eSafety 101
Start here · Digital safety basics · Part 6

Links, Attachments and QR Codes: Why You Should Be Careful

Quick read

For everyone

Main point

Main point: be careful before you click a link, open an attachment, or scan a QR code.

Links, attachments, and QR codes are common ways scammers move you from a message into the next step of a scam.

They may lead to:

  • Fake login pages
  • Fake payment pages
  • Malicious downloads
  • Forms asking for personal information
  • Websites that look like real companies
  • Requests to approve a sign-in or share a security code

If a message is unexpected, pause before opening anything.

If the message is expected but involves money, bank details, identity documents, passwords, or account access, verify separately before acting.

A safer habit: instead of clicking the link, open the app directly or type the website address yourself.

A little deeper

For curious readers

Context

In the earlier articles, we looked at pausing, why scams work on smart people, what scammers usually want, the emotional triggers they use, and why important requests should be verified separately.

Links, attachments, and QR codes are often the bridge between the scam message and the scam action.

A scammer might send a message that says your parcel is waiting, your account is locked, your payment failed, your invoice is ready, or your refund can be claimed.

The message may include a link, attachment, or QR code that seems like the easy next step.

That next step is where the risk often begins.

A link might take you to a fake website that copies a real bank, delivery company, government service, streaming service, or online store.

The website address may even look almost right. It might contain a small typo, an extra word, a different ending, or a character that looks similar to the real one.

An attachment might contain a fake invoice, fake receipt, fake form, or unsafe file.

A QR code might send you to a website without showing the destination clearly before you open it.

This does not mean every link, attachment, or QR code is dangerous. They are used safely every day.

The problem is that they can be used to hide where you are really going or what you are really opening.

A safer habit:

  • Be cautious with links in unexpected messages.
  • Be careful with attachments you were not expecting.
  • Treat QR codes like links, not magic shortcuts.
  • Do not enter passwords after clicking a suspicious link.
  • Do not enter card details or bank details unless you are sure the site is real.
  • Do not install software because a message, pop-up, or caller tells you to.
  • Use the official app or type the website address yourself where possible.

For a bank or important account: open the app directly instead of using the link.

For a delivery or order: go to the official website or app and check the tracking there.

For an invoice or document: confirm with the sender through a trusted contact method if anything feels unusual, especially if payment details are included.

For a QR code: check where it is taking you before entering any information. Be extra careful if the QR code was sent in a message, printed on a sticker, or placed somewhere public.

The safest option is not always to ignore links and attachments completely. The safest option is to avoid letting them control your next step.

When in doubt, find your own way to the website or service.

Technical notes

For confident users

Technical

Links, attachments, and QR codes are common delivery mechanisms for phishing, credential theft, malware, payment redirection, fake payment portals, and account takeover attempts.

A link can disguise the destination in several ways. The visible text may say one thing while the actual destination is different. The domain may look similar to a real brand. A shortened URL may hide the final destination. A compromised legitimate website may redirect to a malicious page.

Some fake domains are designed to look almost identical to real ones. They may use small spelling changes, extra words, or different endings. These are sometimes called lookalike domains.

A more technical version of this uses characters from other alphabets that look similar to normal letters.

Credential phishing often uses links to send people to fake login pages. These pages may copy the branding, layout, and wording of a real service. The goal is to collect usernames, passwords, multi-factor authentication codes, or session-related information.

Attachments can be used to create trust or deliver risk. Some attachments are simply fake documents that ask the reader to pay, call, or click a link. Others may contain malicious scripts, macros, embedded links, or files designed to exploit software weaknesses.

QR codes are effectively links in image form. They can be useful, but they reduce visibility because the destination is not always obvious before scanning. Attackers can use QR codes in emails, posters, parking meters, restaurant menus, fake notices, or stickers placed over legitimate codes.
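The disguises described above can be checked mechanically once you have the real destination, whether it comes from a link or from a decoded QR code. The sketch below is an added example, not part of the original article: the trusted domain, the sample links, and the 0.85 similarity threshold are all assumptions chosen for illustration.

```python
import difflib
from urllib.parse import urlsplit

TRUSTED = {"examplebank.com"}                   # assumption: your known-good domains
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small sample, not a complete list

# Constructed samples: (visible text, real destination). Empty text = QR payload.
SAMPLES = [
    ("examplebank.com", "https://www.examplebank.com/help"),
    ("examplebank.com", "https://examplebank.com.account-check.example/login"),
    ("Sign in", "https://examp1ebank.com/login"),
    ("Sign in", "https://ex\u0430mplebank.com/login"),  # Cyrillic 'a' (U+0430)
    ("Track your parcel", "https://bit.ly/abc123"),
    ("", "https://examplebank-parking.example/pay"),
]

def host_of(value):
    """Lowercase hostname of a URL or bare domain ('' if it cannot be parsed)."""
    value = value.strip()
    try:
        return (urlsplit(value if "://" in value else "http://" + value).hostname or "").lower()
    except ValueError:
        return ""

def within(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def check_link(text, href, trusted=TRUSTED):
    """Return warning flags for one link: visible text plus real destination."""
    flags, host = [], host_of(href)
    # Visible text with a dot and no spaces is treated as a displayed address.
    shown = host_of(text) if "." in text and " " not in text.strip() else ""
    if shown and not within(host, shown):
        flags.append("text-shows-different-domain")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        flags.append("non-ascii-or-punycode-host")
    if host in SHORTENERS:
        flags.append("shortened-url")
    if not any(within(host, t) for t in trusted):
        for t in sorted(trusted):
            similar = difflib.SequenceMatcher(None, host, t).ratio() >= 0.85
            if similar or t.split(".")[0] in host:  # near-miss spelling or brand as extra word
                flags.append("lookalike-of-" + t)
    return flags

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(f"{href!r}: {check_link(text, href) or 'no flags'}")
```

An empty result only means none of these four checks fired; a compromised legitimate site that redirects elsewhere would pass all of them.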

Caution is especially important for high-risk actions, including:

  • Signing in after following a link.
  • Entering card details or bank details.
  • Downloading or installing software.
  • Opening unexpected attachments.
  • Approving sign-in requests.
  • Providing multi-factor authentication codes.
  • Uploading identity documents.
  • Paying an invoice or fee through a linked page.
  • Scanning QR codes in public places or unexpected messages.

A useful rule is to separate the message from the destination.

If a message tells you there is a problem and provides a link, attachment, or QR code to fix it, treat that path as untrusted until verified.

For important accounts, use a known-good path: a saved bookmark, the official app, a typed website address, or a trusted contact method.

Good security tools can help block some unsafe links and files, but they cannot make every decision for you. The safest habit is to pause, check the context, and avoid following a path supplied by a message you have not verified.
