QR Code Scams (Quishing)
What Is Quishing?
Quishing (QR code phishing) is a form of social engineering attack that uses QR codes to direct victims to malicious websites. Just as traditional phishing uses deceptive links in emails, quishing uses QR codes to bypass the vigilance people have developed towards suspicious URLs. Because QR codes are opaque, you cannot tell where they will take you just by looking at them, making them an effective tool for scammers.
QR codes have become a routine part of daily life, used for restaurant menus, parking payments, event tickets, and product information. This familiarity is precisely what scammers exploit: people scan QR codes without thinking twice about where they lead.
How QR Code Scams Work
Tampered QR Codes in Public Places
Scammers place fraudulent QR code stickers over legitimate ones in public locations. Common targets include:
- Parking meters: A fake QR code sticker is placed on or near a parking meter, directing drivers to a fraudulent payment page that captures their card details. The victim believes they have paid for parking but instead has handed their financial information to a criminal.
- Restaurant table signs: With many restaurants using QR codes for digital menus and ordering, scammers replace legitimate codes with ones that direct to phishing sites designed to capture payment information.
- Public transport: Fake QR codes placed on bus stops, train stations, or cycle hire docking stations can redirect victims to credential-harvesting websites.
- Advertising posters: Scammers place stickers over QR codes on legitimate advertisements, redirecting scanners to malicious sites.
Fake Delivery and Post Notifications
Physical cards or letters left at your door claiming a parcel delivery was missed may include a QR code to "rearrange delivery" or "pay a redelivery fee". Scanning the code takes you to a convincing replica of a postal service website that requests your payment details or personal information.
Royal Mail, Evri, DPD, and other legitimate delivery companies have official apps and websites for managing deliveries. Always use these directly rather than scanning a QR code from an unexpected notification.
QR Codes in Emails and Messages
Scammers embed QR codes in phishing emails to bypass email security filters that scan for malicious links. Because the QR code is an image rather than a clickable URL, many automated security tools do not detect it as a threat. The email might claim to be from your bank, employer, or a platform you use, urging you to scan the code to verify your account or resolve an issue.
Fake Payment QR Codes
In peer-to-peer transactions or marketplace settings, a scammer may present a QR code that they claim will initiate a payment to you, but which actually triggers a payment from your account to theirs. Always verify the direction and amount of any QR-code-initiated transaction before confirming it.
How to Verify a QR Code Before Scanning
- Check for tampering: Before scanning a QR code in a public place, look for signs that a sticker has been placed over an original code. If the code appears to be a sticker applied on top of another surface, be suspicious.
- Preview the URL: Most modern smartphone cameras and QR scanning apps display the URL before opening it. Read the URL carefully. Does it match the organisation's official domain? Look for misspellings, unusual subdomains, or unfamiliar domain extensions.
- Use official apps: If a QR code claims to be for a specific service (such as a parking provider or delivery company), open that service's official app instead of scanning an unknown code.
- Be cautious with payments: If a QR code initiates a payment, verify the recipient and amount before confirming. Legitimate payment QR codes from established businesses will display the business name in your payment app.
- Do not scan codes from untrusted sources: Treat QR codes from unknown or unexpected sources with the same suspicion you would apply to an unsolicited link in an email.
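As an added illustration of the "Preview the URL" checks in the list above (example code, not part of the original guidance), the Python below applies those checks to a URL that a scanner app has already decoded and shown on screen. The domains, the URLs and the short list of unusual extensions are constructed for the example, and the registrable-domain rule is a deliberate simplification of a full public-suffix list.

```python
from urllib.parse import urlsplit
from difflib import SequenceMatcher

# Illustrative only: a few extensions often seen on throwaway phishing domains (not exhaustive).
UNUSUAL_TLDS = {"zip", "top", "xyz", "click", "icu"}
# Labels under which the registrable name sits one level deeper, e.g. example.co.uk.
SECOND_LEVEL = {"co", "org", "gov", "ac"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain (assumption: this rule stands in for a public-suffix list)."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_qr_url(url: str, official_domain: str) -> list[str]:
    """Return red flags for a URL decoded from a QR code, judged against the domain the
    code claims to belong to. An empty list means nothing obvious was found; it does
    not prove the link is safe."""
    official = official_domain.lower()
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    flags = []
    if not host:
        return ["no hostname in URL"]
    if parts.scheme != "https":
        flags.append("not https")
    if host.replace(".", "").isdigit():
        flags.append("bare IP address instead of a domain name")
        return flags
    if host == official or host.endswith("." + official):
        return flags  # host genuinely sits under the official domain
    reg = registrable_domain(host)
    flags.append(f"domain {reg!r} is not the official {official!r}")
    if official.split(".")[0] in host.split("."):
        flags.append("official name appears as a subdomain of an unrelated domain")
    similarity = SequenceMatcher(None, reg, official).ratio()
    if similarity >= 0.8:  # one-letter swaps and similar misspellings land well above this
        flags.append(f"lookalike of official domain (similarity {similarity:.2f})")
    tld = reg.rsplit(".", 1)[-1]
    if tld in UNUSUAL_TLDS:
        flags.append(f"unfamiliar domain extension '.{tld}'")
    return flags


if __name__ == "__main__":
    # Constructed sample: a genuine subdomain, a brand-as-subdomain trick, a misspelling, a bare IP.
    for sample in ("https://pay.parkpay.example/meter/42", "https://parkpay.example.pay-meter.top/login",
                   "http://parkpey.example/pay", "https://203.0.113.5/menu"):
        print(sample, "->", check_qr_url(sample, "parkpay.example") or ["no red flags"])
```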
What to Do If You Scanned a Suspicious QR Code
If you scanned a QR code and suspect it was fraudulent:
- Do not enter any personal information or payment details on the website it directed you to.
- If you already entered information, change your passwords immediately and contact your bank if financial details were provided.
- Run an antivirus scan on your device, as some malicious websites attempt to install malware.
- Report the fraudulent QR code to the venue or location where you found it, so it can be removed.
- Report the scam to Action Fraud.
The National Cyber Security Centre (NCSC) provides regularly updated guidance on emerging scam techniques, including QR code fraud. Staying informed about new tactics is one of the most effective ways to protect yourself as scammers continually adapt their methods.