Quishing defender · QR + URL + shortener safety

Don't trust a QR until it's been cleared.

A QR code is a stranger handing you an envelope. Same goes for any short URL, a bit.ly, a t.co, or a link in a DM. Open it without checking and you can land on a credential-phishing page, an open WiFi trap, a wallet-drainer transaction, or an Android intent that sideloads malware. We trace the chain, screen the destination, and tell you who can change it after the QR was printed, the question that decides whether a parking-meter sticker, a forwarded short URL, a restaurant menu, or a corporate MFA flyer is actually safe.

No signup, no account · Payload never persisted · Camera decoding stays local · Mac, Windows, iOS, Android apps soon

Scan a QR code using your camera, upload an image, paste an image, or paste decoded text.

Camera and image decoding happen in your browser. Only the decoded text is sent to our analyzer.


See it in action

Tap "Try this scan" to run it here, or point your phone camera at the QR; it routes through our scanner and the verdict shows up on your phone. No need to visit anything first.

A direct HTTPS link to a first-party Abundera site. No shorteners, no redirects. Best-case verdict: Cleared with static mutability and a low destination-server-mutability floor.

https://qr.abundera.ai/


How it works

  1. Decode

     Your browser decodes the QR locally (jsQR). The image never leaves your device. We only see the textual payload.

  2. Dispatch

     The payload is classified by URI scheme, structured-format prefix, or content heuristic into one of 48 analyzer categories that together recognize 222 payload variants: HTTP URL (with dozens of host-specific recognizers), WiFi, vCard, telephony, mail, Android intent, cryptocurrency, content-addressed, inline data, calendar, geo, Bluetooth pairing, Matter onboarding, EMV merchant payment (PIX, PayNow, PromptPay, UPI, & 30+ country schemes), WireGuard config, Smart Health Card, eSIM activation, WalletConnect pairing, FIDO passkey hybrid, hard-blocked scheme, or plain text. Each category goes to its dedicated analyzer.

  3. Trace + classify

     For HTTP URLs, we trace the redirect chain through indirection services (Bitly, Linktree, QR Tiger, & ~80 others), record per-hop intermediaries, classify mutability (static / dynamic-single / dynamic-chained / ad-interstitial / cyclic), and attribute control to each indirection-service operator. In parallel we screen the destination against Google Safe Browsing and URLhaus.

  4. Unify

     We compose a single verdict shape that's invariant across payload types: threat_class, mutability, chain, attribution, sub_payloads, plain-language disclosure. Sub-payloads embedded in a parent (URLs in a vCard NOTE field, SSIDs containing a link, etc.) are recursively dispatched.

What we catch that URL-only tools miss

URL-class threat scanners cover one of 48 payload categories a QR can carry, and a single recognizer inside the URL category at that. We recognize 222 payload variants across all 48. A taste below; the full list and Tier 2 roadmap are on the coverage page.

Redirect chain & mutability

Trace every hop. Detect Bitly + Linktree chains. Identify indirection-service operators. Surface the parties who can change the destination after print.

WiFi config QRs

SSID + encryption parsed and normalized. Open / weak-WEP / hidden networks flagged. Confusables-decoded so look-alike SSIDs surface in the result.

Crypto wallet drainers

Per-chain address format + checksum validation. EVM function-selector detection (approve, setApprovalForAll, permit). Chainabuse reputation.

Matter smart-home commissioning

Decode MT: base-38 onboarding payloads. Extract vendor ID + product ID. Surface the "this enrolls a device into your home network" framing so a swapped sticker can't quietly join an attacker fabric.

EMV merchant-QR payment swap

Parse EMVCo MPM / CPM payloads (SGQR, PromptPay, PayNow, DuitNow, UPI). CRC validation plus merchant-name surfacing catches the sticker-swap attack, the highest-volume QR fraud globally.
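The EMV parse-and-check step above, as an added Python example that is not the product's code: a minimal ID/LEN/VALUE parser, CRC-16/CCITT-FALSE over the payload up to and including the "6304" tag header as EMVCo specifies, and the merchant fields surfaced beside the checksum. The sample payload is constructed and the merchant is fictional.

```python
# Constructed EMVCo merchant-presented (MPM) payload, not a real merchant. Tags used:
# 00 format, 01 point of initiation, 52 MCC, 53 currency, 58 country, 59 merchant name,
# 60 city, 63 CRC (CRC-16/CCITT-FALSE over everything up to and including "6304").
def crc16_ccitt_false(data: bytes) -> int:
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def parse_tlv(payload: str) -> dict:
    """Split an ID(2) LEN(2) VALUE stream into {tag: value}; reject truncated fields."""
    fields, i = {}, 0
    while i < len(payload):
        tag, length = payload[i:i + 2], int(payload[i + 2:i + 4])
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag}")
        fields[tag] = value
        i += 4 + length
    return fields

def build(fields) -> str:
    """Serialise (tag, value) pairs and append the CRC tag the way a legitimate generator does."""
    body = "".join(f"{tag}{len(value):02d}{value}" for tag, value in fields) + "6304"
    return body + f"{crc16_ccitt_false(body.encode()):04X}"

def inspect_payment(payload: str) -> dict:
    """Validate the trailing CRC and surface the fields a payer should compare at the counter."""
    fields = parse_tlv(payload)
    expected = crc16_ccitt_false(payload[:-4].encode())
    return {"crc_ok": fields.get("63", "").upper() == f"{expected:04X}",
            "merchant": fields.get("59"), "city": fields.get("60"), "country": fields.get("58")}

SAMPLE = build([("00", "01"), ("01", "11"), ("52", "5812"), ("53", "702"),
                ("58", "SG"), ("59", "Kopi Corner"), ("60", "Singapore")])
# An in-place edit of the merchant name (same length, so the TLV still parses) breaks the CRC.
# A sticker regenerated from scratch by the attacker carries a valid CRC, which is why the
# merchant name and country are surfaced for the payer to check and not only the checksum.
TAMPERED = SAMPLE.replace("Kopi Corner", "Evil Corner")
```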

QR-login account hijack

Recognize WhatsApp Web, Telegram, Signal, Microsoft 365, Google, GitHub, and AWS device-code QR-login endpoints. Warn that scanning grants whoever generated the QR access to your account.


A clean QR today, a phishing page tomorrow

Once a QR is printed on a sticker, a menu, or a flyer, you can't un-print it. So the verdict that matters isn't just "is the link safe now," it's "who can change where this points after the ink dried." That's mutability.

Static QR

walmart.com encoded directly into the QR matrix

The destination lives in the dot pattern itself. No third party can rewrite where it goes. What you scan today is what you'll scan a year from now.

Dynamic QR (the risk)

aqr.net/demo-walmart → some shortener → walmart.com

The QR encodes a shortener URL; the shortener's account holder picks the destination at scan time and can swap it in 30 seconds. Clean today, phishing tomorrow, same physical sticker. We surface the chain, name the indirection-service operator, and tell you whether the printed asset is on a leash.
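The dispatch, redirect trace and mutability classification from the How-it-works steps, applied to the static-versus-dynamic contrast just described, as an added Python example that is not the product's code. The indirection-operator table and the redirect map are constructed stand-ins for live HTTP 30x hops; the ad-interstitial class and reputation screening are not modeled.

```python
from urllib.parse import urlsplit

# Constructed stand-ins (not the product's data): indirection host -> operator, and an
# offline redirect table playing the role of live HTTP 30x responses.
INDIRECTION = {"bit.ly": "Bitly", "linktr.ee": "Linktree", "aqr.net": "aqr.net operator"}
REDIRECTS = {
    "https://bit.ly/menu": "https://linktr.ee/cafe",          # shortener -> link hub -> brand
    "https://linktr.ee/cafe": "https://walmart.com/",
    "https://aqr.net/demo-walmart": "https://walmart.com/",   # single shortener hop
    "https://aqr.net/loop": "https://bit.ly/loop",            # two shorteners pointing at each other
    "https://bit.ly/loop": "https://aqr.net/loop",
}
PREFIXES = [("WIFI:", "wifi"), ("BEGIN:VCARD", "vcard"), ("MT:", "matter"),
            ("http://", "http_url"), ("https://", "http_url"), ("tel:", "telephony"),
            ("mailto:", "mail"), ("intent:", "android_intent"), ("bitcoin:", "cryptocurrency")]

def dispatch(payload: str) -> str:
    """Route a decoded payload to an analyzer category by scheme or structured prefix."""
    upper = payload.upper()
    for prefix, category in PREFIXES:
        if upper.startswith(prefix.upper()):
            return category
    return "plain_text"

def trace(url: str, max_hops: int = 10) -> dict:
    """Walk the redirect table, recording each hop and who controls the indirection hops."""
    chain, seen, cyclic = [url], {url}, False
    while url in REDIRECTS and len(chain) <= max_hops:
        url = REDIRECTS[url]
        if url in seen:            # a hop we already visited: the chain never terminates
            cyclic = True
            break
        seen.add(url)
        chain.append(url)
    operators = [INDIRECTION[h] for h in (urlsplit(u).hostname for u in chain) if h in INDIRECTION]
    if cyclic:
        mutability = "cyclic"
    elif not operators:            # destination lives in the QR itself: nobody can repoint it
        mutability = "static"
    elif len(operators) == 1:
        mutability = "dynamic-single"
    else:
        mutability = "dynamic-chained"
    return {"mutability": mutability, "chain": chain, "attribution": operators}

def verdict(payload: str) -> dict:
    """Verdict shape shared by every payload type; only HTTP URLs get a redirect trace."""
    category = dispatch(payload)
    result = {"category": category, "mutability": "static", "chain": [], "attribution": []}
    if category == "http_url":
        result.update(trace(payload))
    return result
```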

Pricing

Free for personal use, no signup. Paid plans for individuals, families, teams, brands, and enterprise rollouts.

Founding member · Your rate. Locked. Forever. Save 34% off paid tiers (annual billing), available through September 1, 2026.


Native apps coming soon

Same engine, native on macOS, Windows, Linux, iOS, and Android. Camera scan stays on-device; classification goes to the same endpoint. abundera.app →

Questions

What is quishing?

Quishing is QR-code phishing: an attacker prints, stickers, emails, or DMs a QR code that, when scanned, opens a credential-harvesting page, a wallet-drainer transaction, an open WiFi trap, or an Android intent that sideloads malware. The QR itself is just an image, so email-link filters and browser warnings never see it until the victim's phone has already opened the destination. The defense has to happen at scan time, before the phone follows the link.

How is quishing different from regular phishing?

Three differences. First, the attack vector is physical or visual (a sticker over a parking-meter QR, a printed flyer impersonating an MFA enrollment, a restaurant menu QR replaced overnight), so it bypasses email gateways entirely. Second, victims trust QR codes more than they trust links in email; a QR feels like a destination chosen by whoever printed the surface. Third, dynamic QR codes that route through a shortener can be repointed at a phishing destination after the printed asset has been distributed, so a QR that was safe at print time can become hostile months later. Static link-scanners answer "is this URL malicious right now", not "who can change where this points".

How do I check a QR code is safe before scanning?

Don't point your phone's native camera at it; that opens the destination immediately. Instead, open check.qr.abundera.ai on your phone, scan the QR through the in-page camera (decoding happens locally; the image never leaves your device), and read the verdict. We walk every redirect hop, classify whether the destination can be changed by a third party after the QR was printed, and check reputation against Google Safe Browsing and other aggregators. Cleared verdicts are safe to open; Caution and Do not proceed verdicts tell you why.

What are real-world quishing examples?

Parking-meter and EV-charger stickers that overlay the legitimate QR with one pointing to a credit-card-harvesting page, the most-reported pattern of 2024-2025, observed in Austin, San Antonio, and across the UK. Restaurant menu QRs swapped to phishing pages overnight by an attacker physically replacing the table tent. Corporate MFA-enrollment flyers in office bathrooms that look official but enroll the attacker's device. Wedding-invitation QRs distributed months before the event, where a shortener-account compromise lets an attacker repoint thousands of printed cards. Crypto-payment QRs at point-of-sale terminals overlaid with the attacker's wallet address. The common thread: the printed QR looks identical to the safe one.

How is this different from Google Safe Browsing or VirusTotal?

Existing tools classify whether a URL is currently malicious. We additionally classify whether the destination is controllable by a third party after the QR was printed, a property we call mutability. A clean dynamic QR routed through a shortener is still high-risk for a parking-meter sticker or wedding invitation: the shortener account holder can change the destination at any time. We surface this control-posture as a first-class verdict field alongside the threat-content verdict.

Do you store the QR I scanned?

No. The decoded payload travels to our server over HTTPS so we can walk the chain and query reputation databases (a functional necessity, not a choice), but it is never persisted. Verdicts are cached under a SHA-256 hash of a per-payload-type discriminator concatenated with a server-held secret salt, so the original payload cannot be reconstructed from any cache entry.

Why a separate domain from qr.abundera.ai?

qr.abundera.ai is a generator that promises everything-client-side: nothing leaves your device. This safety checker transmits the decoded payload to the server by necessity. We separate the two surfaces so the client-only promise stays clean on the generator domain, and the inverted-privacy-model surface stays clearly labeled here.

What's the mutation alert feature?

Pro tier. Submit a QR for tracking and we re-walk the chain on a periodic cadence, emailing you when the redirect targets, the terminal destination, or the set of indirection-service operators changes. This catches the most common quishing-in-the-wild pattern: print a clean QR, switch the destination to phishing months later, and harvest scans from the printed asset.

Can I embed this in my security product?

Yes, on the Pro tier. The API is RESTful and returns a structured JSON verdict with payload type, threat class, mutability, redirect chain, per-hop control attribution, and sub-payload findings. It is designed for embedding in wallet apps, mobile security suites, enterprise URL filtering, and corporate Slack / Teams link-preview enrichers.

Open-source?

Not at this time. The classifier is closed-source while the underlying patent work is in prosecution. We may publish reference implementations of disclosed algorithms after grant. The API contract is public and stable.