QR codes, found on contactless payment hotspots like restaurant menus and car park meters, can be highly convenient – but also very costly if they’ve been tampered with by a ‘Quishing’ QR code scam.
Quishing is an illicit practice carried out by fraudsters who stick their own QR codes on top of genuine companies’ codes, redirecting unsuspecting victims toward mimicked payment apps and websites.

Experts have now revealed that the organised crime gangs behind QR code-related scams are showing no signs of slowing down their fraudulent activities, with scams up 14-fold over the past 5 years.
Action Fraud, the UK’s national fraud reporting centre, received 100 reports of people being targeted back in 2019, and 1,386 reports most recently in 2024.
These statistics, obtained by the BBC’s Shared Data Unit, revealed that the number of recorded UK incidents more than doubled from 2023 to 2024, and that of the 3,000 reports received over the past 5 years, 20% were linked to the Metropolitan Police area.
“We’ve seen huge amounts of money lost this way,” said Katherine Hart, lead officer of the Chartered Trading Standards Institute. “People have seen their life savings gone and that money is going to finance criminals.”
Ms Hart went on to say that Quishing is an under-reported crime, a huge challenge to authorities around the world, and that a hierarchical organised crime structure is likely at play, with low-level individuals being instructed to apply the bogus codes to signage.
Like many fraudsters, Quishing scammers are often after sensitive information like personal and financial data. Once a target has scanned a fake QR code, they will be taken to a malicious app or site designed to capture and steal data entered.
Quishing codes (both fraudulent and misleading) are not only found on public signage; they can also be found in phishing emails, and even on parcels and in television advertisements.
According to Ms Hart, victims of this type of crime often lost small amounts of money initially while the scam perpetrators collected the necessary data to execute a more serious secondary scam.
“You may lose £2.99 and a lot of people won’t report that and don’t realise they’ve passed on their information to a criminal organisation,” the CTSI lead officer stated.
“Days or weeks later, they get a call telling them they’ve been the victim of fraud and they can pinpoint a day, because they already have all the information you shared with them earlier.”
“They convince you using very coercive tactics that they’re from your bank, the police or Trading Standards and they want to take everything you’ve got.”
UK car park operator NCP (National Car Parks) is currently considering the removal of QR codes from signage used across its 800 sites.
A spokesperson stated that, while the company understands the value of QR codes, it is reviewing options to combat fraudulent activity, including the removal of codes from signage in favour of emphasising usage of the NCP website for payment information.
“You should stop and check before scanning one,” Det Supt Gary Miles, head of the National Fraud Intelligence Bureau, warned of QR codes found in public spaces and online.
“If you’re in person, check for signs it has been tampered with, or online, look out for phishing emails or rogue social media posts with QR codes.”
The National Cyber Security Centre and National Crime Agency, among other experts, continually urge the public to remain vigilant to cyber criminals’ various evolving scam tactics.
While Quishing may be on the rise, there are still ways to shield your personal data and identity from fraudsters when scanning QR codes in places like restaurants and car parks and also online.
Our industry-leading TotalAV iPhone app has a built-in QR Code checker, which makes sure QR codes are safe to use, protecting you from various Quishing scams, including hard-to-spot stickers that may be covering genuine codes.




