You scan QR codes
reflexively — everyone does.
That’s why
the fake ones work.

Canary unpacks and scores every QR code before it touches your device — giving you control over how, or if you want to proceed.

An iPhone camera detecting a QR code; the only information it shows is a 'tinyurl.com' tag.

Canary showing the same shortened link resolves to a known phishing site, marked DANGER, with the reasons listed.

What you see… versus what you get

Your camera reads the QR code.
Canary reads between the lines.

A QR code is not just an image. It’s a set of digital instructions for your phone. Your camera shows a short preview — a URL, a payment handle, or a network to join — and a button to continue.

But behind that button are instructions your phone blindly follows: open this link, send this payment, join this network. Encoded QR data can trigger dozens of integrations with your phone. You’re trusting a square with dots you can’t read.

That’s the part hijackers count on — a fake sticker over a real QR, a short link that hides the final destination, a payment code pointing at the wrong wallet. Before you know it, your device has acted and you’re screwed.

Scammers are slapping fake QR codes on parking meters and mailing them on unexpected packages.

U.S. Federal Trade Commission, consumer alerts

QR-code phishing — now on the EU’s official threat radar.

ENISA, Threat Landscape 2025

Your iPhone barely tells you anything.
Canary gives you the full readout.

iPhone camera detecting the QR — it only offers to open tinyurl.com in Safari

Canary’s detail: this shortened link hides a dangerous destination — phishing site confirmed, unencrypted connection, redirects to another site

iPhone camera detecting the QR — it only offers to open an “ethereum” link

Canary’s detail: verify the recipient address before proceeding; irreversible payment; recipient address revealed

iPhone camera detecting the QR — it only shows en.wikipedia.org

Canary’s detail: this URL looks normal and wasn’t flagged by Google; 2 trackers removed; HTTPS encrypted

Canary understands all QR data types and assesses each integration instruction. It runs its own checks on-device and queries live reputation databases, so it catches new scams or exploits as they emerge.

Canary checks every QR code for:

Phishing & fraudulent websites
Sites flagged for malware
Links that hide their destination
Trackers hidden in the content
Premium-rate phone numbers
Scam & premium-rate texts
“One-ring” callback scams
Insecure or open Wi-Fi networks
Crypto transfer requests
Look-alike brand impersonation
Contacts or scheduling requests
Invoices & payment requests

Every scan ends in a badge.

SAFE CONFIRM DANGER

Plus all the context you need to make the right decision — the real destination, the flags it found,
and what it means in plain language.

Canary is free on the App Store — no signup, no user tracking, no advertising.

And Canary checks on the QR code, not on you.

Canary was built by people who don’t want to be tracked either. Your scans aren’t tied to your name, your email, or any identity — Canary never asks for them. All of Canary’s network checks — scoring and validation alike — run through our own servers, so your phone never connects directly to whatever is being checked. The only data we keep is anonymous stats and threat types — never the contents of what you scan.

Read the privacy policy →

You scan QR codesreflexively — everyone does.That’s whythe fake ones work.

Your camera reads the QR code.Canary reads between the lines.