domain match expectations? A parking meter should link to city.gov, not random-site.xyz

Warning: Just because a URL contains "google" or "paypal" doesn't mean it's legitimate. Check the actual domain (the part right before .com/.net/etc).
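
The check described in the warning above, as an added example (not code from this guide or from RexoGate): it parses the decoded URL and compares its real hostname with the domain you expect, and also catches digit-for-letter lookalikes such as paypa1.com. The function names, the swap table and the sample `.example` hosts are assumptions made for illustration.

```javascript
// Added example: compare a decoded QR URL's real hostname with the domain you expect.
// The swap table and all sample URLs are constructed for illustration.

// Digit-for-letter swaps seen in typosquatted names (paypa1, amaz0n, g00gle).
const LOOKALIKES = { "0": "o", "1": "l", "3": "e", "5": "s" };

function normalizeLookalikes(label) {
  return label.replace(/[0135]/g, (c) => LOOKALIKES[c]);
}

// Returns "match", "lookalike" or "mismatch" for a URL against an expected domain.
function classifyHost(rawUrl, expectedDomain) {
  let host;
  try {
    // The URL parser separates userinfo ("user@") and the path from the hostname,
    // so a brand name placed before "@" or after "/" cannot pose as the domain.
    host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return "mismatch"; // not a parseable absolute URL
  }
  const expected = expectedDomain.toLowerCase();

  // Exact host, or a true subdomain of the expected domain.
  if (host === expected || host.endsWith("." + expected)) return "match";

  // Same test after undoing digit swaps: the name only looks like the expected one.
  const normalized = host.split(".").map(normalizeLookalikes).join(".");
  if (normalized === expected || normalized.endsWith("." + expected)) {
    return "lookalike";
  }
  return "mismatch";
}

console.log(classifyHost("https://www.paypal.com/signin", "paypal.com"));
console.log(classifyHost("https://paypa1.com/login", "paypal.com"));
console.log(classifyHost("https://paypal.com.account-check.example/", "paypal.com"));
console.log(classifyHost("https://paypal.com@login.example/", "paypal.com"));
```

A brand name that appears as a subdomain of another domain, or before an `@`, is reported as a mismatch because the hostname the browser would actually contact is a different one.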

4. Check the Trust Score Analysis

RexoGate analyzes the URL against 14 different risk indicators and provides a Trust Score from 0-100:

  • 60-100: Likely Safe
  • 30-59: Suspicious
  • 0-29: Dangerous

The tool also lists specific risk factors detected, such as "Insecure Protocol (HTTP)", "Typosquatting Pattern Detected", or "Suspicious TLD".

5. Make Your Decision

Based on the URL review and Trust Score, decide whether to proceed:

High Score + Legit Domain: Safe to visit
Medium Score: Proceed with caution, don't enter sensitive info
Low Score / Red Flags: Do not visit – it's likely a scam

What RexoGate Checks For

Behind the Trust Score is a comprehensive analysis covering these risk factors:

  • Protocol Security: HTTP vs HTTPS
  • Direct IP Access: URLs using raw IP addresses instead of domains
  • Punycode Attacks: Homograph domains using Unicode tricks
  • Suspicious TLDs: High-risk extensions like .tk, .xyz, .ml
  • URL Shorteners: bit.ly, tinyurl that hide destinations
  • Dangerous Files: Links to .exe, .apk, .dmg downloads
  • Phishing Keywords: "verify", "login", "update account", etc.
  • Typosquatting: Brand name misspellings (g00gle, paypa1)
  • Excessive Subdomains: login.secure.verify.bank.evil.com patterns
  • Special Characters: @ symbols used for URL spoofing
  • Credential Parameters: Suspicious query strings
  • Double Extensions: file.pdf.exe disguises
  • URL Encoding: Excessive percent-encoding
  • URL Length: Abnormally long URLs used for obfuscation
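
An added example (not RexoGate's code, and not from this guide) that flags several of the indicators listed above on a decoded URL. The flag names, the thresholds and the sample URLs are assumptions made for illustration; the TLDs, shorteners and file extensions are the ones named in the list.

```javascript
// Added example: flag some of the listed indicators on one decoded URL.
// Thresholds are illustrative assumptions, not RexoGate's rules.
const SUSPICIOUS_TLDS = ["tk", "xyz", "ml"];
const SHORTENERS = ["bit.ly", "tinyurl.com"];
const DANGEROUS_EXT = ["exe", "apk", "dmg"];
const MAX_HOST_LABELS = 4;      // assumed: more labels counts as excessive subdomains
const MAX_PERCENT_ESCAPES = 5;  // assumed
const MAX_URL_LENGTH = 200;     // assumed

function riskFlags(rawUrl) {
  const url = new URL(rawUrl); // throws on unparseable input
  const host = url.hostname.toLowerCase();
  const labels = host.split(".");
  const flags = [];

  if (url.protocol === "http:") flags.push("insecure-protocol");
  // The parser normalizes IPv4 hosts to dotted decimal and brackets IPv6 hosts.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
  if (isIp) flags.push("direct-ip");
  // Unicode hostnames are converted to their "xn--" (Punycode) form by the parser.
  if (labels.some((l) => l.startsWith("xn--"))) flags.push("punycode");
  if (!isIp && SUSPICIOUS_TLDS.includes(labels[labels.length - 1])) {
    flags.push("suspicious-tld");
  }
  if (SHORTENERS.includes(host)) flags.push("url-shortener");
  // Anything before "@" is userinfo, not the destination host.
  if (url.username || url.password) flags.push("userinfo-at-sign");
  if (!isIp && labels.length > MAX_HOST_LABELS) flags.push("excessive-subdomains");

  // Inspect the last path segment for a risky extension, e.g. file.pdf.exe.
  const parts = url.pathname.split("/").pop().toLowerCase().split(".");
  if (parts.length > 1 && DANGEROUS_EXT.includes(parts[parts.length - 1])) {
    flags.push("dangerous-file");
    if (parts.length > 2) flags.push("double-extension");
  }
  const escapes = (rawUrl.match(/%[0-9a-f]{2}/gi) || []).length;
  if (escapes > MAX_PERCENT_ESCAPES) flags.push("heavy-percent-encoding");
  if (rawUrl.length > MAX_URL_LENGTH) flags.push("long-url");
  return flags;
}

console.log(riskFlags("http://192.0.2.10/invoice.pdf.exe"));
console.log(riskFlags("https://login.secure.verify.bank.evil.com/"));
```

An empty result only means none of these particular patterns were present; it says nothing about what the page behind the URL does.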

Quick Decision Framework

Use this mental checklist when evaluating any QR code:

  1. Does this QR code make sense here? A random QR on a lamppost is suspicious.
  2. Does the domain match what I expect? A parking meter should link to city.gov.
  3. Am I being asked for sensitive information immediately? Legitimate services rarely do this.
  4. Is the Trust Score above 60? If not, don't proceed.
  5. When in doubt, navigate directly. Type the official URL instead of using the QR.

Conclusion

Checking a QR code before scanning takes about 30 seconds and can save you from identity theft, financial fraud, or malware infection. The process is simple:

Photo → Upload → Review → Decide.

Make this a habit, especially for QR codes in public places, unexpected emails, or anywhere payment or login information might be requested. A moment of verification is far easier than recovering from a scam.
