QR Code Scanner

QR Code Scanner

Scan and decode QR codes from images or camera. Read QR code content instantly. Free online QR code reader and barcode scanner

A QR code on a printed poster is easy enough; the friction is when you receive a QR as an image in chat or email and you cannot point your phone at it. This scanner reads QR codes from image uploads, drag-and-drop files, paste-from-clipboard, or your camera — and most importantly, shows you what is INSIDE the QR before opening it. The "QR opens a phishing URL" attack works because users tap before reading; this tool reverses the order.

What a QR code can encode

  • URL — most common. Decoder shows the full URL before you tap.
  • Plain text — note to self, instructions, message.
  • Wi-Fi credentials — WIFI:T:WPA;S:NetworkName;P:Password;; format. Connects automatically if you scan from system camera; here it shows the password.
  • Phone number — tel:+48123456789. Tapping initiates a call.
  • Email — mailto:address@example.com?subject=...&body=...
  • SMS — sms:+48123456789?body=text.
  • vCard / MeCard — contact details.
  • Calendar event — VEVENT iCalendar format.
  • Geo coordinates — geo:51.107,17.038.
  • Bitcoin / crypto address — bitcoin:bc1q... or ethereum:0x...
  • EU Digital COVID Cert / health pass — encoded health attestation (regional variants).

Why scan-before-tap matters

QR-based phishing ("quishing") is the fastest-growing phishing vector since 2023. The pattern: attackers print QR codes that link to login-clone sites and place them in physical locations (restaurant tables, parking meters, EV charging stations) or include them in emails that bypass URL-scanning email filters because email scanners do not decode QR images.

iOS Camera and Android Google Lens preview the URL before opening (since 2019). Most third-party QR scanners do not. The protection is: never tap from inside a scanner app that does not preview the URL. Always check the domain matches the expected source.

Working example

Input

A QR code from a restaurant menu

Output

Decoded:
  Type:    URL
  Content: https://menu.restaurantname.com/cards/2026-spring

Analysis:
  Scheme:  https (encrypted)
  Domain:  menu.restaurantname.com
  Path:    /cards/2026-spring

Domain assessment:
  Registered: 2023-09-15 (legitimately old, established domain)
  Connection: TLS 1.3, valid certificate from Let's Encrypt
  Reputation: clean (no recent abuse reports)

Likely safe. If domain were "rest4urant-name.com" or "menu-restaurantname.org",
close match to a legitimate domain — investigate before tapping.

The scanner showing the URL gives you a chance to spot homograph attacks (Cyrillic а vs Latin a) and typo-squat domains (paypal.com vs paypa1.com) before you visit. For QRs in physical contexts you do not trust (random poster, sticker over an existing one), treat the URL with the skepticism you would a random link in an email.

QR codes you should be cautious about

  • Stickers in public places — easy to apply on top of legitimate signage. EV charging stations, parking meters, restaurant tables are common targets.
  • QR in emails with urgency ("verify your account") — same red flags as phishing links; the QR is a delivery mechanism that bypasses email URL filters.
  • QR in printed letters from "banks" or "tax authorities" — banks and government rarely use QR for sensitive actions; high-effort attacks exist.
  • Shortened URLs inside QR (bit.ly/...) — the destination is opaque. Decode the shortened URL separately to see the real destination.
  • QR claiming to be "free Wi-Fi" — connects you to a network the attacker controls; useful for credential theft and MITM.

When to reach for this tool

  • You received a QR code in an image / PDF / email and want to see what it encodes without a phone.
  • You are testing a QR you generated and want to verify the encoded content is correct.
  • You are auditing a campaign's printed materials — scan a sample to confirm the URL is correct before mass-printing.
  • You are debugging a "the scanner shows the wrong content" issue — comparing your generation tool to a different decoder.

What this tool will not do

  • It will not visit the URL automatically. Decoding shows the content; you decide whether to navigate.
  • It will not assess whether the URL is malicious. Domain reputation is one signal; final judgement requires context (did you expect this QR? does the domain match the source?).
  • It will not decode partial or damaged QR codes reliably. Error correction handles ~7-30% damage depending on the QR's ECC level; severe damage requires generation tools, not scanners.
  • It will not handle codes other than QR. Barcodes (EAN, UPC, Code 128) need a barcode scanner.

Image decoding happens entirely in your browser. QR images uploaded or captured are not transmitted anywhere; safe for confidential content (encryption keys, internal URLs, payment links).

Frequently asked questions

Why does my QR not scan in this tool but works on my phone?

Lighting and angle. Phone cameras adapt exposure live; static image scans depend on the image quality at the moment of capture. Try: rotate the image, increase contrast, crop tightly around the QR, ensure quiet zone (white margin) around the code.

Can I scan from a screen instead of paper?

Yes. Take a screenshot of the QR on screen, upload to the scanner. Or photograph the screen with your phone, upload. Be careful with screen QRs — they can be modified between display and your scan.

What does "error correction" mean in QR?

QR codes embed redundancy so they can be partially damaged and still readable. Four levels: L (7% recovery), M (15%), Q (25%), H (30%). Higher correction = denser code (more "data" represents the same content). Use L/M for clean printing, H for codes that might get scratched or covered by a logo.

Can a QR contain malware?

The QR itself contains text. The risk is what that text causes when interpreted — opening a phishing URL, autoconnecting to a hostile Wi-Fi, autodialing a premium-rate number. The text alone cannot execute code; the dangerous moment is when an app acts on it.

How much data can a QR hold?

Up to ~4,296 alphanumeric characters or 2,953 bytes binary. Most QR codes in practice carry <100 characters. Larger payloads make denser codes that are harder to scan from far away or low resolution.

Are QR codes safe to use for payments?

When generated by a known authority (bank app, payment gateway). When scanned from an unknown source, no — QR-based payment fraud is rising. Banks like to display a transaction summary before confirming, exactly to give users a chance to spot wrong amounts/recipients introduced via QR.

Related tools

QR Code Generator

Create QR codes for URLs, text, WiFi, vCard contacts. Customize colors and download PNG/SVG. Free online QR code maker with logo support

Barcode Generator

Generate EAN-13, UPC-A, Code128, Code39, ITF barcodes. Download as PNG or SVG. Free online barcode maker for products and inventory

URL Encoder & Decoder

Encode and decode URLs online. Convert special characters to percent-encoding for safe URLs. Free URL encoder/decoder tool for developers

Wallet Address Validator

Validate cryptocurrency wallet addresses. Check if Bitcoin, Ethereum, Solana, Litecoin addresses are valid. Detect address type and network

Last updated · E-Utils editorial team