QR codes have pretty much embedded themselves into daily life across the UK. You’ll spot them on parking meters, restaurant tables, and payment terminals—just about everywhere.
But here’s the catch: criminals are now taking advantage of this tech with a scam called quishing. Quishing is a type of fraud where scammers use fake QR codes to steal money and personal information, and organised crime gangs are behind a sharp rise in fraudulent QR code incidents.
The threat’s ramping up fast. Action Fraud says that £3.5 million vanished to QR code scams in 2024, mostly because criminals slap sneaky stickers over car park payment machines.
Understanding how these scams work—and knowing what to watch for—can help you avoid becoming a victim.
This guide breaks down how quishing exploits QR codes, highlights common targets, and gives some practical steps to spot and dodge fraudulent codes. We’ll also touch on what to do if you’ve already scanned something suspicious and what security moves can help prevent these attacks.
Key Takeaways
- Quishing scams use malicious QR codes to redirect people to fake websites that steal personal data or download harmful software onto devices.
- Car parks are the most common spot for fraudulent QR code stickers, but scams also show up on restaurant tables, flyers, and payment terminals.
- Always check QR codes for signs of tampering before scanning, and verify the URL before entering any payment or personal info.
How Quishing Exploits QR Codes
Scammers create fake QR codes that send people to malicious websites or trigger dangerous downloads. The trick works because you can’t “read” a QR code with your eyes—so it’s easy to hide a nasty link behind what looks like a normal code.
The Mechanics of a Quishing Attack
A quishing attack follows a structured process designed to trick you into scanning a dodgy QR code. Attackers make a fake code that links to a phishing site or malware.
Then, they distribute these codes in a bunch of ways.
The fake QR code might show up in a phishing email as an image. Victims get messages saying they need to scan the code to verify an account, finish a payment, or get some “important” info.
Some attackers use PDF attachments with the malicious codes instead.
Once you scan the code, the malicious QR code redirects you to a bogus website. These sites often look just like real login pages for banks, email, or other trusted services.
People enter their usernames, passwords, or payment details, and the criminals grab them.
QR codes slip past a lot of email security filters. Most security tools scan text and links, but threats in images often go unnoticed.
Most folks scan QR codes on their phones, which usually have weaker security than computers.
Why QR Codes Are Targeted by Scammers
QR codes are a goldmine for scammers because they hide the real destination. Unlike a text link, you can’t preview where you’re headed before scanning.
People have gotten used to scanning codes without a second thought.
Key vulnerabilities scammers love:
- You can’t check the destination before scanning.
- Most QR scanners don’t warn you about dodgy links.
- Public trust in QR code tech is sky-high.
- Not enough awareness about QR fraud risks.
Mobile devices make things worse, since people often scan codes while distracted or in a hurry. Scanning in public, especially, can lead to trouble.
QR Fraud in Physical and Digital Contexts
Fake QR codes show up in both the real world and online. In person, scammers stick their codes over legit ones on tables, parking meters, or counters.
They also print fake codes on flyers and post them around town.
Digitally, attackers send emails with QR codes claiming you need to update your account, confirm a payment, or respond to a security alert.
These emails often try to make you panic and scan quickly.
Some criminals even cover the real QR code on a payment terminal with their own. You think you’re paying the business, but your money goes straight to the scammer.
This kind of QR phishing has hit millions as these codes pop up more and more in public places.
A fake QR code on a restaurant table just feels more legitimate than one in an email, doesn’t it?
Common Targets and Real-Life Examples
Criminals place fraudulent QR codes where people expect to scan them for real reasons. Contactless payment spots like parking meters and restaurant menus are favorite targets—they just stick their own codes over the proper ones.
Parking and PayByPhone Payment Scams
Car parks are a hotbed for quishing attacks. Scammers slap fake QR codes on parking meters and payment signs, sending drivers to fake payment pages mimicking real services like PayByPhone.
The bogus page grabs your card details, personal info, and, of course, your payment. Most people don’t realize they’ve been scammed until a parking fine lands or they spot strange charges on their bank statement.
Drivers are rushed and trust that codes on official-looking equipment are genuine. Scammers often make their stickers match the real provider’s branding perfectly.
Restaurants, Retail, and Public Venues
Organised crime gangs have targeted QR codes at restaurants, shops, and public spaces, especially since contactless interactions became the norm.
Attackers stick malicious codes on tables, walls, or over the real ones. Diners scan, expecting a menu or to pay, but end up on phishing sites asking for payment or personal info.
Retailers and event venues face the same risks. Scammers post fake codes promising discounts or loyalty sign-ups, just to harvest customer data.
Subscription and Trial Traps
Fraudulent QR codes often dangle fake free trials or subscription deals. They promise discounted streaming, software, or exclusive content.
Scan the code and enter your payment details, and suddenly you’re enrolled in recurring subscriptions you never wanted. Charges show up under weird company names, making them tricky to track.
Some offers want payment info “just to verify identity” during the trial. It’s a sneaky way to steal card details while making you feel like you’re in control.
Online Shopping and Delivery Exploitation
Package delivery scams use QR codes in texts or emails, claiming a parcel needs payment or address confirmation. The codes lead to fake courier sites asking for your info.
E-commerce scams post fake product listings on social media or classifieds, where the “buy now” is a malicious QR code. Shoppers scan, expecting to pay, but end up giving away their financial details and get nothing in return.
Some scammers stick QR codes in public places, advertising deals from big brands. These codes lead to fraudulent shopping sites built to steal your payment info.
Recognising and Avoiding Fake QR Codes
Spotting a dodgy QR code means paying attention to signs of tampering, checking URLs, and using smart scanning habits. A few simple steps and safer payment options can really lower your risk.
Warning Signs of a Quishing Scam
Fake QR codes often show up as stickers slapped over the real ones on machines or meters. The edges might be peeling or not quite lined up.
Printing quality might be off compared to official materials.
QR codes in odd places should make you pause. Real businesses usually put codes in consistent, obvious spots.
If the code looks different from others nearby—odd size, color, or casing—it could be fake. Seeing more than one code where only one should be is a big red flag.
Messages around the QR code that scream urgency, like “scan now” or “immediate payment required,” are classic scam tactics.
Verifying QR Codes Before Scanning
Preview the destination URL before you open any site. Most smartphones show the web address after scanning, before you tap through.
Check that the domain matches the business exactly.
Look for HTTPS in the URL, and watch for sneaky misspellings or extra characters. Scammers build fake sites that look almost identical to trusted brands.
Give the physical code a quick once-over. Feel for sticker edges or layers, and tilt your phone’s light to spot texture changes.
If you can, compare the code to images from the company’s official site or app. Call the business directly using a number you trust to check if they actually use QR codes for that service.
Never enter sensitive info or payment details right after scanning a random QR code. Real services rarely ask for this through QR links alone.
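The URL checks described above (HTTPS, exact domain match, misspellings or extra characters) can be written down as a small routine. This is an added example, not part of the original guide; `cityparking.example` and every sample URL are constructed placeholders, and the two-edit threshold is an assumption.

```python
from urllib.parse import urlsplit

TRUSTED = "cityparking.example"  # constructed placeholder for the real provider

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(payload, trusted_domain):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        userinfo = parts.username or parts.password
    except ValueError:
        return "block", ["payload is not a parseable URL"]
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    if userinfo:
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible look-alike characters")
    trusted = trusted_domain.lower()
    if host != trusted and not host.endswith("." + trusted):
        reasons.append(f"host {host!r} is outside {trusted!r}")
        # Compare the same number of trailing labels as the trusted domain has.
        tail = ".".join(host.split(".")[-(trusted.count(".") + 1):])
        if 0 < edit_distance(tail, trusted) <= 2:
            reasons.append("within two edits of the trusted domain")
        if trusted.split(".")[0] in host:
            reasons.append("trusted name embedded in another domain")
    return ("ok" if not reasons else "block"), reasons

# Constructed sample payloads, one per failure mode plus one genuine link.
SAMPLES = [
    "https://pay.cityparking.example/session/42",
    "http://cityparking.example/pay",
    "https://cityparkimg.example/pay",
    "https://cityparking.example@pay-portal.test/pay",
    "https://cityparking.example.secure-pay.test/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, check_qr_url(url, TRUSTED))
```

HTTPS is treated as a minimum here, not as proof that a site is genuine; the host comparison carries the decision.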
Protective Steps for Individuals
Pick a QR scanner app with security features instead of just using your camera. These apps can warn you about suspicious links.
Turn on multi-factor authentication for your important accounts. It’s a lifesaver if you accidentally share your login details.
Keep an eye on your bank statements for any weird charges. Catching fraud early can stop further damage.
Report dodgy QR codes to the company and local authorities. Action Fraud got 1,386 reports of quishing scams—reporting helps everyone.
Update your phone software and security apps. New updates often protect against fresh phishing tricks and malware.
Safer Alternatives for Payments and Offers
Type website addresses straight into your browser instead of scanning QR codes for payments. That way, you avoid being sent to a fake site.
Use official apps from trusted app stores for parking, tickets, and payments. These apps connect you securely to real services.
When you can, pay by contactless card or cash at parking machines. It’s old school, but it sidesteps QR code risks.
For offers, go directly to the retailer’s website or app. Scanning promo QR codes from random sources is risky.
Ask for physical receipts or email confirmations for transactions. Legitimate services offer more than just QR codes for proof.
Tactics Used in Advanced QR Code Fraud
Criminals have gotten clever at making fake QR codes look totally legit. They bank on how comfortable we’ve all gotten with scanning codes everywhere, from parking meters to emails.
Phishing Emails and Messaging Tactics
Attackers love sending QR codes through email because spam filters can’t read images. It’s one of the fastest-growing phishing tricks.
These quishing emails usually sound urgent—account verification, payment confirmation, or security alerts. The code’s right there in the email or attached as a picture.
When you scan with your phone, it takes you to a fake login page.
This works so well because people use their personal phones, which are often less secure than work computers. Employees might scan a code that leads to a phishing site built to steal Microsoft 365 or work credentials.
The QR phishing scam works because the scanning device and the email security system aren’t connected, so threats slip through.
Impersonation of Trusted Brands
Criminals make fake QR codes that look like they’re from real companies, just to steal your info. These quishing attacks target banks, government sites, and popular services.
The fake codes show up on things like parking meter stickers, restaurant tables, and event posters. Scammers stick their QR code over the real one, so payments or data go straight to them.
Physical placement makes these scams convincing—after all, who questions a code on a restaurant table?
Brand impersonation happens online, too. Scammers copy login pages for big companies, grabbing your username, password, and even two-factor codes before sending you to the real site.
You might not even notice, since everything seems to work as usual.
Evolving Techniques in Quishing Attacks
Quishing represents a modern cyber fraud tactic that keeps evolving as security improves. Criminals now design codes that drop malware straight onto your device, not just grab your credentials.
Attackers have started using time-delayed redirects. The link behind the code first sends security scanners to a safe site, then switches to a malicious one once the coast seems clear.
Some scam QR codes check your device type and location before triggering anything nasty. That way, they can target specific people while looking totally harmless to security teams.
Cases have increased 14-fold over five years, and authorities still seem to be playing catch-up. Attackers love slipping into everyday transactions, promos, or info-sharing moments—QR codes are everywhere now.
Responding to QR Code Scam Incidents
Quick action right after you scan a sketchy QR code can make a real difference. Victims should lock down their accounts, alert the right agencies, and let banks know if anything financial might be at risk.
Immediate Actions After Scanning a Suspect Code
If you scan a suspicious QR code, disconnect from the internet right away. Aeroplane mode or just shutting off Wi-Fi can stop malware from sending your info out.
Check what you entered. If you typed in any passwords or logins, change them immediately from a different device.
Take a close look at your bank and credit card accounts for weird transactions. If something looks off, act fast.
Grab screenshots of the scam website. Snap photos of where you found the QR code, especially if it was on a meter or payment machine.
Run antivirus software to see if anything slipped in. If you entered financial info, put a fraud alert on your credit files for extra safety.
If you gave away a lot of personal details, you might want to freeze your credit. It’s a pain, but it can stop identity theft.
Reporting to Authorities and Fraud Agencies
Reporting quishing scams to Action Fraud helps create an official record and lets law enforcement spot patterns. The national fraud centre keeps tabs and shares info with police.
Local trading standards offices should hear about fake QR codes on parking meters or public payment systems. They can pull down the bad codes and warn others nearby.
If the scam involves investments or financial products, report it to the Financial Conduct Authority (FCA). Most banks have dedicated fraud teams who can try to recover stolen funds.
Notifying Financial Providers and Service Platforms
Contact your bank or credit card company right away if your payment details got out. Most offer 24-hour fraud hotlines—they can freeze accounts and get you new cards.
Building societies and digital payment apps like PayPal or Apple Pay have their own steps for reporting unauthorized access. The sooner you notify them, the better your chances of getting a refund.
If your login details were stolen, tell your email and social media providers. Change all your passwords, especially on services that are linked together.
Turn on two-factor authentication wherever you can. It’s not perfect, but it helps.
Prevention, Security Measures, and Regulatory Oversight
Businesses, government agencies, and individuals all have a part to play in stopping quishing. Banks and regulators have sounded the alarm as QR code scams keep rising across the UK.
Role of Businesses and Local Authorities
Businesses should use secure QR codes to protect customers from malicious redirects. That means picking systems with built-in security and checking regularly where their codes actually send people.
Trading standards officers work with local shops and venues to make sure public QR codes follow safety rules. They investigate complaints and take action when they find dodgy codes.
Local authorities need to check high-risk spots—car parks, restaurant tables, payment kiosks—since scammers love to stick fake codes there. Regular inspections help catch and remove these.
Companies should train staff to spot suspicious QR codes and know what to do if they find one. Clear policies about who can create and place QR codes keep things safer.
Official Warnings and Industry Guidance
Action Fraud logged 1,386 reports of quishing scam incidents. National authorities have issued warnings, and the FT says organized crime gangs are doubling down on fraudulent QR codes.
Security experts suggest a few practical steps:
- Verify QR sources—don’t scan codes from random places.
- Check URLs before you visit any linked site.
- Skip codes offering wild prizes or deals that sound too good.
- Use QR scanner apps with security features built in.
Financial regulators have pushed banks to do more. That includes monitoring transactions and running customer education programs.
Best Practices for Ongoing Protection
Mixing general phishing prevention with QR-specific habits is your best bet. Always look for signs of tampering—stickers over original codes are a red flag.
Organisations should use detection and prevention systems that catch malicious QR codes in emails and files. Standard filters often miss QR code phishing emails, so updated tools are a must.
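To make the filter gap concrete, the sketch below (an added example, not from the original article) walks a message's MIME parts, reports the URLs a text-and-link filter would see, and lists the image or PDF parts that still need QR decoding. The urgency phrases, priority rule and sample messages are constructed assumptions, and the QR decoding step itself is outside the example.

```python
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Urgency themes taken from the article; the exact wording is an assumption.
URGENCY = ("verify your account", "payment confirmation", "security alert")
# Magic bytes identify QR carriers even when the declared MIME type is wrong.
MAGIC = ((b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
         (b"GIF8", "gif"), (b"%PDF-", "pdf"))

def triage(msg):
    """Report what a link-only filter sees and which parts need QR decoding."""
    urls, carriers, text = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""
        kind = next((k for magic, k in MAGIC if raw.startswith(magic)), None)
        if kind:
            carriers.append((part.get_filename() or "inline", kind))
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            text.append(body)
            urls += URL_RE.findall(body)
    urgent = [p for p in URGENCY if p in " ".join(text).lower()]
    if not carriers:
        priority = "none"
    elif urgent and not urls:
        priority = "high"    # urgent wording, no visible link, image present
    else:
        priority = "normal"  # still decode, but behind the high-priority queue
    return {"visible_urls": urls, "qr_carriers": carriers,
            "urgency": urgent, "decode_priority": priority}

def build_samples():
    """Constructed messages; the 'PNG' is only a file header plus padding."""
    quish = EmailMessage()
    quish["Subject"] = "Security alert"
    quish.set_content("Security alert: scan the code to verify your account.")
    quish.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                         maintype="application", subtype="octet-stream",
                         filename="notice.bin")
    plain = EmailMessage()
    plain.set_content("Your receipt: https://shop.example/orders/1001")
    return quish, plain

if __name__ == "__main__":
    for sample in build_samples():
        print(triage(sample))
```

The first sample yields no visible URLs at all, which is exactly what a text-and-link scanner would conclude, while the attachment is still flagged for decoding.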
Regular security training helps everyone spot quishing attempts. Employees should know how to report sketchy QR codes, whether at work or out in public.
Keep your devices updated with the latest security software and operating systems. It’s boring, but it really matters.
Frequently Asked Questions
Criminals use fake QR codes to steal money and personal info through parking meters, emails, and social media. If you know how to spot a scam code and act fast, you can protect your accounts.
How can you tell if a QR code is genuine or a malicious replacement?
Check physical QR codes for any signs of tampering. If you see a sticker slapped over an original code or one that looks freshly added, be suspicious.
Location makes a difference. Legit QR codes on parking meters or payment machines should be printed on or professionally attached—not just stuck on haphazardly.
Look at the area around the code. Poor print quality, crooked stickers, or edges that peel up often mean it’s fake.
What information can criminals obtain after you scan a fraudulent QR code?
Fake QR codes often send you to bogus login pages to grab your username and password. Banking logins, email, and social media accounts are all targets.
Sometimes, scammers ask for more personal details—names, phone numbers, addresses, even your date of birth—using forms that look legit.
If you enter card details on a scam site, they can steal your number, expiry date, and security code. That’s usually enough for them to empty your account or make unauthorized purchases.
What should you do immediately after scanning a suspicious QR code link?
Close the browser or app right away—don’t type in anything. Don’t click pop-ups or buttons on suspicious pages.
Change your passwords for important accounts, starting with banking, email, and social media. Better safe than sorry.
Keep an eye on your bank statements for odd charges. If you spot anything, contact your bank and consider putting a fraud alert on your accounts.
How do QR code scams typically work on iPhone devices?
iPhones face the same risks as other phones when scanning bad QR codes. The camera app reads the code and shows a notification with the link before you open it.
That preview is your chance to check the URL. Does the address look right? If not, don’t tap it.
Malicious links on iPhones work just like on Android or computers. They can send you to fake login pages to steal your info or trigger unwanted downloads.
How are QR code scams used to take over Instagram accounts or steal login details?
Scammers make fake Instagram login pages that look almost identical to the real thing. QR codes in emails or DMs might claim you need to verify your account or check a security alert.
If you log in on the fake page, they grab your username and password. Criminals jump into your real account, change the settings, and lock you out.
They usually target your followers next, sending messages about fake giveaways or asking for money. It’s a nasty cycle.
Are QR code scams common with parking payments, and how can you pay safely?
Car park QR code scams seem to pop up a lot lately. Basically, scammers slap fake QR code stickers right over the real ones on parking meters and machines.
If you want to pay safely, always double-check the web address before you type in your card details. The official parking apps and council websites should match what you know—watch out for weird domains or odd spellings.
When a code feels off, it’s smarter to try something else. Download parking apps straight from the app store, call the phone number posted on the machine, or just pay at a physical pay station if you can.

