QR ‘Quishing’ scams: Do you know the risks?

QR code scams, or Quishing scams, are rising and pose a threat to both private users and businesses as cyberattacks move towards mobile devices

QR code scams are an increasingly challenging threat for people and businesses alike, with fraudulent activity on the rise.

QR phishing, or Quishing, is a cyber threat that is able to bypass the usual checks individuals make to avoid the common signs of phishing. It moves a cyberattack from a protected email environment to the user's mobile device, which is often less secure.

A fraudulent QR code might redirect a payment through a convincing third-party website, allowing hackers to capture credit or debit card information and use it to make fraudulent purchases.

Quishing scams continually on the rise

Whilst QR codes are now widely seen as a new, more efficient way to share website links and information, or make payments, this convenience can be exploited. In fact, the number of QR code scams in the UK has soared, with over 400 reported this year alone and 1,200 investigated by Action Fraud since 2020.

QR codes have become immensely popular with businesses, as they can enable the sharing of critical information and other communications. However, in an ever-increasing threat landscape, it is inevitable that forms of exploitation do occur. A particular concern associated with QR codes is that they are viewed as less secure and so are not ideal for sharing confidential data.

For businesses, the impacts of such a cyberattack could be devastating. Fake QR codes created by bad actors could lead customers to fall victim to phishing scams, data breaches, or fake payment portals.

Microsoft has offered advice for identifying the different types of QR code scams, stating: “Using QR codes for payments was extremely popular during the height of the COVID-19 pandemic since it allowed customers to make purchases without touching card readers, minimising the spread of germs. However, scammers can place QR codes in public places to steal your money or credit card information.

“Make sure the URL seems legitimate and that it isn’t a misspelling of a real URL (for example, “Microsaft.com” instead of “Microsoft.com”).”

Threat actors exploiting everyday people, affecting business trust

2023 has seen a new era of new cybersecurity threats with cybercriminals leveraging sophisticated methods to exploit vulnerabilities and gain unauthorised access to sensitive information. 

Issues of Quishing scams have been raised again in 2023 when a victim was scammed out of £13,000 by a fake QR code at a railway station. The BBC reported that they were sent to a fake website which allowed the cybercriminals to redirect payments and card information, which resulted in the victim losing thousands of pounds.

This type of incident could result in some public mistrust of new technologies, ultimately impacting business use of the product itself.

James Dyer, Threat Intelligence Lead at Egress, comments: “When QR codes were first introduced in the 2010s, people were very sceptical of this new technology as they didn't really know how they worked and approached them with extreme caution. However, time and exposure have relaxed people’s attitudes.

“In recent years, multi-factor authentication apps have featured QR code verification, which has further eased people’s nerves and increased trust in using QR codes. Unfortunately, cyber gangs have been waiting for the perfect moment to strike. The sweet spot for them is where tech transitions from being new and alien to being used daily; this is where familiarity can breed complacency, and people scan QR codes without additional thought, making them more susceptible to attacks.

He continues: “QR codes act like a barrier between the public and the website which it links to, so people can’t hover over the hyperlinks to see the potential end destination before choosing to navigate there. With malicious QR codes popping up everywhere including emails and posters, we've seen a surge in typosquatting (lookalike domains) which mimic trusted organisations like Microsoft.

“Simple practices to prevent a QR-code attack include being wary before scanning a new image – does it look like there’s a sticker of a new QR code over an existing one? Does the preview hyperlink look suspicious? If in doubt, head to the official website in a browser or ask a member of staff if you’re at a shop or restaurant before scanning.”


For more insights into the world of Cyber - check out the latest edition of Cyber Magazine and be sure to follow us on LinkedIn & Twitter.

Other magazines that may be of interest - Technology Magazine | AI Magazine.

Please also check out our upcoming event - Sustainability LIVE Net Zero on 6 and 7 March 2024.  


BizClik is a global provider of B2B digital media platforms that cover Executive Communities for CEOs, CFOs, CMOs, Sustainability leaders, Procurement & Supply Chain leaders, Technology & AI leaders, Cyber leaders, FinTech & InsurTech leaders as well as covering industries such as Manufacturing, Mining, Energy, EV, Construction, Healthcare and Food.

BizClik – based in London, Dubai, and New York – offers services such as content creation, advertising & sponsorship solutions, webinars & events.


Featured Articles

Barracuda: Why Businesses Struggle to Manage Cyber Risk

Barracuda Networks CIO report shows that six in 10 businesses struggle to manage cyber risk, with issues such as policy struggles and management buy-in

Evri, Amazon and Paypal Among Brands Most Used by Scammers

With the development of AI, cybercriminals are becoming more and more sophisticated in their attacks, using fake websites and impersonating popular brands

Tech & AI LIVE: Key Events that are Vital for Cybersecurity

Connecting the world’s technology and AI leaders, Tech & AI LIVE returns in 2024, find out more on what’s to come in 2024

MWC Barcelona 2024: The Future is Connectivity

Technology & AI

AI-Based Phishing Scams Are On The Rise This Valentine’s Day

Cyber Security

Speaker Lineup Announced for Tech Show London 2024

Technology & AI