How do you check if a QR code is safe?

Always scan QR codes from reputable sources and exercise caution when scanning unknown ones. Many payment apps and QR code scanners now include security layers that check the validity of a code before opening it. Consider using these features for added protection.

Can a QR code be hacked?

Scammers can tamper with legitimate QR codes by placing a sticker with a fraudulent one over the original, redirecting individuals to phishing websites. Consider these QR code risks before scanning, especially codes in unsecured locations.

What are the types of QR codes?

There are two main types of QR codes: static and dynamic. Static QR codes contain fixed information that cannot be changed and are often used for simple tasks like sharing website URLs or Wi-Fi passwords. Dynamic QR codes are more versatile. They store a URL that redirects to a webpage, allowing the information to be updated or changed without generating a new code. This makes them suitable for payment, digital menus, and marketing campaigns.

Does a QR code collect your personal information?

A QR code itself does not collect personal information. QR code functionality focuses on bridging an individual’s device and a specific piece of information or online location. However, the website or app it directs people to may request personal information.

What should you do if you accidentally scan a malicious QR code?

If a fraudulent QR code is scanned, follow these steps immediately: Do not provide any personal information or download any files from the website. Run a scan with antivirus software to detect and remove any potential malware. Change passwords for any accessed accounts. Monitor bank accounts and credit reports for any suspicious activity. Report the incident to the relevant authorities, such as Action Fraud in the UK.

PayPal logo

Payments

How safe are QR payment codes?

PayPal Editorial StaffPayPal Editorial Staff

8 January 2025

7 mins read

QR codes are becoming a common sight everywhere, from menus to train tickets. But how do these pixelated squares work, and more important, are they a safe way to pay?

This article includes tips, suggestions, and general information. We recommend that you always do your own research and consider getting independent tax, financial, and legal advice before making any important decision.

In this guide, we’ll dive into the technology behind QR code payments, explore common QR code safety concerns, and provide tips on how to make secure transactions.

What is a QR code payment?

A QR code payment allows people to pay for goods or services by scanning a quick response (QR) code with their smartphone or tablet. This code contains payment information directly linked to the merchant's account, allowing for instant transaction processing.

How do QR code payments work?

While scanning a QR code might seem simple, there's a lot happening to process a payment. From generating the code to decoding it, here's how a QR code payment works.

QR code generation

These black and white squares aren’t just random patterns — they’re encoded designs that hold essential QR code information about transactions, including merchant identification details, payment amounts, and transaction identifiers for the specific purchase. Typically, the seller will use a QR code payment app or a point-of-sale (POS) system to generate this unique code.

QR code displaying

Once the QR code is generated, the merchant needs to make it accessible for customers to scan. They may display the QR code in a printed format (e.g., stickers, posters, receipts), on digital screens (e.g., POS terminals, tablets), or on their website or app.

QR code scanning

When the shopper is ready to check out, they'll be prompted to scan the QR code for payment using either a smartphone camera, payment app, or banking app with built-in QR code scanning capabilities. Alternatively, they could use a dedicated QR code reader app.

QR code decoding

After scanning the QR code, a key step happens — decoding. There are two main types of QR codes used for payments, each with a slightly different decoding process:

Static QR codes. These contain fixed information, such as the merchant's account details and a pre-set payment amount. They’re often used for one-time payments or situations where the payment amount is always the same.

Dynamic QR codes. Dynamic QR codes are generated in real time for each transaction, allowing merchants to customise the payment amount, transaction reference, or other specific details for each customer.

Payment authorisation

Once the QR code is decoded and the payment information is retrieved, the payment app displays the transaction details for the customer to review.

Rather than being charged immediately, the customer needs to authorise the payment to proceed. Depending on their preference and payment app, this might involve biometric authentication (e.g., fingerprint scanning, facial recognition), PIN entry, or one-click authorisation.

Transaction processing

Once the payment is authorised, the QR code transaction moves into its final phase — processing. This is where the actual transfer of funds takes place. The customer's payment app securely communicates with the payment network, transmitting the payment instructions and the authorised amount to the merchant.

Once the QR code payment process is complete, the customer receives transaction confirmation via an email or SMS digital receipt, or in-app notification. These record the transaction and offer reassurance that the payment successfully went through.

QR code payments: Safety concerns and preventive tips

QR codes may be handy, but convenience shouldn't come at the cost of security. Like any digital technology, QR code payments have potential vulnerabilities. But there are tips for making payments safer.

Safety concerns

Here are some key QR code security risks and the most common scams:

QR code phishing. Like email phishing scams, QR code phishing involves deceptive codes that redirect individuals to fake websites or apps designed to trick people into entering sensitive information. Learn more about how to prevent phishing.

Malware attacks. Scanning a malicious QR code could lead to downloading harmful software onto devices. QR code malware might steal data, monitor activity, or even take control of a device.

Fraudulent QR codes. Criminals can tamper with legitimate codes, directing payments to their own accounts instead of to the intended merchant.

Preventive tips

While QR code payments are generally safe, vigilance goes a long way. And these QR code safety tips can help:

Double-check the source. Is the QR code displayed by a reputable merchant? Is it professionally printed, or is a dodgy-looking sticker placed on top of something else? If anything seems off, don’t scan it.

Stick to trusted platforms. Use a trusted payment app or digital wallet when scanning a QR code for payment — they’ll typically have security measures in place.

Enable security features. These include two-factor authentication (2FA), biometric authentication (fingerprint or facial recognition), and strong passwords.

Avoid public Wi-Fi. Public Wi-Fi is often unsecured, making data vulnerable to interception. Use mobile data instead.

Here’s more on how PayPal can help protect buyers.

Pay with QR codes using PayPal’s digital wallet

Forget fumbling for cards or cash — PayPal’s digital wallet offers a secure and convenient way to pay with QR codes. Here's how it works:

Access the QR code. Open the PayPal app and choose the QR code option from the homepage.
Scan the code. At checkout, click “Your Code” and let the cashier scan it.
Confirm the payment. Review the transaction information and confirm the payment.
Complete transaction. In this last step, the funds are securely transferred to the merchant.

PayPal QR codes employ encryption to protect financial information. Start paying with QR codes today.

PayPal for You

Shopping & Rewards

Send & Receive

Manage Your Money

PayPal Open

Business Types

Accept Payments

Risk & Operations

Financial Services