QR codes are now part of everyday life. Whether you’re paying for parking, viewing a restaurant menu, or tracking a parcel, they offer quick and convenient access to digital services. But behind that convenience lies a growing cyber threat that’s catching out thousands of people every year.
In 2025, so-called quishing scams have surged, with cyber criminals increasingly using fake QR codes to steal personal and financial information.
What is quishing?
Quishing is a type of phishing attack that uses QR codes to trick people into visiting malicious websites. Once scanned, these fake codes can lead users to fraudulent pages where they’re asked to enter sensitive details such as bank information or passwords, or even to download rogue apps.
Victims often think they’re doing something simple, like paying for parking or viewing a menu. But instead, they might be giving criminals access to their data or even their bank accounts.
The sharp rise in QR code scams
The UK’s national fraud reporting service, Action Fraud, received nearly 1,400 reports of quishing in 2024 alone. That’s a massive jump from just 100 in 2019. And experts warn the real number is likely much higher due to under-reporting.
Organised crime groups are heavily involved in these scams. Criminals are targeting high-traffic areas like car parks, restaurants and public spaces by sticking fake QR codes over legitimate signage. These codes are often designed to look identical to the original, making them difficult to detect.
One example comes from Castleford, West Yorkshire, where a man scanned a QR code at a local council-run car park. It redirected him to download an unauthorised app, and while it seemed like he was paying 90p for parking, he was actually subscribing to a £39 yearly service with no refund options.
These scams are often dismissed by authorities due to the relatively small sums involved, but when scaled across thousands of victims, the financial impact is significant. Worse still, many of these attacks are just the first step in a larger fraud attempt.
Why businesses should be paying attention
While consumers are the direct victims in most of these cases, businesses can easily become part of the problem if they use QR codes in customer-facing environments without the right checks in place.
The risks include data theft, loss of customer trust, payment fraud, reputational damage and even compliance breaches. For mid-sized businesses that depend on digital tools and mobile workforces, quishing presents a serious and often overlooked risk.
Spotting the red flags
Quishing attacks are designed to blend in, but there are signs to watch for:
- QR code stickers that look out of place or poorly attached
- URLs that seem strange or contain misspellings after scanning
- Requests to download apps outside of trusted app stores
- Unusual requests for payment or verification details
What you can do to protect your business
There are practical steps you can take to defend against these attacks:
- Train your staff to recognise QR scams and suspicious behaviour
- Regularly inspect signage and printed materials for signs of tampering
- Avoid linking to third-party QR tools without proper vetting
- Use mobile device management (MDM) to control what staff can install
- Implement web filtering tools to block malicious sites
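One way to automate the signage inspection and the URL red flags listed above, as an added example that is not Neuways' own tooling: it takes URLs already decoded from QR codes on your signage and checks each against the hosts your business expects. The host names, the trusted-store list and the 0.85 similarity threshold are assumptions made for illustration.

```python
"""Audit decoded QR payloads against the hosts a business expects (added example)."""
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: hosts the business actually prints on its signage (constructed names).
EXPECTED_HOSTS = {"pay.example-parking.co.uk", "menu.example-cafe.co.uk"}
# Assumption: official app-store hosts the business treats as trusted.
TRUSTED_STORES = {"apps.apple.com", "play.google.com"}
APP_SUFFIXES = (".apk", ".ipa", ".mobileconfig")


def audit_qr_url(url: str) -> list[str]:
    """Return the red flags found in one decoded QR payload (empty list = clean)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web URL"]
    flags = []
    if parts.scheme != "https":
        flags.append("not HTTPS")
    if parts.username or parts.password:
        flags.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode hostname (possible homoglyph)")
    if parts.path.lower().endswith(APP_SUFFIXES) and host not in TRUSTED_STORES:
        flags.append("app download outside trusted app stores")
    if host not in EXPECTED_HOSTS and host not in TRUSTED_STORES:
        # Closest expected host by similarity; a near miss suggests a misspelt lookalike.
        best = max(EXPECTED_HOSTS, key=lambda h: SequenceMatcher(None, host, h).ratio())
        if SequenceMatcher(None, host, best).ratio() >= 0.85:
            flags.append(f"lookalike of {best}")
        else:
            flags.append("host not on the expected list")
    return flags


if __name__ == "__main__":
    # Constructed sample payloads, as decoded from photos of signage.
    for scanned in ("https://pay.example-parking.co.uk/zone/12",
                    "https://pay.examp1e-parking.co.uk/zone/12",
                    "http://203.0.113.7/parking.apk"):
        print(scanned, "->", audit_qr_url(scanned) or "ok")
```

Feed it the output of whatever QR decoder you use during routine signage checks; any non-empty result means the sticker should be inspected in person.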
How Neuways can help
At Neuways, we work closely with businesses to strengthen their cyber defences against both well-known and emerging threats like quishing.
Whether you use QR codes internally or in public spaces, we can help assess your current risk, implement safe usage policies, and train your teams to stay alert. Our security solutions include endpoint protection, threat detection, and regular audits to make sure nothing slips through the cracks.
If you’re concerned about how new threats like this could impact your business, our experts are here to help. We offer tailored cyber security support for medium-sized organisations looking to stay secure in a changing digital landscape.
Get in touch today to find out how Neuways can help protect your business from modern cyber threats.