QR code scams cost Brits thousands – how to stay safe

QR codes make it easy to order your favourite drink at your local pub, pay for parking, or even just get more information. They’re quick, easy and convenient. For many, they’re just another part of modern life.

Their growing popularity, however, has made them a prime target for a new type of scam – quishing.

Quishing, short for QR code phishing, is when scammers use fake QR codes to trick you into visiting dodgy websites or downloading harmful software. This new scam is costing people in the UK more than £10,000 per day.

So, what is quishing and how do you stay safe?

What is quishing?

Quishing looks a lot like regular phishing where you click a suspicious link. But, instead, you scan a QR code that looks legit. These codes are sometimes stuck on top of real ones in public places, printed on fake tickets, or sent in emails pretending to be from trusted companies.

Once you scan the code, it might:

• take you to a fake website that steals your login or bank details (if you don’t realise it’s fake before you submit your details)
• trigger a download of malware or ransomware
• sign you up for unwanted subscriptions that drain your account

Why is it so hard to spot?

QR codes are tricky because you can’t see where they lead just by looking at them. And unlike links in emails, many security filters don’t catch dodgy QR codes, especially when they’re printed or embedded in images.

That’s a big reason why quishing is on the rise. Between April 2024 and April 2025, Action Fraud received 784 reports of quishing scams. Victims lost nearly £3.5 million, equating to £10,000 every single day.

Car parks are a major target. Scammers stick fake QR codes on payment machines to steal drivers’ bank details and sign them up to fake subscriptions.

However, hospitals, train stations and council building are also being targeted.

How to stay safe from quishing

Quishing can be hard to avoid, but there are some precautions you can take to stay safe. Here are some tips:

Think before you scan

Here are a few things to consider before you can a QR code:

• only scan QR codes from trusted sources, like official signs, menus, or apps
• avoid scanning codes on random posters, stickers, or leaflets in public spaces
• watch out for tampered codes, like stickers placed over another QR code

Be cautious with emails

If you get a QR code in an email, double-check it’s real, especially if it’s asking you to log in or make a payment.

Contact the sender through another method if you’re unsure.

Use your phone’s built-in scanner

Stick to your phone’s camera app. Avoid downloading third-party QR scanners, which can be less secure.

Check the link before clicking

Most phones show the website address before opening it. If it looks odd or unfamiliar, don’t click.

Install mobile security

A good antivirus app can help block dodgy websites and warn you if something’s not right.

How to report a QR code scam

If you’ve been scammed, don’t feel embarrassed. Lots of people are caught out and these scams are designed to be convincing.

Here’s what to do:

• report it to Action Fraud: Visit actionfraud.police.uk or call 0300 123 2040
• forward suspicious emails to: report@phishing.gov.uk
• in Scotland, contact Police Scotland on 101

QR codes are so convenient when you’re out and about. But they’re not foolproof. So, if something feels off, trust your gut and don’t scan it. A few seconds of caution could save you hundreds of pounds.