Counterfeiting is big enough to have its own economy. The OECD and EUIPO put global trade in fake goods at roughly USD 467 billion — about 2.3% of world imports. Faced with that, most brands reach for the obvious tool: print a QR code on the packaging and call the product “verifiable.”

It feels like protection. It usually isn’t.

A QR code is just a link in disguise

An ordinary QR code encodes a web address. Anyone can photograph it, print the same pattern onto a fake, and it scans exactly like the real one — opening the same “you’re genuine” page. A counterfeiter doesn’t need to break anything. They copy the sticker.

Picture an accessory brand that prints one QR design across a whole product line. A grey-market factory copies it onto 50,000 fakes. Every one of them “verifies.” The code didn’t protect the brand — it handed the fakes a credibility badge.

Uniqueness beats secrecy

The fix isn’t a fancier or “encrypted”-looking code. It’s a unique, serialised identity for every single unit. When each item carries its own code, the system stops asking “does this code exist?” and starts asking “does this specific unit’s history look genuine?”

That one change turns a QR code from a decoration into evidence.

Let the scans do the detective work

Once every code is unique and every scan is logged — with signals like approximate location, time, and a device fingerprint — cloned codes expose themselves:

  • One identity scanned in many cities within a short window → likely cloned.
  • Far more scans than units ever produced → likely cloned.
  • A first scan on the customer’s own phone, near the point of sale → a healthy, genuine signal.

No single scan proves anything. The intelligence comes from patterns across many — which is only possible when codes are unique in the first place.
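The two clone patterns above, run over a scan log, as an added example that is not part of the original article or any vendor's code. The sample rows, field layout, thresholds and batch-level counting are assumptions chosen for illustration, and it uses only location and time, not the device fingerprint.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed meaning of "a short window"
MAX_CITIES = 2                # assumed: more distinct cities than this inside WINDOW is suspicious
VOLUME_FACTOR = 3             # assumed: scans above 3x units produced counts as "far more"

# Constructed scan log: (serial, batch, city, ISO timestamp)
SCANS = [
    ("SN-0001", "B1", "Milan",   "2024-05-01T10:00:00"),
    ("SN-0002", "B1", "Lyon",    "2024-05-01T11:00:00"),
    ("SN-0002", "B1", "Jakarta", "2024-05-01T12:30:00"),
    ("SN-0002", "B1", "Lagos",   "2024-05-01T15:00:00"),
    ("SN-0003", "B1", "Milan",   "2024-05-01T09:00:00"),  # owner travelling over weeks
    ("SN-0003", "B1", "Rome",    "2024-05-20T09:00:00"),
    ("SN-0003", "B1", "Paris",   "2024-06-15T09:00:00"),
] + [("SN-0100", "B2", "Osaka", f"2024-05-02T09:{m:02d}:00") for m in range(8)]
UNITS_PRODUCED = {"B1": 3, "B2": 2}  # constructed production counts per batch

def geo_spread_flags(scans):
    """Serials seen in more than MAX_CITIES distinct cities inside any WINDOW."""
    by_serial = defaultdict(list)
    for serial, _batch, city, ts in scans:
        by_serial[serial].append((datetime.fromisoformat(ts), city))
    flagged = set()
    for serial, events in by_serial.items():
        events.sort()
        for i, (start, _city) in enumerate(events):
            # Distinct cities among scans from this one up to WINDOW later.
            cities = {c for t, c in events[i:] if t - start <= WINDOW}
            if len(cities) > MAX_CITIES:
                flagged.add(serial)
                break
    return flagged

def volume_flags(scans, units_produced):
    """Batches whose scan count exceeds VOLUME_FACTOR x units produced."""
    counts = defaultdict(int)
    for _serial, batch, _city, _ts in scans:
        counts[batch] += 1
    # A batch with no production record (0 units) is flagged on its first scan.
    return {b for b, n in counts.items() if n > VOLUME_FACTOR * units_produced.get(b, 0)}

if __name__ == "__main__":
    print("geo spread:", sorted(geo_spread_flags(SCANS)))
    print("volume:", sorted(volume_flags(SCANS, UNITS_PRODUCED)))
```

SN-0003 visits three cities but weeks apart, so it stays clean; both outputs are review queues, not verdicts.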

The next step: codes that can’t be photographed

Even a unique printed code can be copied once and reused until someone notices. That’s why the strongest version moves the code somewhere it can change — for example, a rotating QR inside a wallet pass that regenerates every minute. A screenshot or a photocopied label goes stale within seconds, so the clone simply stops working.

You can copy a static sticker. You can’t copy a code that keeps changing on the owner’s phone.

What to do

  1. Serialise every unit — one code per item, never one design for the whole line.
  2. Log every scan and judge behaviour, not just existence.
  3. Flag the obvious clone patterns (many locations, impossible volumes) for review.
  4. For high-value or high-risk lines, use rotating codes so a copied code expires.

The takeaway

A QR code on its own proves nothing — it’s a link, and links copy perfectly. What protects a brand is unique identity plus the intelligence to judge how each code behaves. Platforms built for authentication, such as Traciqo, treat every unit as its own record and every scan as a signal. That’s the difference between a code that looks secure and one that is.