Whether you’re ordering drinks to your table in a pub or want to pay for car parking, QR codes make life simple.
A quick scan of a black-and-white grid on your mobile phone takes you straight to a website to carry out the transaction.
But that harmless-looking square can now hide a cunning scam.
This is known as “quishing”, where fraudsters trick you into handing over bank details or personal data, or download dangerous malware to your phone. Here’s what you need to know.
What is quishing?
Quishing is a mashup of ‘QR’ and ‘phishing’. A QR – or Quick Response – code is a type of two-dimensional barcode that can be scanned with a smartphone camera and will instantly take you to a website, app, payment page, or digital file.
Phishing is a form of cybercrime where scammers contact you via email, text, or phone to trick you into revealing sensitive information such passwords, credit card numbers, or bank details.
John Shier, information security officer at cybersecurity firm Sophos, told The Independent: “These QR codes are replacing links in phishing emails to make them more difficult to identify as being harmful.
“When scanned, the QR code often directs users to phishing websites that are designed to steal credentials and personally identifiable information. Because QR codes are increasingly used, both in the digital and physical world, this updated phishing method has become a growing threat.”
Quishing is on the rise
Figures from Action Fraud show that 784 reports of quishing were made to the fraud reporting service between April 2024 and April 2025, with almost £3.5m lost to this latest type of hi-tech fraud – more than two incidents daily, costing about £10,000 a day.
But Naomi Grossman, compliance manager at software firm VinciWorks, warns that this figure is almost certainly an underestimate. “Most victims don't realise a QR code was the main cause of the scam, until they receive unexpected charges or when they receive a parking fine. And reports are rising sharply into 2025,” she says.
“These aren’t one-off or insignificant losses. At Thornaby Station, a 71-year-old woman scanned a fake QR code in the car park. After impersonating her identity, scammers then impersonated her bank, set up online banking in her name, changed her address, and took out a £7,500 loan, leaving her locked out of her accounts, living on her son’s help, and enduring sleepless nights.”
Several similar cases reveal a disturbing pattern. What starts as a minor transaction, such as a parking fee, can unravel into identity theft, financial fraud, and lasting distress.
Cifas’s Fraudscape 2025 report revealed a record 421,000 fraud cases last year – the highest ever recorded. Even the Financial Conduct Authority (FCA) itself has been targeted.
In the first half of 2025 alone, 4,465 reports were filed about fraudsters impersonating the regulator, with 480 victims tricked into sending money. These scams exploit public trust in official bodies, often claiming to help recover lost funds but instead demanding payments or personal information.
Where are fake QR codes being found?
According to Action Fraud, car parks are the most common hotspot for quishing scams, with fraudsters placing fake QR code stickers on payment machines.
Action Fraud’s findings are backed up by The Bureau of Investigative Journalism (TBIJ) which found similar evidence. TBIJ sent freedom of information (FOI) requests to every council in the UK asking about quishing attacks.
Of the 373 local authorities that responded, 123 said they had received reports of their car parks being targeted in the past year.
Quishing in car parks not only exposes drivers’ personal and financial details to scammers but also means the genuine parking fee goes unpaid – leaving motorists at risk of penalty charges on top of their losses.
How to avoid quishing scams
Like most phishing scams, quishing works by catching people when they’re rushed or distracted. The best defence is to pause, stay alert, and think before you scan.
“Quishing banks on our impulse to act quickly. But a moment’s caution is all it takes to outwit the scammers and protect both your money and your peace of mind,” says Grossman.
Action Fraud advises using your phone’s built-in QR scanner rather than third-party apps, which are often less secure. Adding mobile protection or anti-virus software is also a good safeguard, helping block malicious links or downloads.
Be wary of public QR codes that look tampered with – for example, stickers placed over the original. If in doubt, don’t scan. Instead, go directly to the company or service through its official website.
If you do scan a code, check the URL carefully before clicking further. Never enter login details or payment information unless you’re certain the site is legitimate.
When investing, your capital is at risk and you may get back less than invested. Past performance doesn’t guarantee future results.
