QR codes are convenient precisely because they hide their destination — which is also exactly why attackers love them. This tool decodes a QR image in your browser, reveals the embedded URL or text, and runs a battery of phishing heuristics so you can judge a code before you ever point your phone at it.
How it works
Decoding happens in two stages, both local to your browser.
First, the image is drawn onto an off-screen canvas and converted to black-and-white
using Otsu’s method, which automatically picks the threshold that best
separates the dark modules from the light background. The decoder then scans for
the three finder patterns — the nested squares in three corners that follow
the distinctive 1:1:3:1:1 dark-to-light run ratio. From their geometry it
recovers the grid orientation, module size, and QR version, samples every module,
removes the data mask, and reads the byte, numeric, and alphanumeric segments
into the final payload string.
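The two decoding steps just described, Otsu thresholding followed by the 1:1:3:1:1 finder-pattern run test, as an added JavaScript example that is not the inspector's own code. It works on a single scan line rather than a whole canvas, which is enough to show how a finder pattern is recognised; the sample row, the function names and the tolerance of half a module per run are all constructed assumptions.

```javascript
// Added example (not the inspector's code): Otsu's threshold over an 8-bit
// greyscale row, then a 1:1:3:1:1 run-ratio scan for finder-pattern candidates.

// Otsu's method: pick the threshold t that maximises the between-class
// variance of the "dark" (<= t) and "light" (> t) pixel populations.
function otsuThreshold(gray) {
  const hist = new Array(256).fill(0);
  for (const v of gray) hist[v]++;
  const total = gray.length;
  let sumAll = 0;
  for (let i = 0; i < 256; i++) sumAll += i * hist[i];
  let sumB = 0, wB = 0, best = -1, threshold = 0;
  for (let t = 0; t < 256; t++) {
    wB += hist[t];                 // weight of the dark class
    if (wB === 0) continue;
    const wF = total - wB;         // weight of the light class
    if (wF === 0) break;
    sumB += t * hist[t];
    const meanB = sumB / wB;
    const meanF = (sumAll - sumB) / wF;
    const between = wB * wF * (meanB - meanF) ** 2;
    if (between > best) { best = between; threshold = t; }
  }
  return threshold;
}

// Binarise a greyscale row: 1 = dark module, 0 = light background.
function binarise(gray, threshold) {
  return Array.from(gray, v => (v <= threshold ? 1 : 0));
}

// Collapse a binary row into alternating runs: [{ dark, start, len }, ...].
function runLengths(row) {
  const runs = [];
  for (let x = 0; x < row.length; x++) {
    const dark = row[x] === 1;
    const last = runs[runs.length - 1];
    if (last && last.dark === dark) last.len++;
    else runs.push({ dark, start: x, len: 1 });
  }
  return runs;
}

// Five consecutive run lengths (dark, light, dark, light, dark) match a finder
// pattern when each is within half a module of the ideal 1:1:3:1:1 proportions.
function isFinderRatio(lens) {
  const total = lens.reduce((a, b) => a + b, 0);
  if (total < 7) return false;         // a pattern spans at least 7 pixels
  const unit = total / 7;              // estimated module size
  const tol = unit / 2;                // assumed tolerance: half a module
  const ideal = [1, 1, 3, 1, 1];
  return lens.every((len, i) => Math.abs(len - ideal[i] * unit) < tol);
}

// Scan one binary row and return every finder-pattern candidate with its
// start column and the module size implied by the run widths.
function findFinderCandidates(row) {
  const runs = runLengths(row);
  const out = [];
  for (let i = 0; i + 4 < runs.length; i++) {
    if (!runs[i].dark) continue;       // a candidate starts on a dark run
    const lens = runs.slice(i, i + 5).map(r => r.len);
    if (isFinderRatio(lens)) {
      out.push({ start: runs[i].start, moduleSize: lens.reduce((a, b) => a + b, 0) / 7 });
    }
  }
  return out;
}

// Constructed sample row (module width 3 px, light ~220, dark ~30, with a little
// noise): 6 light, then a finder pattern (3 dark, 3 light, 9 dark, 3 light,
// 3 dark), 6 light, a 1:1:1 stripe that must NOT match, and 6 light.
const SAMPLE_ROW = [
  220, 220, 200, 220, 220, 220,
  30, 30, 30,            220, 220, 220,
  30, 45, 30, 30, 30, 30, 30, 30, 30,
  220, 235, 220,         30, 30, 20,
  220, 220, 220, 220, 220, 220,
  30, 30, 30, 220, 220, 220, 30, 30, 30,
  220, 220, 220, 220, 220, 220,
];

// Full pipeline for the sample row: threshold, binarise, locate candidates.
function decodeSampleRow() {
  const t = otsuThreshold(SAMPLE_ROW);
  return { threshold: t, candidates: findFinderCandidates(binarise(SAMPLE_ROW, t)) };
}
```

On the sample row the scan reports a single candidate starting at column 6 with a module size of 3; the 1:1:1 stripe later in the row is rejected by the ratio test. In the real decoder the same test is run along rows and columns and the three surviving candidates are cross-checked before the grid is sampled.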
Second, that payload is scored against phishing heuristics. A URL is parsed and
checked for: a raw IP host, punycode or other non-ASCII homoglyph characters that
impersonate real brands, abused top-level domains, URL shorteners that hide the
real target, embedded user:pass@ credentials, sensitive keywords like login
or payment, insecure http, and excessive length or percent-encoding.
Worked example
Imagine a QR sticker on a parking meter that decodes to:
http://pay-parking-secure.xn--80ak6aa92e.top/login?ref=meter42
The inspector would flag several danger and caution signals at once: insecure
http, a punycode label (xn--…, a homoglyph trick), the frequently-abused
.top TLD, and the keyword login. Any one of these is a reason to stop; all
four together is a near-certain scam. A legitimate council parking link would
typically be a plain https:// address on a recognisable government domain with
none of these traits.
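The heuristic checks listed under "How it works", run over the parking-meter URL of this worked example, as an added JavaScript example that is not the inspector's own code. The rule names, the severity assigned to each rule, and the TLD, shortener and keyword lists are illustrative assumptions rather than the tool's real data; it relies on the platform URL parser, so it runs unchanged in a browser or in Node.

```javascript
// Added example (not the inspector's code): phishing heuristics over a decoded
// QR payload. The lists and severities below are assumptions for illustration.

const ABUSED_TLDS = new Set(['top', 'xyz', 'tk', 'ml', 'ga', 'cf', 'gq', 'zip', 'mov', 'click']);
const SHORTENERS = new Set(['bit.ly', 'tinyurl.com', 't.co', 'goo.gl', 'is.gd', 'ow.ly']);
const SENSITIVE_WORDS = ['login', 'signin', 'verify', 'secure', 'account', 'password', 'payment', 'wallet', 'bank'];

// Report the payload kind first, so a Wi-Fi, tel: or mailto: code is named
// rather than silently treated as text.
function classifyPayload(text) {
  const s = text.trim();
  if (/^https?:\/\//i.test(s)) return 'url';
  if (/^wifi:/i.test(s)) return 'wifi';
  if (/^tel:/i.test(s)) return 'tel';
  if (/^mailto:/i.test(s)) return 'mailto';
  return 'text';
}

// Score one URL. Returns { verdict, findings }, each finding being
// { level: 'danger' | 'caution', rule, detail }.
function inspectUrl(raw) {
  const findings = [];
  const add = (level, rule, detail) => findings.push({ level, rule, detail });
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { verdict: 'danger', findings: [{ level: 'danger', rule: 'unparseable', detail: raw }] };
  }
  const host = url.hostname;
  const labels = host.split('.');
  const tld = labels[labels.length - 1];

  if (url.protocol === 'http:') add('caution', 'insecure-http', 'no TLS: destination and content can be altered in transit');
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[')) add('danger', 'raw-ip-host', host);
  // The parser normalises Unicode hosts to punycode, so check the ASCII form
  // for xn-- labels and the raw string for non-ASCII characters.
  if (labels.some(l => l.startsWith('xn--')) || /[^\x00-\x7F]/.test(raw)) add('danger', 'punycode-or-non-ascii-host', host);
  if (ABUSED_TLDS.has(tld)) add('caution', 'abused-tld', '.' + tld);
  if (SHORTENERS.has(host)) add('caution', 'url-shortener', host);
  if (url.username || url.password) add('danger', 'embedded-credentials', url.username + (url.password ? ':***' : '') + '@');
  const hay = (host + url.pathname + url.search).toLowerCase();
  const words = SENSITIVE_WORDS.filter(w => hay.includes(w));
  if (words.length) add('caution', 'sensitive-keywords', words.join(', '));
  const escapes = (raw.match(/%[0-9a-f]{2}/gi) || []).length;
  if (raw.length > 120 || escapes > 5) add('caution', 'length-or-encoding', raw.length + ' chars, ' + escapes + ' percent-escapes');

  let verdict = 'low risk';
  if (findings.some(f => f.level === 'danger')) verdict = 'danger';
  else if (findings.length > 0) verdict = 'caution';
  return { verdict, findings };
}

// Entry point: classify, then score only URL payloads.
function inspectPayload(text) {
  const kind = classifyPayload(text);
  if (kind !== 'url') return { kind, verdict: 'n/a', findings: [] };
  return Object.assign({ kind }, inspectUrl(text.trim()));
}

// Constructed sample inputs: the parking-meter URL from the worked example,
// a clean-looking government address, and a Wi-Fi configuration payload.
const SAMPLE_SCAM = 'http://pay-parking-secure.xn--80ak6aa92e.top/login?ref=meter42';
const SAMPLE_CLEAN = 'https://www.example.gov/parking';
const SAMPLE_WIFI = 'WIFI:T:WPA;S:cafe;P:constructed-secret;;';
```

For SAMPLE_SCAM the verdict is "danger" with four findings: insecure-http, punycode-or-non-ascii-host, abused-tld and sensitive-keywords (the keyword rule catches both "login" in the path and "secure" in the host). SAMPLE_CLEAN trips nothing and is reported as "low risk", which, as the tips below say, is a prompt to think rather than proof; the Wi-Fi payload is reported by kind and not scored.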
Tips and limitations
- Crop tightly to the code and prefer a flat screenshot over an angled photo — perspective distortion is the most common reason decoding fails.
- A “low risk” verdict is a prompt to think, not proof of safety. A skilled attacker can register a clean-looking domain that trips none of the rules.
- For non-URL payloads (Wi-Fi credentials, tel:, mailto:, plain text) the tool tells you what kind of payload it is so you are not caught out by a code that silently changes a phone setting.
- If you are at all unsure, ignore the QR code entirely and type the organisation’s known web address into your browser by hand.