Quishing scanner · client-side

What does this QR really go to?

Point your camera, drop an image, or upload a PDF — we decode in your browser, flag homograph + punycode tricks, and surface a cache-hit verdict before you click. Every QR in the file is shown, and our 15-stage scanner takes it from there.

Decode a QR code

Drop an image or PDF, or

Snap a photo, screenshot the QR, or drop a PDF (every page scanned). We decode locally — your file never leaves your browser. If we find a link, we'll hand it to the URL scanner so you see what's on the other end.

Decoded in your browser·Zero upload·PDF supported·Or paste with Ctrl+V
Zero uploadDecoded locally15-stage URL pipelineFree · no account
Under the hood

From QR to verdict, in five steps.

The first three happen in your browser — the image never moves. We only call the URL scanner if you choose to.

  1. Camera, image, or PDF
    Live decode or upload
  2. Decode locally with jsQR
    Browser-side, zero upload
  3. Classify every payload
    URL · wifi · vCard · payment · multi-QR
  4. Cache hit + IDN check
    Punycode-aware verdict pill
  5. Verdict before you visit
    AI + 70+ engines
0
bytes uploaded
decode is fully client-side
< 1s
decode time
even on phone-resolution photos
Live
camera mode
rear camera · 6 fps · torch toggle
PDF
every page scanned
up to 20 pages, 32 MB
How it works

Decode it, classify it, scan it.

Most QR scanners on the web upload your image to their servers and just open the link for you. We do neither. The decode runs in your browser, the URL goes nowhere until you choose, and the verdict comes from the same pipeline that powers our URL scanner.

Decoded in your browser

The QR image, the camera frame, the PDF — none of it leaves your device. We run jsQR (and pdf.js for PDFs) locally on a canvas. The only outbound request is when you choose to scan a decoded URL.

Camera, image, or PDF

Point your camera at a QR for instant decode (rear camera + torch on supported phones), drop a screenshot or photo, or upload a PDF — every page scanned for embedded quishing bait.

Cache-hit + IDN-aware

Decoded URLs are checked against our scan cache for an instant verdict pill. Punycode and mixed-script hosts (paypal.com vs раура1.com) are flagged before you can click handoff.

Multi-QR + non-URL warnings

Every QR in the file is surfaced — useful for sticker-bombed posters and PDF campaigns. Non-URL payloads (Wi-Fi, vCard, crypto wallet, premium-rate dial) get tailored risk warnings.

The threat

Four ways QRs are weaponised against you.

01

Sticker-over-QR in public

An attacker prints a malicious QR sticker and applies it over a legitimate one — parking meter, restaurant menu, charging station, EV charger. Tap, get redirected to a fake payment page, hand over your card.

02

QR in a phishing email

Email-perimeter filters scan links in <a> tags but rarely OCR images. Putting the URL inside a QR sidesteps the filter entirely. "Scan to view your shipping label" / "Scan to verify your account."

03

QR-swap on payment terminals

In countries where QR payment is the default (UPI, WeChat Pay, PIX), scammers swap the merchant's static QR for one that points at their wallet. The customer pays, the merchant never sees the money.

04

Fake Wi-Fi / event QR

A QR code labelled "Free Wi-Fi" connects you to an attacker-controlled access point. From there they can intercept anything you do on the network or push fake captive-portal logins.

Privacy

Your image stays in your browser

We decode the QR using the open-source jsQR library on a <canvas> element inside the page. No upload happens — not when you drop the image, not when you paste a screenshot, not when we render the preview. The only outbound request is when you click Scan this URL, and at that point we send only the URL itself to the URL scanner.

Frequently asked

Quick answers.

Does my QR image get uploaded?
No. The decode happens entirely in your browser using the jsQR library on a <canvas> element. We never see the image, never store it, and never send it anywhere. The only network call happens later — when you choose to scan the decoded URL — and at that point we send only the URL itself.
What's quishing?
Quishing is QR-code phishing: the attacker hides a malicious URL inside a QR code so you can't see the destination before tapping. It's the second-fastest-growing phishing channel because QR codes bypass URL-aware email filters (the link arrives as an image), are trivial to print and stick over real QRs in public, and exploit the assumption that QRs are 'just stickers'.
Can you decode a QR from a live camera?
Yes — switch to the Camera tab. We request the rear camera, run jsQR on every video frame at ~6 fps, and the moment a QR locks in we surface the verdict and stop the stream. Frames never leave your browser. On supported devices we also expose a torch toggle for low-light scans.
Can I scan a PDF?
Yes. Drop a PDF and we render every page locally with pdf.js, then run the same multi-QR decoder against each page. The first 20 pages of any PDF up to 32 MB are scanned. This catches the dominant corporate quishing vector — invoice / shipping label / DocuSign emails with a QR hidden inside the attached PDF that email-perimeter URL filters never see.
What if the image has multiple QR codes?
We surface every QR we find, not just the first. Useful for quishing posters that paste several malicious QRs over legitimate ones (e.g. parking-meter sticker swaps), and for security researchers reviewing a campaign of stickers. Each finding is rendered as its own card with its own verdict pill.
What about IDN homograph attacks?
QR codes are the perfect smuggling vector for them — paypal.com and раура1.com look identical at a phone-screen glance, but the second is xn--ypal-pwc.com when round-tripped through Punycode. Whenever the decoded URL contains non-ASCII or a punycode label, we surface both the visible form AND the real ASCII form, and flag any host that mixes Unicode scripts (Latin + Cyrillic etc.) as a likely homograph attack before you click Scan.
What kinds of QR codes can it read?
Anything that fits the standard QR specification — Versions 1 through 40, all four error-correction levels, plus inverted (light-on-dark) codes. We don't yet decode the variant formats: Data Matrix, PDF417, Aztec, or MaxiCode. If you have one of those, let us know.
What if the QR encodes Wi-Fi credentials, a phone number, or a contact card?
We classify it, lay out the structured fields (SSID, phone number, vCard name, …), and surface a tailored warning explaining what the specific risk is for that kind of payload. Most non-URL payloads aren't actively malicious — but a stranger handing you a QR that auto-dials a premium-rate number, or that joins you to an attacker-controlled Wi-Fi, is still worth a second look.
Why hand off to the URL scanner instead of just opening it?
Because the whole point is to see the verdict before you load the page on your phone. Our URL scanner runs the link through 70+ antivirus engines, sandbox rendering (URLScan.io), Cloudflare Radar reputation, redirect chain tracing, and an AI arbiter that commits to safe / suspicious / malicious with cited reasoning. Takes a few seconds. Saves a lot of regret.
Got a sus QR?

Decode it before you tap it.

Free, anonymous, no account required. Decoded in your browser, scanned through the same 15-stage pipeline that powers our URL scanner. Don't hand your phone to a stranger's QR.

Scan a QR code