Trust & Safety: How Our Abuse Detection System Works

An overview of QRBYT's anti-abuse platform — how we keep the QR Codes created on our platform safe to scan.

At QRBYT, we want to make the internet — and the physical spaces QR Codes inhabit — a safer place. QR Codes are designed to be frictionless: you scan one, and something happens. That immediacy is what makes them useful, and it's also what makes them exploitable. Unlike a URL you can hover over in an email, a QR Code reveals nothing about where it leads until your device has already begun navigating to it.

Our Trust & Safety efforts exist to close that gap. In this article, we'll walk through our anti-abuse platform — the lifecycle of a dynamic QR Code on our platform, the services and systems involved in evaluating its destination, and what happens when we determine a link isn't safe.

Our abuse detection service

Every destination URL behind a dynamic QR Code is evaluated by our abuse detection service. The service consults continuously updated industry threat intelligence — the same kind of data that powers safe browsing protections across billions of devices. It scans for several categories of abuse:

  • Phishing and social engineering — pages built to trick people into handing over passwords, payment details, or personal information.
  • Malware distribution — sites that host or trigger downloads of malicious software.
  • Unwanted software — pages that try to install programs without clear consent.

If a destination matches any of these categories, the QR Code is flagged and blocked immediately.

A QR Code's abuse status is our single source of truth for whether it's safe to redirect. This status is what gets checked every time someone scans one of our codes — and it's what determines whether you reach your destination or see a warning instead.

Automated detection and public reporting

Two sources contribute to setting a QR Code's abuse status.

The first is automated detection — the abuse detection service described above. Our scanners evaluate destination URLs against known threat databases and classify them based on the type of abuse involved. When a harmful URL is identified, the associated QR Code is blocked.

The second is public reporting. Automated detection catches a lot, but no system is perfect. Some malicious pages are too new to appear in threat databases. Others are designed to evade automated scanners — showing harmless content to bots while serving something dangerous to real users. To help close that gap, anyone — whether they use QRBYT or not — can submit a report through our abuse report form. We review every submission, evaluate the reported destination, and if we confirm it's harmful, the associated QR Code is blocked.

What happens when you scan a QR Code

This is the moment the entire system is built around. When you scan a dynamic QR Code created on QRBYT, your scanner opens a QRBYT link, and we check the abuse status before sending you anywhere.

If nothing is flagged, the journey ends quickly: you're redirected to the destination, and you can get on with whatever you scanned the code for.

If the QR Code has been blocked, you won't be redirected. Instead, you'll land on a warning page that explains the destination has been flagged — for example, due to phishing, malware distribution, or other policy violations. The harmful URL is never loaded on your device. The page also gives you a way to get in touch with us if you believe the block is a mistake.

A note on static QR Codes

The protections described in this article apply to dynamic QR Codes — those that redirect through our platform. Static QR Codes encode data directly into the pattern and don't pass through our redirect service, so there's no opportunity to intercept or block them.

Key takeaways

  • Every destination URL is evaluated against continuously updated industry threat intelligence — our abuse detection service scans for phishing, malware, and unwanted software
  • A QR Code's abuse status is the single source of truth for whether a redirect is safe — detected threats result in an immediate block
  • Blocked QR Codes show a warning page instead of redirecting — the harmful URL is never loaded on the user's device
  • Public reporting acts as a second layer, catching threats that automated scanning misses — anyone can submit a report
  • These protections apply to dynamic QR Codes only — static codes encode data directly and don't pass through our redirect service