Are QR codes inherently unsafe?

The QR itself is just a carrier. The risk is that it hides the URL, which reduces user scrutiny and can bypass some scanning.

Can I preview a QR code safely?

Use a scanner that shows the full URL before opening it, and prefer opening unknown QR destinations in an isolated session or on a sacrificial device.

Why does this work better on phones?

Mobile browsers hide more of the URL and make security cues less obvious, which increases conversion for attackers.

Does isolation help on mobile?

If your environment supports managed mobile browsing, isolating untrusted destinations still reduces endpoint exposure and makes sessions disposable.

Category: Phishing & Social Engineering

QR code phishing (quishing) in the browser

QR code phishing (“quishing”) uses a QR code to hide a malicious URL that opens a browser link on a phone or workstation.

Quick answer

QR codes bypass many traditional link previews and filters, pushing users straight into a browser flow where they’re less likely to inspect the destination.

For risky links and login flows, isolation keeps the page off the endpoint by running it in a disposable container and streaming only the rendered output to the user.

When you need this

You’ve seen indicators of this threat in your environment.
Users frequently click unknown links as part of daily work.
You need a control that reduces risk without relying on perfect user judgment.

Last updated

2026-01-29

How it usually happens in the browser

The attacker places a QR code in an email, PDF, poster, package insert, or fake “security update” notice.
The user scans it and lands on a shortened URL or a redirect chain that hides the final domain.
The destination is often a fake login page or a payment capture form.
Victims may complete the flow on mobile where security controls and URL visibility are weaker.

What traditional defenses miss

Email gateways can’t always safely “detonate” a QR code without image analysis.
Users treat QR codes as physical-world trusted objects (posters, lobbies, shipping labels).
On mobile, full domains are truncated and security cues are subtle.

How isolation changes the game

Isolation helps by making untrusted browsing disposable and policy-controlled when QR links are opened in managed browsers.
When sessions are isolated and deleted, risky link explorations don’t leave long-lived browser artifacts behind.
Admins can enforce stricter policies for URL shorteners and newly registered domains where QR codes often point.

See Legba for Chrome

Operational checklist

Block or warn on URL shorteners and unknown redirectors; force them into isolation.
Use device management to ensure work browsing stays within managed browsers on mobile.
Create a safe internal workflow: “verify QR destination” for HR/IT notices and physical signage.
Require step-up auth on sensitive actions if the user arrived via an external link.
Run periodic quishing simulations and measure click-to-credential-entry rate (not just click rate).

FAQs.

References.

01
CISA: Avoiding Social Engineering and Phishing AttacksCISA
02
Cloudflare: Browser IsolationCloudflare

QR code phishing (quishing) in the browser

Quick answer

When you need this

Last updated

How it usually happens in the browser

What traditional defenses miss

How isolation changes the game

Operational checklist

FAQs.

References.

Keep exploring

All guides

All browser threats

Secure apps directory

AI security guides

Your agent needs its Legba.

How it usually happens in the browser

What traditional defenses miss

How isolation changes the game

Operational checklist

FAQs.

Are QR codes inherently unsafe?+

Can I preview a QR code safely?+

Why does this work better on phones?+

Does isolation help on mobile?+

References.

Keep exploring

All guides

All browser threats

Secure apps directory

AI security guides

Your agent needs its Legba.