UK sees surge in QR code ‘Quishing’ scams, Action Fraud reports


A stark warning has been issued regarding a dramatic increase in “quishing” scams, where fraudsters use malicious QR codes to deceive victims.

Experts reveal that organised crime gangs are increasingly behind these schemes, which have seen a staggering rise in reported incidents. Data from the national fraud reporting centre, Action Fraud, shows a surge from just 100 reports in 2019 to 1,386 in the past year.

These fraudulent QR codes are often deceptively placed over legitimate contactless payment points, such as parking meters and restaurant menus, tricking unsuspecting individuals into scanning them. Upon scanning, victims are directed to websites controlled by the scammers, where they are then manipulated into divulging sensitive data, including bank details.

Katherine Hart, lead officer at the Chartered Trading Standards Institute, told the BBC that losses are “huge,” with victims losing their life savings, funds that subsequently finance criminal activities. She emphasized that quishing is significantly under-reported, posing a substantial challenge for authorities worldwide.

Action Fraud statistics indicate a rapid escalation of this scam, with reported cases more than doubling in the UK between 2023 and 2024. Over the last five years, nearly 3,000 reports have been filed, with a fifth of these originating within the Metropolitan Police force area.

Victims like Milton Haworth, who scanned a fake QR code at a council-run car park and ended up with an unauthorised subscription, highlight the deceptive nature of these scams. Fraudsters often meticulously create fake QR code stickers that blend seamlessly with legitimate signage, making them difficult to distinguish.

Experts advise the public to exercise extreme caution when encountering QR codes, particularly when used for payments. Checking for signs of tampering on physical codes and being wary of QR codes received via unsolicited emails or suspicious online posts are crucial steps in avoiding these increasingly prevalent scams. Authorities, including the National Crime Agency and the National Cyber Security Centre, urge vigilance as organised criminals continue to exploit this method to defraud the public.

Says Nathaniel Jones, VP, Security & AI Strategy, Field CISO at Darktrace:

“Alongside bogus QR codes being positioned in public spaces to target citizens, employees are also being targeted on email with both ‘traditional’ QR codes and a newer variant – the ASCII code attack. ASCII QR code attacks involve threat actors switching a typical QR code for ‘ASCII’ characters in emails, using black spaces and hashtags arranged to look like a QR code. Recently, we detected a campaign of fake DocuSign emails using this method, which helped to bypass normal security software and would have stolen victims’ credentials, had it not been caught.

“The surge in ASCII QR code attacks, with our data revealing that attacks peaked in October with 6461 attacks, is just one example of how phishing techniques are becoming more sophisticated. AI is also playing a significant role in this evolution, underscoring the need for organisations to stay ahead of emerging threats by adopting proactive security measures and fostering a culture of cybersecurity awareness.”
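For mail-filtering teams, the text-drawn QR codes described in the quote above can be flagged without any image analysis. The following is an added example, not code from Darktrace or from this article: a heuristic that looks for a block of lines made only of "module" characters whose first row shows the two top finder patterns. The glyph sets, thresholds, function names and the sample email are assumptions, and the sample grid is a constructed pattern that does not decode to anything.

```python
DARK = set("#█▀▄▌▐■")   # assumed "dark module" glyphs: hash signs plus block elements
LIGHT = set(" \u00a0")   # spaces used as "light" modules
MIN_COLS = 21            # smallest QR symbol (version 1) is 21 x 21 modules
MIN_ROWS = 11            # 21 rows, or 11 when half-block glyphs pack two rows per line

def _is_module_row(line):
    """True if the line holds only dark/light glyphs and at least one dark one."""
    return any(c in DARK for c in line) and all(c in DARK or c in LIGHT for c in line)

def _dark_run(s):
    """Length of the run of dark glyphs at the start of s."""
    n = 0
    for c in s:
        if c not in DARK:
            break
        n += 1
    return n

def _has_finder_edges(row):
    """Top row of a QR symbol: >=7 dark at each end, with light modules in between."""
    s = row.strip(" \u00a0\t")
    lead, trail = _dark_run(s), _dark_run(s[::-1])
    return len(s) >= MIN_COLS and lead >= 7 and trail >= 7 and lead < len(s)

def find_text_qr_blocks(body):
    """Return 1-based (first_line, last_line) ranges of suspected text-drawn QR codes
    in a plain-text email body (HTML parts must be converted to text first)."""
    lines, hits, i = body.splitlines(), [], 0
    while i < len(lines):
        j = i
        while j < len(lines) and _is_module_row(lines[j]):
            j += 1
        if j - i >= MIN_ROWS and _has_finder_edges(lines[i]):
            hits.append((i + 1, j))
        i = max(j, i + 1)
    return hits

def constructed_email():
    """Constructed sample: a 21 x 21 QR-like grid (not decodable) inside a short lure."""
    f = ["#######", "#     #", "# ### #", "# ### #", "# ### #", "#     #", "#######"]
    rows = [f[r] + " # # # " + f[r] for r in range(7)]
    rows += [("# ## " * 5)[:21]] * 7
    rows += [f[r] + " ## # ## # ## #" for r in range(7)]
    return ("Your document is ready to sign.\nScan the code to review it:\n\n"
            + "\n".join(rows) + "\n\nRegards\n")

if __name__ == "__main__":
    print(find_text_qr_blocks(constructed_email()))
```

A hit is a reason to quarantine or route the message for review rather than proof of phishing, since ASCII banners and tables can also trip a character-ratio check.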
