At a glance:
In a QR code scam (sometimes called quishing), scammers try to trick you into scanning a QR code that may take you to a fake website.
The fake website might download malware to your device.
It may ask for sensitive information, like your bank details or your personal information, which can be used in identity fraud.
How does quishing work?
Quishing is a type of phishing attack. Phishing is where someone dishonest pretends to be someone trustworthy, so they can trick users into giving out personal information, like passwords or bank details.
For example, a phishing email may claim to be from a bank, asking for login details to see an urgent message.
Quishing scam example
QR codes are square barcodes which a phone or tablet camera can read.
When you scan them, they often open a webpage.
You’ll find QR codes everywhere, from parking machines and charging points to emails and restaurant menus.
Scammers want you to scan their code instead of the real one.
Their code links to a fake website designed to capture personal or banking details.
You may not know you’ve been scammed until later.
Fake QR code scams explained
Hannah Bingle, our Financial Crime Awareness Specialist, explains how QR code scams target busy people:
The simplicity of QR codes means that it can be hard to tell when the code is linked to a website that isn't the one you’re expecting. These links could be used by criminals to capture your details or download malicious software, like viruses, to your device.
Because they're such a useful tool and have so many practical applications, it's difficult to avoid QR codes entirely. When you're presented with a QR code, keep an eye out for signs it might have been tampered with and if you’re not sure where it will lead, find another way to access the information.
How to spot a QR code scam
If the QR code is sent by email, check the sender's email address. If the email claims to be from a company but comes from a personal email domain, it may be a scam.
Before you scan a physical QR code (for example, in a restaurant or on a parking meter), check whether it looks like it has been stuck over the original.
Check where the QR code is taking you. When you scan a QR code, your device should show you a preview of the webpage address. It should match the company’s website. If it doesn’t, it could be a scam.
If you aren’t sure, do not scan the QR code. Search for the website yourself or download the genuine app from the official Google or Apple store instead.
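The address check described above can also be automated, for example in a mail filter or a scanning app. The Python below is an added example, not code from this page or from YBS; the trusted domain example-bank.co.uk, the function name check_qr_url and the sample addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for illustration (assumption, not from the page).
TRUSTED_DOMAINS = {"example-bank.co.uk"}

def check_qr_url(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for an address decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    # "https://bank@evil.example" shows the bank's name but opens evil.example.
    if parts.username or parts.password:
        return False, "userinfo before host"
    # Lookalike letters from other alphabets, raw or punycode-encoded.
    if not host.isascii():
        return False, "non-ASCII host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label"
    # Exact match or a true subdomain; "bank.co.uk.evil.example" fails here.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, "host matches " + domain
    return False, "host not trusted"

# Constructed sample addresses, as a scanner preview might show them.
SAMPLES = [
    "https://secure.example-bank.co.uk/pay",
    "https://example-bank.co.uk.evil.example/login",
    "https://example-bank.co.uk@evil.example/",
    "http://example-bank.co.uk/",
    "https://ex\u0430mple-bank.co.uk/",  # Cyrillic "a" in place of Latin "a"
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_qr_url(url), url)
```

Only the first sample passes. The others show why the company name appearing somewhere in the preview is not enough: the part of the address that counts is the host immediately before the first single slash.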
How to report a fake QR code
If you think you might have scanned a fake QR code, here are some things you can do:
If you’ve just scanned the code, disconnect from the internet straight away. This might stop the data being sent.
If you entered any login information after scanning the QR code, access the genuine service and update your password.
If you are worried about malware, try downloading a trusted antivirus app onto your smartphone to check.
Check your bank accounts for any transactions you do not recognise.
Even if you do not spot anything straight away, it’s a good idea to contact your provider and stay alert to any unusual activity on your account.
Report the scam to the business whose QR code has been impersonated. They might not know about this.
If you’re worried about your YBS account, contact us as soon as you can.
The content on this page is for reference. It is not financial advice.
For help with money issues, try MoneyHelper.