Upload a QR code image or use your camera. We'll decode it, reveal the hidden URL, and check it for phishing signals — all inside your browser.
or click to browse — supports PNG, JPG, and screenshots
Point your camera at a QR code
Unlike a regular link, a QR code conceals the URL completely. You cannot see where it leads until after you scan it. Attackers exploit this by embedding malicious URLs in QR codes placed in emails, printed flyers, parking meters, restaurant menus, and fake package delivery notices.
A typical quishing attack embeds a URL like https://paypal-secure-verify.tk/login in a QR code. The code is placed in an email that looks like it comes from PayPal, a sticker over a legitimate QR code on a poster, or a fake parking ticket. When scanned, your phone opens the phishing page — which looks identical to the real site — and asks for your credentials.
After decoding the QR code, we run the same phishing analysis as our link checker: brand impersonation in domains, suspicious TLDs (.xyz, .tk, .ml), IP address URLs, HTTPS downgrade signals, exposed tokens and credentials in query strings, excessive subdomains, URL encoding tricks, punycode homograph attacks, and more.
QR codes on physical objects — posters, flyers, business cards, product packaging — cannot be copy-pasted. Camera scanning lets you check these codes before your phone opens the link. This is especially important for QR codes in public places, where attackers can stick their own code over a legitimate one.
You upload a QR code image or point your camera at a QR code. The scanner uses the jsQR library to decode the QR code entirely in your browser using JavaScript. If the decoded content is a URL, it automatically runs it through our phishing detection engine — checking for domain spoofing, suspicious TLDs, IP addresses, credential tricks, punycode attacks, and more. Everything happens client-side. Nothing is sent to any server.
No. Your QR code image is processed entirely inside your browser and is never uploaded or transmitted anywhere. The image data exists only in your browser's memory while being decoded, then is discarded. You can verify this yourself by opening your browser's developer tools, switching to the Network tab, and scanning a QR code — you will see zero upload requests.
QR phishing — also called quishing — is a social engineering attack where a malicious URL is embedded inside a QR code. Attackers place these QR codes in phishing emails, printed flyers, fake parking tickets, restaurant menus, or even stickers placed over legitimate QR codes. Because QR codes hide the destination URL, victims cannot see where they are going before scanning. This scanner reveals the hidden URL and checks it for phishing signals before you visit it.
This page lets you manually check a single QR code by uploading an image or using your camera. The PhishClean browser extension provides automatic, real-time protection on every page you visit. It catches phishing pages, password fields on suspicious sites, hidden iframes, JWT tokens in URLs, API keys in source code, authorization headers sent to third-party domains, and QR phishing attempts — all without any manual scanning required.