QR codes are becoming an increasingly easy way to make a payment, which criminals are starting to exploit. Dalvider Kular, assistant editor at FStech, explores some of the risks and challenges associated with the technology and what can be done to protect users.
QR codes, or quick-response codes, were invented in Japan in 1994 by Masahiro Hara. He originally designed them as labels for car parts at Denso Wave, the manufacturing company where he worked. Hara was influenced by the white and black counters found on the board of the Japanese game Go.
However, it wasn’t until a couple of decades later that these small square matrix barcodes made their way onto posters, products and packaging.
During the pandemic, these black and white squares gained popularity as a hands-free, environmentally friendly way of communicating information without the risk of also passing on germs.
Since then, scanning a QR code has become second nature to many around the world. Their uses include everything from downloading restaurant menus to paying for parking and validating tickets.
Yet as with any tool of convenience, cyber criminals have found ways to exploit them, profiting from a new habit of scan now, think later.
Quishing, a portmanteau of QR code and phishing, is on the rise and both customers and financial institutions need to be aware of the risks.
The rise of quishing
Scammers are using a variety of methods to catch their victims. These include fake QR stickers pasted onto parking meters, rogue codes on shopping platforms, and official-looking letters claiming to be from HMRC.
Cyber criminals are actively replacing legitimate QR codes with fake ones that have malicious links embedded in them. When the unsuspecting victim scans the code, it either takes them to a malicious website or downloads malware onto their device, which prompts them to input payment details.
Unlike phishing emails or suspicious text messages, QR scams evade traditional link filters and appear visually uniform. These factors make them harder for potential victims to spot.
In June this year, Action Fraud issued a stark warning when it revealed that almost £3.5 million was lost in 2024 to fraudulent QR code scams.
Between April 2024 and April 2025 alone, 784 reports of quishing were logged, with many more likely going unreported.
Claire Webb, acting director of Action Fraud, said that QR codes are becoming increasingly common in everyday life, whether it’s scanning one to pay for parking, or receiving an email asking to verify an online account. However, reporting shows cyber criminals are increasingly using quishing as a way to trick the public out of their personal and financial information.
“We’re urging people to stop and check before scanning QR codes, to avoid becoming a victim of quishing,” she added. “Look out for QR codes that may have been tampered with in open spaces, or emails and texts that might include rogue codes.
“If you’re in doubt, contact the organisation directly.”
Exploiting the desire for convenience
Marc Rocker, head of cyber at Towergate Insurance, describes quishing as “a new cyber threat for the unwary, deliberately aimed at exploiting the desire for convenience.”
According to Rocker, corrupted codes have been discovered on emails, TV adverts, parcels, menus, and even pay-and-display meters. He warns that criminals can act quicker than victims expect.
“One lady was scammed £13,000 after scanning a fake QR code in a railway station in Stockton-on-Tees,” he said. “Within minutes, the cyber criminals made a string of fraudulent payments on her credit card and even succeeded in taking out a £7,500 loan in her name.”
The rise of quishing is part of a broader trend of cyber-crime, according to Jonathan Frost, director of global advisory for EMEA at BioCatch, a fraud prevention technology company.
“The growth in quishing is a great example of displacement, with improved filtering causing threat actors to switch from email and SMS as a means of reaching consumers,” he says. “Humans’ inability to read QR codes is hugely advantageous, with many consumers paying little attention to the URL their device loads when they scan one.”
Frost highlights that quishing reports to Action Fraud have grown from 115 per month in 2024 to 167 per month in early 2025. Similar tactics are being reported across Europe, with Germany seeing a wave of fake codes on EV charging stations.
He adds that criminals seem to be adapting to consumer digital habits and are targeting QR code transactions to provide themselves with a steady source of income.
Alyssa Iyer, head of AML at software firm Lynx Tech, agrees that attackers are exploiting new routines.
“From menus and parking to payments and deliveries, QR codes have become a part of everyday life, which makes them seem trustworthy by default,” she says. “Combined with low levels of public awareness around quishing, this creates a prime opportunity for fraud.”
Iyer adds that some fraudsters are simply printing stickers and overlaying them on legitimate QR codes in public places.
“Detection is extremely difficult for the average person,” she warns.
A threat to businesses and consumers
While individuals bear the brunt of losses, quishing also poses serious risks to small and medium-sized enterprises (SMEs). Many SMEs use QR codes on business cards, exhibition stands, email signatures, and authentication apps, but lack sufficient cyber insurance to cover the fallout of an attack.
“The threat to SMEs is significant as many don’t have sufficient cyber insurance,” Rocker warns. “In reality, the risk of cyber-crime to businesses far outweighs many other risks that they would have cover for, without a second thought.
“SMEs need to take a much more serious interest in protecting themselves against this dangerous new threat.”
With cyber liability policies still inconsistent among smaller firms, a single attack could compromise sensitive data, customer trust, and balance sheets.
Defence strategies in the financial sector
The financial sector is also starting to suffer as a result of quishing scams as cyber criminals prey on the value of customer credentials, payments, and personal data.
Frost said that once a consumer’s details are captured through a fake QR, fraudsters often collect personal data to support social engineering.
“It is a lot easier to impersonate a bank when you can call up a customer, address them by name, and even point to a transaction on their card,” he says.
Iyer echoes this, stressing the importance of machine learning and AI-driven detection systems that can flag suspicious transactions in real time.
“To better protect customers, financial institutions benefit from having defence strategies in place that can help detect suspicious transactions in real time and intervene early,” she says.
This includes monitoring behavioural anomalies, blocking outbound transfers, and halting loans before fraudsters get away with the proceeds.
Regulation and responsibility for financial institutions
As with other types of fraud, regulation is struggling to keep pace. Under GDPR and the upcoming Digital Operational Resilience Act (DORA), financial institutions are expected to secure customer data and maintain resilient systems.
However, this is much harder to do when criminals target infrastructure outside of a bank’s direct control, such as a parking meter or a spoofed email.
Frost suggests the solution lies in a united front where regulators, law enforcement, tech firms, and local councils work together to detect and remove malicious QR codes.
“Whilst financial institutions are at the sharp end of the quishing phenomenon, they should be part of a ‘whole of ecosystem’ approach with equal effort from regulators, law enforcement, and technology platforms,” he argues.
Without this collaboration, banks risk becoming liable by default even if they had no control over where and how the quishing attack happened.
Protecting consumers
There are a number of ways that consumers can protect themselves against quishing attacks. Additionally, banks and payment companies need to raise awareness and warn their customers to remain vigilant against the risk of attack.
Before scanning a QR code, users should confirm its origins and avoid scanning codes in unsolicited emails, messages or stickers.
Prior to making a payment, customers should also check for signs of tampering, such as misaligned or low-quality prints.
People should also avoid scanning a QR code if they are pressured with urgent instructions such as “scan immediately to avoid fees.”
“Many times, phones will give a visual representation of the URL before proceeding to a site,” says Iyer. “Taking a moment to review the URL, looking for errors in the spelling or unusual formatting, can highlight illegitimacies.”
Frost says that people should approach QR codes with the same caution they would apply to unfamiliar links or suspicious emails.
“Where possible, it’s safer to manually navigate to a company’s website or download an app through a recognised app store,” he continued.
The RAC, a car insurance and roadside assistance firm, has gone further, advising drivers not to use QR codes on parking meters at all.
It advises its members to instead rely on cash, cards, or manually downloaded apps.
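The URL review Iyer describes can also be done in software once a scanner has decoded the QR payload to text. The following is an added example, not part of the original article: it assumes the operator publishes the hosts its genuine codes point to, and the host names and sample links are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the operator publishes the hosts its genuine codes point to.
# These names are constructed for the example.
EXPECTED_HOSTS = {"pay.parking-example.co.uk", "parking-example.co.uk"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of a host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_qr_url(payload: str) -> list:
    """Return the warnings a reviewer would raise; an empty list means none."""
    warnings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not an https link")
    if parts.username or parts.password:
        warnings.append("text before '@' hides the real host")
    if not host:
        return warnings + ["no host in payload"]
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        warnings.append("internationalised (lookalike-capable) host name")
    if host not in EXPECTED_HOSTS:
        nearest = min(EXPECTED_HOSTS, key=lambda h: edit_distance(host, h))
        if edit_distance(host, nearest) <= 2:
            warnings.append(f"misspelling of {nearest}")
        elif any(h in host for h in EXPECTED_HOSTS):
            warnings.append("expected name embedded in another domain")
        else:
            warnings.append("host is not one the operator publishes")
    return warnings
```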
Alternatives and innovations
Both Iyer and Frost stress that QR codes are here to stay, explaining that steps need to be taken to make the technology safer to use and less susceptible to fraud.
Ways to guard against quishing include encrypted or time-sensitive QR codes generated in real time, app-generated codes linked to specific devices, or tokenised payment systems such as Apple Pay or Google Pay.
Banking and government apps should also look into enhanced verification mechanisms such as two-factor authentication.
“The solution is not to abandon them, but to improve their safety and support users in identifying fraudulent activity,” Frost says. “Strengthening the integrity of QR-based systems will not only make them more resilient to attack but also reinforce public trust in their continued use.”
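One way a time-sensitive, device-linked code could work, shown as an added example that is not part of the original article or any vendor's implementation: the backend signs the code's contents with an expiry and a device identifier, so a printed sticker or a copied screenshot fails verification. The key, field names and 60-second lifetime are assumptions made for the sketch.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this sketch: the issuing app's backend holds SECRET_KEY, and
# each enrolled device has an identifier the backend already knows.
SECRET_KEY = b"constructed-demo-key-not-for-production"
LIFETIME_SECONDS = 60


def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET_KEY, body, hashlib.sha256).digest()


def issue_code(device_id: str, amount_pence: int, now=None) -> str:
    """Build the text to render as a QR code: claims plus an HMAC tag."""
    now = time.time() if now is None else now
    claims = {"dev": device_id, "amt": amount_pence, "exp": int(now) + LIFETIME_SECONDS}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _enc(body) + "." + _enc(_sign(body))


def verify_code(token: str, device_id: str, now=None):
    """Return the claims if the code is authentic, unexpired and for this device."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _dec(body_b64), _dec(tag_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    if not hmac.compare_digest(tag, _sign(body)):
        return None  # altered, or not issued by this backend
    claims = json.loads(body)
    if now >= claims["exp"] or claims["dev"] != device_id:
        return None  # stale printout or screenshot, or shown by another device
    return claims
```

A production design would also record each accepted code so that it cannot be replayed inside its lifetime.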
Balancing convenience and security
Quishing may be a relatively new term, but the scam it describes is growing at an increasing speed. With losses in the millions, and reports climbing year on year, financial institutions, businesses, and regulators need to take the threat seriously.
As the QR code looks to remain part of the digital landscape for the foreseeable future, Frost calls on financial institutions to be proactive in their defence by staying vigilant and educating their customers.
Ultimately, he concludes, defence tactics need to evolve in response to methods used by the fraudsters.
“Efforts should focus on making them more secure,” he says. “This includes using app-generated codes, enhancing the security of the scanning process, and educating the public about potential risks.”