Scams using ‘fake’ QR codes hit the headlines this week after fraudsters put bogus QR codes on pay and display machines in Chesterfield that directed users to fake sites set up to take funds from bank accounts.
Similar QR car park scams have also been seen in areas including Barking, Northamptonshire and South Tyneside, with the RAC issuing a warning this summer to be cautious. But the scam codes also appear in other places including vending machines, car parks and restaurants.
RAC head of policy Simon Williams said: “A car park is one of the last places where you’d expect to be caught out by online fraud. Unfortunately, the increasing popularity and ease of using QR codes appears to have made drivers more vulnerable to malicious scammers.”
Known as ‘quishing’ (from QR code and phishing), the scams are lucrative. Last year, a study by cybersecurity platform Hoxhunt revealed that 22% of phishing attacks used QR codes, while security vendor Keepnet has suggested that there has since been a 270% rise in such attacks in 2024.
Who is targeted with QR code scams?
One of the more recent high-profile warnings about quishing came during the Euros football tournament in Germany, where experts warned fans were being targeted in pubs.
There have also been reports of scammers sticking fake QR codes to EV charging stations.
Businesses have also been targeted with QR codes emailed in PDF files in a bid to sidestep anti-virus software.
The scams work by directing victims to fake websites that either steal their money directly, install malicious software on a device or attempt to trick users, says Akhil Mittal, senior security consulting manager at security company Black Duck.
Mittal says: “These scams are spreading fast because QR codes blend so easily into everyday spaces. One common tactic is placing fake QR codes in busy spots like parking meters, vending machines and restaurant tables, hoping people will scan without a second thought.
“Scammers also send unsolicited emails or texts to trap people to fake websites that steal personal information or install malware. You’ll even see these scams in social media ads or ‘too good to be true’ online promotions designed to tempt people into scanning.”
How can you stay safe from QR code scams?
One of the more concerning aspects of QR code scams is that many people don’t realise they have fallen victim – with Helpnet suggesting just 36% of victims realise they have been targeted.
Mittal says: “To protect yourself, always think twice before scanning any QR code in public or from unknown sources. Be extra cautious with codes on machines like ATMs or parking meters, where tampering often goes unnoticed. At a restaurant or business, it’s smart to ask a staff member if the QR code is legitimate, as scammers sometimes cover real codes with fakes.”
Dodgy website links are a giveaway, Mittal says.
He says: “After scanning, check the website URL closely before clicking—scammers often use URLs with subtle misspellings or unusual endings to mimic real sites. If anything looks off, don’t proceed.”
If you’re asked for sensitive information like passwords or credit card numbers, it’s a scam, Mittal advises.
Several cybersecurity firms offer free QR scanner apps with scam warnings.
Mittal says: “When scanning a QR code in public, look for signs of tampering, such as smudges, misalignment, or stickers that seem out of place. Taking a few extra seconds to be cautious can help you enjoy the convenience of QR codes safely.”