You can also watch this video at YouTube.
Watch more videos about related subjects: iPhone (333 videos), Security (133 videos).
Video Summary
In This Tutorial
Learn what QR codes are, how they work on the iPhone, and whether they are safe to use. Understand how to evaluate a QR code based on its source, context, and domain, and how to avoid scams.
What Are QR Codes?
QR codes are just visual representations of URLs. You scan them using the iPhone Camera app, and a link appears for you to tap. They’re useful for quickly going to a webpage without typing a long address. The information is embedded redundantly so they still work if partially damaged.
What Are the Risks Of Using a QR Code?
The risks are the same as clicking any link. You can’t see the full URL before scanning, which can make them feel more suspicious, but they aren't inherently more dangerous than any other kind of link.
You Need To Trust the Source
Only use QR codes from sources you trust. If a friend shares one, or a business you’re interacting with displays one, it’s usually safe. If you wouldn’t click a random link in an email or message, don’t scan a QR code from an untrusted place either.
Consider the Stakes
Context matters. If the QR code leads to something low-stakes like a concert info page or restaurant menu, there’s little risk. Be more cautious if the page asks for personal or financial information.
What About For Tipping?
When tipping via QR code in low-stakes scenarios (buskers, shuttle drivers), the code usually takes you to a payment app like Venmo. These apps act as a barrier, so the person doesn’t see your information. There's little incentive for the code to be misleading.
Does the Domain Name Shown Make Sense?
After scanning, check that the domain name matches what you expect. If it’s a parking meter, it should be from the parking company. If it looks off, don’t proceed.
Worry About QR Code Sent In Emails or Texts
You should never receive QR codes in places where clickable links make more sense, like emails or text messages. That’s a red flag. They may be used to hide the real destination.
Are QR Codes Safer Than Visible URLs?
No. They are no safer than URLs and no more dangerous either. Treat them with the same level of caution as you would any other type of link.
Beware Of Parking Meter Scams
There have been cases where scammers place fake QR codes over real ones at parking meters. Use the official app if available instead of scanning a code. These scams are rare since they require physical tampering, unlike easier online scams.
Video Transcript
Hi, this is Gary with MacMost.com. Are QR codes safe to use? Let's take a look.
Today you see QR codes everywhere. You see them in restaurants. You see them in stores. You'll see them in signs around town. They are those little square boxes with black and white dots in them. To use a QR code you would use the camera app on your iPhone. You would point your iPhone at the QR code and then you would see a link appear at the bottom. You can tap that and it usually go to a webpage or sometimes open an app.
For instance here I'll point my iPhone at this QR code. You can see my website appears underneath. The iPhone recognizes those dots as an URL and will show me the website that I'll go to if I tap that link. Then it will take me there. It will open up my default browser and go to that webpage. If I had to type this out it would take a little time and it would be hard not to make a mistake. This is why QR codes are handy. They make it easier to go to a webpage without having to type something out. It's important to realize this. The QR code is just a URL or web address. That's all it is. It's like that web address but in a different language. A language that's easier for a camera to understand as opposed to a human who actually sees the letters. The advantage of a QR code is it actually embeds the link several times in there. It is repeated. So if some of those dots have gotten smudged or they are not visible for some reason it can still make out what the exact URL is. That is not true if it's a bunch of letters. If a few letters are missing you probably won't be able to figure out where you are supposed to go.
So, what are the risks to using a QR code? Well, they are just links so the risks are essentially the same as using any link. Like one that you would type in or one that you would click from one webpage or maybe from an email address or text message. Clicking links do have risks. QR codes are no different from that. One thing about QR codes that kind of makes them feel riskier is you can't tell what the link is until you hold your iPhones camera up and then you just get the domain name there at the bottom. So QR codes can be misleading. Instead of going to the place that they say they're going to go to they can go someplace completely different. But it is no different if it was a URL that was shortened or some sort of URL that redirects somewhere that was letters. It being a QR code makes it a little harder to figure out where you are actually going, but doesn't actually increase the danger level of where you could go.
So if you are going to use a QR code how can you stay safe? Well, just like any link that you might get, say, an email message or text you want to trust the source. If a friend of yours sends you a link and tells you to check something out you trust them, you go to the link. But if you get a piece of junk mail that has a link in it you don't trust that link. It is the same thing with QR codes. If you go into a restaurant, you sit down at a table, and there's a little sign on the table, use this QR code to view our menu, well, you trust the restaurant. You're actually physically there. You're about to eat there and then pay them afterwards. So there is no reason not to trust that QR code that actually goes to the menu. It is the same thing when you're ready to pay. You would probably hand them your credit card and let them take that away to run the card, at least in the United States that is still pretty much how it is done. So why wouldn't you trust the QR code that appears on the receipt they may give you.
If you find these videos valuable consider joining the more than 2000 others that support MacMost at Patreon. You get exclusive content, course discounts, and more. You can read about it at macmost.com/patreon.
Also, consider the stakes. Like if you see a poster for a concert and there is a QR code to get more information, well it is just going to take you to a page that's just going to show you information like the address for the venue, the time, that kind of thing. Pretty low stakes. You don't expect to go to a page that's going to ask you for personal information for instance. So if you use the QR code and you go there and that's all it is, well the stakes aren't really that high. It's perfectly fine. The same for menus at restaurants. You expect to go to a page to show you the menu. If that's all you see you're fine.
You also may use a QR code for tipping and the stakes are pretty low there as well. For instance, somebody playing music in the park or a shuttle bus driver may show you a QR code that allows you to tip them. These will almost always take you to a payment app like Venmo. When you're paying through Venmo there's barrier between you and the recipient. A person showing you the QR code of course wants to get the few dollars you're going to send them. If your intention is to send $5 to somebody why would that person mislead you about where the $5 is going. It is certainly going to them. It's not like they get any real information about you because there is that app you're using where the money is getting sent through it. It's not like you're logging into a site they created and giving them your credit card information.
Now when you use a QR code, of course check the domain name that it is sending you to, to make sure it makes sense. If it's say a parking meter and the domain name is for the name of that parking meter company then it kind of makes sense. Do be suspicious of QR codes that are used in places where links should be used. For instance you should never get an email or text with a QR code. You're in a place where they can just send you a link and you can click or tap on that link. A QR code can only be used in that situation to obfuscate the location where you're going to.
Now keep in mind while QR codes really aren't any more dangerous than an URL they aren't any safer than an URL either. So you should be just as suspicious of a QR code as any other link. Be on the lookout for scams, especially phishing attacks where either a link or a QR code sends you to someplace where you are not supposed to be and now you're handing over information. If you got an email asking for payment or something you would normally not click on the link but instead go to the website for that company and pay them there. The same thing with a QR code. If you are using an app or you're using a website normally to make payments don't use the QR code just as you wouldn't use the link. Go directly to that site or app.
Now there aren't many real world examples of QR codes being used for scams. But there have been some reports of parking meters where somebody has taken a QR code and pasted it over the official one. So, the rest of the sign or sticker looks legit but when you use the QR code you actually end up going to a scammer's site and giving them information or your payment. But it is easy to get around these and typically parking lots all use different apps that you may already have or you can easily get in the App Store. The logos are usually shown at the parking lot and you can just go into the app and the app will use your GPS location to figure out where you are and let you pay for parking without ever having to scan the code.
So be on the lookout for things like that. But they still seem to be very rare as the scammer has to actually physically do something to run the scam and it's much easier for them to do scams that are just completely online where they can be on the other side of the world.
In summary, it is completely okay to use QR codes in situations where you are just looking to get information, like a menu at a restaurant. It is also okay to use them to pay for something as long as you trust the establishment and the person giving you the QR code, like when you're finished eating at a restaurant. Hope you found this useful. Thanks for watching.
Hi.
That was a great video. I’d just like to add that here in the UK the parking sign scam has been used several times.
The scammers can get your payment, and some personal information, but crucially, you haven’t paid for the parking and so can receive a fine or charge in the post some weeks later.
So, if you are visiting the UK, be very wary of QR codes in car parks.
Thanks bunches
This video Is a bit misleading:
A malicious QR code can lead to stolen logins, bank details, or full account takeovers via phishing sites or fake portals. It may install spyware or rogue profiles, giving attackers control over calls, messages, and internet traffic. Zero-day exploits can let hackers run code on your phone, enabling camera/mic spying, data theft, location tracking, and identity fraud. In worst cases, this can escalate to financial loss and complete device compromise.
Warning: Misleading? Everything you describe is just the same problems that any URL has. That's the point: A QR code is just a URL. It has the same risk level as any URL.
You are right that they are like a URL shortener, which is as problematic, but they often can be expanded before following. Also special characters can fool users (e.g. Latin vs Cyrillic “а”) and the user can't verify it (especially on the tiny preview in the Photos app). And many apps instantly open it without preview.
Furthermore nobody says that the sticker in the restaurant has been put there by the owner.
Taking all issues into account, I am very cautious using them.
To your point on parking meter and other physical items, the FBI has issued an advisory about QR codes in brushing scams. Printing a link on a physical object would require someone to manually enter the link -- but the QR code allows the victim to quickly make the mistake of going to a malicious site. https://www.ic3.gov/PSA/2025/PSA250731