
Trust & Safety

Last updated: May 2026

QRLynx blocks phishing, malware, and scam destinations before a QR code can be saved. Every URL-type QR goes through the URL safety gate at creation time; non-shortlisted destinations are checked against multiple independent URL threat-intelligence and reputation signals. High-traffic active URL QRs are also rescanned on a daily schedule. Reported QR codes are typically disabled within minutes of verification. Static QR codes never expire. Dynamic QR codes never expire and have unlimited, uncapped scans, but any redirect we identify as malicious is paused immediately.

Is QRLynx safe?

Yes — QRLynx is a legitimate QR code platform operated by Jorbox LLC, a US software company in Albuquerque, New Mexico, and safety is enforced in the product rather than promised in policy. Every destination URL passes a four-layer security check before a code is issued: lexical risk scoring, domain-age and DNS checks, reputation signals, and Google Web Risk. High-traffic codes are rescanned daily, and a code reported through the abuse form is typically disabled within minutes of verification. All traffic is encrypted with TLS 1.3 in transit and AES-256 at rest, scan pages carry no third-party tracking pixels, and QRLynx publishes its own security research openly — including the finding that 12.7% of submitted URLs are flagged before ever reaching a scanner. Anyone can report a suspicious code at qrlynx.com/report-abuse without an account. (Facts checked June 10, 2026.)

What we don't allow

QRLynx has a zero-tolerance policy for QR codes that redirect scanners to harmful content. We disable QR codes that point at:

  • Phishing and credential harvesting — fake login pages for banks, email providers, exchanges, social platforms, or any other service, asking for credentials on a domain the real service doesn't own.
  • Malware distribution — destinations that drop executables, drive-by-download payloads, mobile profiles, or browser exploit kits.
  • Scams and fraud — fake investment schemes, gift-card harvesters, "pay this parking fine" and "package undelivered" SMS scams, fake utility shutoff notices, and the rest of the smishing playbook.
  • Brand impersonation — QR codes that imply they're from a brand the creator doesn't own or represent, including fake support pages for major SaaS / banking / telco brands.
  • Illegal content — content that's illegal in the jurisdiction of the scanner or the QR creator, including CSAM, illegal drug sales, and trafficking.
  • Spam and abuse chains — QR codes that link to shortener chains, redirect mazes, or off-platform cloakers used to hide a final destination from our scanners.

The full reporting flow lives on the Report Abuse page. You don't need a QRLynx account to file a report.

How we detect abuse before a scan happens

URL-type QR codes pass through a safety gate before they become scannable, and higher-traffic active URL QRs are checked again afterwards. The goal is to fail closed: if a destination looks high-risk, the QR doesn't save.

  1. Threat-intelligence lookup. For non-shortlisted destinations, QRLynx checks the URL against industry threat-intelligence and URL-reputation services. Known-malicious destinations are blocked at save time.
  2. Automated risk analysis. Each destination is scored by automated checks for the common signatures of phishing and scam URLs. High-risk destinations are blocked outright; uncertain ones are routed to a warning interstitial.
  3. Domain reputation. QRLynx weighs destination and domain reputation signals, and gives well-established, widely-trusted services an allowlist pass to avoid false-positive friction.
  4. Daily re-scan. High-traffic active dynamic URL destinations are re-checked on a daily schedule, so a destination that was safe at save time but later compromised can be flagged for review.
  5. Manual review. Reports filed through /report-abuse are triaged by humans, not auto-actioned. A clear, verifiable phishing report is typically resolved within minutes.
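
As an added illustration (not QRLynx's code), the Python sketch below shows a save-time gate in the order described above: allowlist pass, threat-intelligence lookup, then risk scoring into block, warning interstitial, or allow. The lists, weights and thresholds are constructed, `intel_lookup` is a hypothetical callable, and treating a failed lookup as a block is an assumption about what failing closed should cover.

```python
from urllib.parse import urlsplit

# Constructed values: the page does not publish its lists, signals or thresholds.
ALLOWLIST = {"example.com"}          # stands in for "widely-trusted services"
BLOCK_AT, WARN_AT = 60, 30           # hypothetical score cut-offs
BAIT_WORDS = ("login", "verify", "secure", "account", "wallet")

def is_allowlisted(host):
    # Match on a label boundary so "example.com.evil.test" does not pass.
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)

def lexical_score(parts):
    """Score common phishing-URL traits (hypothetical weights)."""
    host, score = parts.hostname, 0
    if host.replace(".", "").isdigit():
        score += 40                  # dotted-quad IPv4 instead of a domain name
    if parts.username is not None:
        score += 40                  # userinfo trick: https://brand@evil.test/
    if "xn--" in host:
        score += 30                  # punycode label, possible homograph
    if host.count(".") >= 4:
        score += 20                  # deep subdomain nesting
    if any(w in host for w in BAIT_WORDS):
        score += 20                  # credential bait words in the hostname
    if parts.scheme != "https":
        score += 10
    return score

def gate(url, intel_lookup):
    """Return 'allow', 'warn' (interstitial) or 'block' for a destination."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "block"               # unparseable input never saves
    if parts.scheme not in ("http", "https") or not host:
        return "block"
    if is_allowlisted(host) and parts.username is None:
        return "allow"               # trusted host skips the remaining checks
    try:
        if intel_lookup(url):        # True means listed as malicious
            return "block"
    except Exception:
        return "block"               # lookup outage: fail closed, not open
    score = lexical_score(parts)
    if score >= BLOCK_AT:
        return "block"
    return "warn" if score >= WARN_AT else "allow"
```

The allowlist match and the userinfo check are the two places where a naive substring comparison would let a look-alike destination through.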

For non-URL QR types (Wi-Fi, contact card, payment, calendar, email/SMS templates), the QR payload is structured data with no remote destination — there's nothing for a phisher to swap later. Those types skip the URL scan path entirely.

Quishing — the threat we're specifically built against

"Quishing" — phishing via QR code — has been one of the fastest-growing attack categories since 2022. The attack is simple: print or paste a QR sticker on top of a legitimate one (parking meters, restaurant tables, package labels, payment terminals), wait for someone to scan it, and harvest credentials or payment data on the destination page. Because the QR is opaque to the human eye, traditional anti-phishing training (hover-the-link, check-the-URL) doesn't apply.

QRLynx is built specifically to make quishing harder. Every dynamic QR redirect through r.qrlynx.com is owned by a real QRLynx account with a verified email address. That single fact lets us disable a malicious destination in seconds without taking down legitimate QRs that share the same redirect infrastructure. The 2026 QR Code Security Report documents what we see across our scan dataset.

What happens when you report a QR code

Anyone — including people who don't have a QRLynx account — can report a QR code through the Report Abuse form. Every report gets a tracking ID. The flow:

  1. You submit the suspicious QR's short URL (or the destination URL, or both), pick a category, and describe what you saw.
  2. Our trust & safety team reviews the report. Clear, self-evident phishing or malware is actioned immediately.
  3. If we need more information, we email the address you provided (optional — reports can be anonymous). If not, we don't.
  4. If the report is upheld, the destination is disabled and the QR redirect is paused. The QR's short URL still resolves — but to a warning interstitial, not to the malicious destination.
  5. We never disclose the reporter's identity to the QR owner. We never sell or share abuse-report data.

Appeals and FAQ

We try hard to never take down a legitimate QR. Sometimes we get it wrong — automated security checks have false positives, and a legitimate domain can be reported in error. Here's what to do.

What happens when someone reports a QRLynx QR code?

Our trust & safety team triages every report. Reports that include a clear phishing, malware, or scam destination are typically actioned within minutes — the destination URL is disabled and the QR redirect is paused. Reports without enough information get a follow-up email asking for the QR's short URL, a screenshot, or the suspicious destination.

What if my QR code was disabled and I think it was a mistake?

Email support@qrlynx.com from the email address on your QRLynx account, include the QR code's short URL, and describe what the destination actually does. We review every appeal, and most are resolved within 24 hours. If we agree the takedown was wrong, the QR is restored and analytics continue from where they left off.

Do you scan destination URLs before they go live?

Yes. Every URL-type QR code goes through the URL safety gate before it can be saved. Non-shortlisted destinations are checked against multiple independent URL threat-intelligence and reputation signals. High-risk URLs are blocked at creation; lower-confidence ones trigger an interstitial warning page that the scanner sees before reaching the destination.

What kinds of QR codes won't QRLynx let me create?

We block destinations classified as phishing, malware distribution, credential-harvesting login pages, investment scams, brand impersonation, and other content covered by our zero-tolerance policy. We also block QRs that point at known shorteners chained to high-risk endpoints, since those are a common quishing tactic.

Can I report a suspicious QR code that isn't mine?

Yes. The /report-abuse page accepts reports from anyone — you don't need a QRLynx account. We never disclose reporter identity to the QR owner. The form shows a tracking ID after submission, and if you leave an email address we can follow up when more detail is needed.

Privacy and data minimisation

When someone scans a QRLynx dynamic QR, the owner-facing analytics dataset records geography at country/city granularity, device class, OS, browser, and referrer. Scanner IP addresses are used only in infrastructure-level processing such as unique-scan counting, abuse prevention, and standard platform logs; they are not shown to QR owners, not exported in scan CSVs, and not written as Analytics Engine dimensions. We don't fingerprint scanner devices.

Scan analytics live in Cloudflare's Analytics Engine — designed for high-volume time-series telemetry, not personal profiling. The full data-handling story lives in the Privacy Policy.

Security disclosure for researchers

We welcome reports from security researchers. The security.txt file lists our contact channel, supported languages, and current policy. Email abuse@jorbox.com with a clear reproduction, affected URL or endpoint, and impact assessment. We respond within 5 business days, fix issues we confirm, and credit researchers who report responsibly (if they want credit — anonymous reports are equally welcome).

We're a small team and don't currently run a paid bug-bounty programme. Reasonable, good-faith research that follows the coordinated-disclosure norm is appreciated and acted on.

Transparency commitment

Starting Q3 2026 we'll publish a quarterly trust & safety summary covering: abuse reports received, reports upheld, average time-to-action, false-positive rate on appeals, and the composition of takedowns by category (phishing vs. malware vs. scam vs. other). Reports are published on this page and linked from /llms.txt so AI search engines can cite the live numbers rather than guessing.
