Quishing: Rising cyber threat exploiting the ubiquity of QR codes

By Alex Rolfe Cyber Crime

Once a niche tool for tracking car parts in Japan, the quick response (QR) code has become a global mainstay of digital convenience.


From restaurant menus to parking payments, consumers have embraced the small black-and-white squares as a frictionless gateway to information and transactions.

Yet the very speed and simplicity that made QR codes indispensable have also opened the door to a new form of cybercrime: “quishing”.

Quishing—an amalgamation of QR code and phishing—uses corrupted or counterfeit QR codes to lure unsuspecting users into fraudulent websites or to install malicious software.

Unlike suspicious emails or text messages, malicious QR codes are visually indistinguishable from legitimate ones, and they bypass many of the filters designed to block traditional phishing attempts.

The result is a fast-growing threat that has already cost UK consumers millions. Action Fraud, the national reporting centre, revealed losses of nearly £3.5 million in 2024 alone, with incident reports climbing steadily in 2025.

Exploiting the Culture of Convenience

Cyber criminals are adept at exploiting everyday habits. Stickers with rogue QR codes have been found pasted over legitimate ones on parking meters, public transport hubs and even restaurant tables.

Victims are redirected to convincing websites that request login credentials or payment details.

In one striking case, a commuter in Stockton-on-Tees lost £13,000 within minutes of scanning a fake code, with fraudsters not only draining her credit card but also securing a loan in her name.

Experts warn that this evolution in fraud is a natural consequence of more robust filtering of emails and SMS.

As Jonathan Frost of fraud prevention firm BioCatch notes, criminals are adapting to new digital routines, targeting QR code interactions precisely because users rarely scrutinise the URLs they generate.

Reports of quishing to Action Fraud have jumped from an average of 115 per month in 2024 to 167 in early 2025.

Similar patterns are emerging across Europe, with Germany experiencing scams at electric vehicle charging stations.

Risks for Consumers and Businesses

While individuals bear immediate losses, the corporate sector is far from immune.

Small and medium-sized enterprises (SMEs) frequently use QR codes in marketing campaigns, authentication apps and payment systems but often lack comprehensive cyber insurance.

A single attack can compromise sensitive data and undermine customer trust. Larger institutions face reputational risk, with financial firms particularly vulnerable as stolen personal data is weaponised in sophisticated social engineering attacks.

Defensive Strategies

Financial institutions are increasingly turning to machine learning and behavioural analytics to detect anomalies in real time.

Systems that monitor unusual transaction patterns or block suspicious outbound transfers are emerging as frontline defences.

Yet responsibility cannot lie with banks alone. Regulators, technology providers, and local authorities must collaborate to identify and remove malicious codes before they proliferate.

Public awareness is also critical.

Consumers should approach QR codes with the same scepticism applied to unsolicited links, checking for signs of tampering and verifying URLs before entering sensitive information.

Where possible, navigating manually to official websites or using secure, app-based payment tools such as Apple Pay or Google Pay offers an extra layer of protection.

Innovation, Not Abandonment

Despite the risks, QR codes are unlikely to disappear. Instead, the challenge lies in making them safer.

Time-sensitive or encrypted codes, device-linked authentication, and stronger two-factor verification can all reduce vulnerabilities.

As Frost argues, the solution is not to abandon QR technology but to reinforce its integrity and bolster user confidence.
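To make the idea of time-sensitive codes concrete, the sketch below is an added example (not from the article or any vendor) in which an issuer signs the QR URL with an issue time and a scanning app refuses anything that is off-domain, altered or stale. It assumes a dedicated scanning app; the domain, key and five-minute lifetime are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration; none of them come from the article.
# HMAC stands in for a public-key signature, which a real app would use so
# that no signing secret ships on users' devices.
SECRET = b"constructed-demo-key"
TRUSTED_HOST = "pay.example.org"  # hypothetical operator domain
MAX_AGE = 300  # seconds a printed or displayed code stays valid


def _mac(path: str, issued: int) -> str:
    msg = f"{TRUSTED_HOST}|{path}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_qr_url(path: str, now: int) -> str:
    """Build the URL to encode in the QR image: path, issue time and MAC."""
    query = urlencode({"t": now, "sig": _mac(path, now)})
    return f"https://{TRUSTED_HOST}{path}?{query}"


def check_qr_url(url: str, now: int) -> str:
    """Return 'ok', or the reason a scanned URL must not be opened."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not-https"
    # hostname excludes any user@ prefix, so trusted-name@other-host fails here
    if parts.hostname != TRUSTED_HOST or parts.username is not None:
        return "untrusted-host"
    qs = parse_qs(parts.query)
    try:
        issued = int(qs["t"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return "unsigned"
    if not hmac.compare_digest(sig.encode(), _mac(parts.path, issued).encode()):
        return "bad-signature"
    if not 0 <= now - issued <= MAX_AGE:  # also rejects future-dated codes
        return "expired"
    return "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    url = issue_qr_url("/meter/17", now)
    print(url)
    print(check_qr_url(url, now + 60), check_qr_url(url, now + 900))
```

A sticker pasted over the real code fails the host or signature check, and a photographed copy of a genuine code stops working once the lifetime lapses.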

Balance Ahead

Quishing encapsulates a wider dilemma in digital payments: how to reconcile convenience with security.

As QR codes continue to embed themselves in daily life, criminals will undoubtedly refine their tactics.

The task for regulators, financial institutions and businesses is to stay one step ahead—through innovation, vigilance and education.

The alternative is a steady erosion of trust in one of the most versatile tools of the digital economy.
