The digital arena is constantly evolving, and with it, the methods used by cybercriminals to exploit unsuspecting victims. One of the latest tactics gaining traction is “quishing”, that is, phishing attacks carried out via QR codes. While QR codes have become a popular tool for convenience, offering quick access to websites and payment systems, they have also become a significant target for cybercriminals.
The surge in quishing attacks
In recent months, the UK has witnessed a concerning rise in quishing activity. Reports from UK Action Fraud have revealed a significant uptick in quishing-related incidents. In 2024, the UK saw an average of 115 quishing reports per month. However, for the first three months of 2025, that figure surged to 167 per month. This represents a nearly 50% increase, underscoring the growing threat that quishing poses to both individuals and financial institutions alike.
Why is this happening? QR codes, while convenient, are easy to manipulate. Cybercriminals can place fake QR codes in public spaces, such as on posters, receipts, or even menus. When scanned, these codes can lead to malicious websites designed to steal personal information or commit fraud. As more businesses, especially in retail and financial sectors, adopt QR codes for payments and marketing, criminals are quick to adapt, finding new ways to exploit this growing trend.
What financial institutions can do to protect themselves and their customers
Financial institutions play a vital role in safeguarding both their systems and their clients against quishing attacks. With the growing adoption of QR codes in payment systems, these institutions must implement strong compliance protocols and proactive security measures to prevent fraud and protect sensitive data.
- Enforce robust authentication protocols
To ensure secure QR code payments, financial institutions should enforce multi-factor authentication (MFA). This adds an extra layer of security to prevent unauthorised access to accounts, aligning with regulatory standards for fraud prevention and data protection. - Educate customers on QR Code security
As part of their compliance obligations, financial institutions should actively educate their customers about the risks of quishing. Providing clear, accessible training on how to identify fraudulent QR codes through emails, social media, and mobile apps will help reduce the likelihood of consumers falling victim to scams. - Monitor transactions for fraudulent activity
Financial institutions should establish continuous monitoring mechanisms for transactions initiated via QR codes. Implementing AI-driven fraud detection tools can identify unusual or suspicious patterns and allow for immediate intervention, in line with best practices for anti-fraud measures. - Encourage secure payment methods
To ensure compliance with industry standards and mitigate quishing risks, financial institutions should promote the use of encrypted payment platforms. Encouraging customers to scan only legitimate, secure QR codes can help reduce the risk of fraud and protect both parties from exposure to malicious websites.
How consumers can protect themselves
While financial institutions have a crucial role in defending against quishing, consumers must also take personal responsibility for their own security. Here’s how individuals can stay safe when using QR codes for payments:
- Verify the destination after scanning
While you can’t always see the URL before scanning a QR code, it’s crucial to be cautious once the code is scanned. After scanning, check the URL that appears on your device to ensure it matches the legitimate business or service you’re expecting to interact with. If the URL seems unusual, contains extra characters, or is from an unexpected domain, it could be a sign of a fraudulent site.
- Use Your Phone’s Built-in QR Scanner
Most smartphones now come with built-in QR code scanners in their camera apps, which are typically more secure than third-party apps. Avoid downloading third-party scanning apps, as they may have security vulnerabilities that could expose you to threats. Always use your phone’s native camera app or trusted apps from reputable sources to scan QR codes.
- Be cautious with QR codes in public spaces
QR codes are everywhere these days—from restaurant menus to billboards and train stations. While it’s not always possible to avoid scanning them, consumers should exercise caution and assess the source before doing so. Only scan QR codes from trusted and verified sources, such as those from official company websites or reputable establishments. If you’re ever in doubt, visit the business’s official website or contact them directly to confirm the legitimacy of the QR code.
- Check for Encryption Indicators
Always ensure the site or app being accessed is using HTTPS encryption. This can be easily verified by looking for a padlock symbol in the browser’s address bar, which confirms that the connection is secure.
Is there a more secure payment method than QR codes?
While QR codes are undeniably convenient, they do come with security risks. For financial institutions and businesses that rely heavily on QR codes for payments, it’s crucial to consider alternatives that offer enhanced security features. Technologies such as Near-Field Communication (NFC) and biometric payments are emerging as viable options for businesses looking to enhance payment security.
NFC, for example, uses encrypted communication between devices, making it harder to intercept than QR codes. Similarly, biometric payment systems—using fingerprints, facial recognition, or voice authentication—add an extra layer of security that makes these methods less susceptible to fraud.
While QR codes aren’t going anywhere just yet, businesses and financial institutions should assess their payment methods and explore additional options that might better balance convenience and security.
Will QR codes be replaced?
Despite the rise in quishing, it’s unlikely that QR codes will be completely replaced in the near future. Their ease of use and quick adoption by businesses make them a staple in the payments and marketing sectors. However, as security concerns grow, we may see a shift towards more secure payment technologies like NFC and biometrics. QR codes will likely continue to evolve, with businesses and financial institutions implementing stronger security measures to counter the risks associated with quishing.
Learn more about phishing and quishing
With the rise in phishing attacks—whether via email or QR code—it’s more important than ever to equip your employees and customers with the tools to identify and avoid these scams. VinciWorks’ interactive phishing challenge challenges learners to spot red flags in real-world scenarios across email, text messages, and QR codes. From urgent subject lines to deceptive links and fake offers, users must identify suspicious elements and learn how to respond safely.
Also check out our information security courses which train employees on how to protect sensitive information.
