Criminals have been taking their scams to new level by targeting customers with fraudulent QR codes that could see them lose their life savings – or worse, purchase illegal drugs
You might want to think twice before you scan the menu at your next pasta date or cocktail night. QR code scams, also known as ‘quishing’, are on the rise and have seen victims lose their entire life savings. Worse still, they can be far more obscure to both identify and stop.
According to national fraud reporting centre, Action Fraud, there were 1,386 reports from people targeted by the scam in 2024, compared to just 100 in 2019. Experts have pointed to organised criminal gangs as the culprits and reveal that common targets for the scam include restaurant menus and parking metres, as these can be difficult to distinguish from the real thing.
READ MORE: Drug dealers stick QR codes on lampposts as slick tactic targeting kids with cannabis
Katherine Hart, lead officer at the Chartered Trading Standards Institute, told the BBC: “We’ve seen huge amounts lost this way. People have seen their life savings gone and that money is going to finance criminals.” She explained that the stickers were likely being pasted by those near the bottom of a criminal gang hierarchy who may not be fully aware of the implications of their actions.
The way the ‘quishing’ typically works is that the unsuspecting scanner will be directed to websites controlled by nefarious third parties. From there, they will be tricked into handing over their bank details or other personal information.
Often, the amounts asked to be sent over will be small, so as not to arouse suspicion. Milton Haworth revealed to the BBC that he fell victim to the scam when scanning a QR code at a parking metre. Initially, he said he was only asked to send over 90p to confirm his card details.
However, this quickly escalated, when he was duped into purchasing a £39 yearly subscription with no option for a refund. He complained that the authorities “weren’t taking this seriously enough”, given the relatively small amount of money involved.
Even more troubling, drug dealers have been accused of using the codes to target children. Locals in Watford recently discovered an assortment of cannabis stickers placed at eye level on telephone poles near a junior school, as reported by The Mirror.
Once scanned, the code would take them to a website registered in Belize, promising next-day delivery on cannabis products. Concerningly, some of these substances can even be discounted by as much as 33%.
QR codes have been around since the 90s and were originally used in automobile manufacturing as a way to label car parts. However, their public usage exploded on the back of Covid, making them a ubiquitous feature of everyday life. From plane tickets to digital birthday cards, QR codes are everywhere.
The problem with their proliferation is only heightened by the fact that quite literally anyone can make one. All you need to do is enter a link into a QR code generator, many of which can be found and used for free online. Then, voila, you have a shiny new code that is completely indistinguishable from one created by a reputable business.
How to avoid QR code scams
According to the UK’s National Cyber Security, the majority of QR code-related fraud tends to happen in open spaces, such as train stations or car parks. It often also involves a level of social engineering, such as criminals posing as staff members or calling victims once they have given their details. You can avoid QR code scams by checking for the following:
- The origin: Ensure the code is from a trusted source like official websites or verified marketing materials.
- Signs of tampering: Check the QR code to ensure it hasn’t been tampered with or covering the original code.
- The URL: Ensure the URL you’ve been taken to after scanning is verified, safe to use and matches the legitimate website.
The site also advises to watch out for the scam when using email. Most of us are able to spot a dodgy link or phishing attempt when they pop up in our inbox, but QR codes can be far more difficult to detect since you can’t actually read the link.