QR Code Security: Prevent Phishing, Verify Scans, and Protect Your Brand
Security best practices for QR code campaigns. Prevent QR phishing attacks, verify webhook signatures, authenticate API keys, and protect your redirect infrastructure.
QR codes bridge the physical and digital worlds — which makes them a target for phishing ("quishing"). Here's how to protect your campaigns and users.
The Quishing Threat
Attackers can place fraudulent QR codes over legitimate ones (sticker attacks) or generate codes that redirect to phishing sites. Victims scan expecting a menu or promotion and end up on a credential-harvesting page.
Prevention Strategies
Use branded short domains: A short URL on a domain you own, such as scan.yourbrand.com/abc, gives people something to verify. Most phone cameras preview the destination before opening it, and a domain that matches the brand on the poster is far easier to check than a generic shortener shared with thousands of other tenants. ScanStack Business plans include custom domain support. Lookalike domains are still possible, so pair this with the monitoring described below.
Use dynamic codes: A dynamic QR code encodes a redirect you control rather than the final URL. If a landing page is compromised or a campaign ends, you change or disable the destination instantly without reprinting anything. Note the limit: a dynamic code does not help when an attacker covers it with a sticker carrying their own code, which is why the physical controls below still matter.
Monitor scan patterns: Feed scan analytics and webhook events into alerting. A sudden spike in scans, or scans from a country or city where the code was never deployed, can mean the code has been copied and placed somewhere else.
Tamper-evident printing: Print QR codes under a laminate or directly on packaging so stickers are obvious.
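Here is what a minimal version of that monitoring can look like, as an added example written for this page rather than code from ScanStack. It runs over a constructed batch of scan events (the field names `ts`, `qr_id` and `country`, and the per-code deployment record `EXPECTED_COUNTRIES`, are assumptions for illustration) and flags both an hourly scan spike and scans from a country where a code was never deployed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median


def _ev(hour, minute, qr_id, country):
    """Build one constructed scan event; the field names are assumptions."""
    return {"ts": f"2024-05-01T{hour:02d}:{minute:02d}:00Z",
            "qr_id": qr_id, "country": country}


# Constructed sample, not real ScanStack data: a cafe menu code in Germany with
# about 3 scans/hour, then 30 scans in one hour, then scans from Brazil; plus a
# quiet poster code that should produce no alert at all.
SAMPLE_EVENTS = (
    [_ev(h, m, "menu-01", "DE") for h in range(8, 14) for m in (5, 25, 45)]
    + [_ev(14, m, "menu-01", "DE") for m in range(0, 60, 2)]
    + [_ev(15, m, "menu-01", "BR") for m in (10, 20)]
    + [_ev(h, 30, "poster-07", "DE") for h in range(8, 16)]
)

# Where each code was physically deployed (assumed deployment record).
EXPECTED_COUNTRIES = {"menu-01": {"DE"}, "poster-07": {"DE"}}


def hourly_counts(events):
    """Bucket scans per code into UTC hours: {qr_id: Counter({hour: n})}."""
    counts = defaultdict(Counter)
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        counts[e["qr_id"]][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def detect_spikes(events, factor=5.0, min_scans=10):
    """Flag any hour whose scan count exceeds factor x the code's median hourly
    count. The median is the baseline because a single spike hour barely moves
    it, unlike the mean. min_scans stops a 0 -> 2 change on a quiet code alerting."""
    alerts = []
    for qr_id, buckets in hourly_counts(events).items():
        baseline = median(buckets.values())
        for hour, n in sorted(buckets.items()):
            if n >= min_scans and n > factor * baseline:
                alerts.append({"qr_id": qr_id, "hour": hour.isoformat(),
                               "scans": n, "baseline": baseline})
    return alerts


def detect_geo_anomalies(events, expected_countries):
    """Count scans per code from countries outside its deployment record.
    Codes with no record are skipped rather than alerting on every scan."""
    unexpected = defaultdict(Counter)
    for e in events:
        allowed = expected_countries.get(e["qr_id"])
        if allowed and e["country"] not in allowed:
            unexpected[e["qr_id"]][e["country"]] += 1
    return {qr_id: dict(c) for qr_id, c in unexpected.items()}


if __name__ == "__main__":
    for a in detect_spikes(SAMPLE_EVENTS):
        print(f"SPIKE {a['qr_id']} {a['hour']}: {a['scans']} scans vs baseline {a['baseline']}")
    for qr_id, countries in detect_geo_anomalies(SAMPLE_EVENTS, EXPECTED_COUNTRIES).items():
        print(f"GEO   {qr_id}: unexpected scans from {countries}")
```

A spike alert is the cue to check the physical placement and, for a dynamic code, to pause or redirect it while you investigate. Tune `factor` and `min_scans` per campaign: a launch-day surge is expected and should not page anyone, while thirty scans in an hour on a code that normally gets three deserves a look.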
API Security
- Rotate API keys periodically and use separate keys for dev/staging/production
- Never expose API keys in client-side code or public repositories
- Use environment variables to store keys server-side
- Monitor API usage for unexpected spikes or call patterns that could indicate key compromise, and revoke and reissue the key as soon as compromise is suspected
Webhook Verification
Always verify the HMAC-SHA256 signature on every incoming webhook before acting on it. Compute the HMAC over the raw request body exactly as received (not over a re-serialized copy), compare it to the x-webhook-signature header with a constant-time comparison, and reject the request if the header is missing or does not match. Never trust a webhook payload without that check, even when it arrives over HTTPS. See our webhook guide for code examples.
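As an added example (not the code from the ScanStack webhook guide), the following shows that sequence in Python. It assumes the header carries the lowercase hex HMAC-SHA256 of the raw body; check the webhook guide for the exact encoding and adjust `sign_body` to match. The secret and event payload are constructed values, and the last function reproduces a bug that is easy to introduce: verifying against re-serialized JSON instead of the raw bytes.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for illustration only; not a real secret or event.
SECRET = b"whsec_example_secret_not_real"
SAMPLE_BODY = b'{"event":"scan","qr_id":"abc123","country":"DE","ts":"2024-05-01T14:02:00Z"}'


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw bytes, hex-encoded. The hex encoding is an
    assumption about the header format; the sender computes the same value."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header is present and matches the recomputed MAC.
    hmac.compare_digest runs in constant time, so response timing does not
    reveal how many leading characters of a guessed signature were right."""
    if not header_value:
        return False
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> dict:
    """Verify first, parse second. Header lookup is case-insensitive because
    frameworks differ in how they normalise header names."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, raw_body, lowered.get("x-webhook-signature")):
        raise PermissionError("webhook signature missing or invalid")
    return json.loads(raw_body)


def reserialized_body_matches(secret: bytes, raw_body: bytes) -> bool:
    """The bug: verifying json.dumps(json.loads(body)) instead of the raw bytes.
    Different whitespace or key order changes the MAC, so valid webhooks are
    rejected (and people then 'fix' it by disabling verification)."""
    reserialized = json.dumps(json.loads(raw_body)).encode()
    return verify_signature(secret, reserialized, sign_body(secret, raw_body))


if __name__ == "__main__":
    sig = sign_body(SECRET, SAMPLE_BODY)
    print("valid event:", handle_webhook(SECRET, SAMPLE_BODY, {"X-Webhook-Signature": sig}))
    tampered = SAMPLE_BODY.replace(b'"DE"', b'"US"')
    print("tampered body accepted:", verify_signature(SECRET, tampered, sig))
    print("reserialized body verifies:", reserialized_body_matches(SECRET, SAMPLE_BODY))
```

In a real handler, read the request body as bytes before any JSON middleware touches it, and keep the secret out of the code as the API Security section says. A valid MAC proves the payload came from the holder of the secret, not that it is fresh; if the webhook guide documents a timestamp or event id, check those too so a captured valid delivery cannot be replayed.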
HTTPS Everywhere
All ScanStack redirects use HTTPS. Ensure your landing pages also use HTTPS. A redirect that lands on an HTTP page downgrades the connection and browsers flag the page as not secure, and an HTTPS landing page that loads scripts or images over HTTP triggers mixed-content warnings. Either one erodes the trust the scan was supposed to build.
Security Checklist
- Use dynamic QR codes for all commercial campaigns
- Monitor scan analytics for anomalies
- Verify webhook signatures with HMAC-SHA256 over the raw body, using a constant-time comparison
- Store API keys in environment variables, never in code
- Use HTTPS on all landing pages
- Consider custom domains for brand trust
- Use tamper-evident printing for physical QR codes