QR code phishing (also known as quishing) has surged in recent years. Fraudsters are turning convenience into chaos, and Jonathan Frost, Director of Global Advisory for EMEA at BioCatch, explores what banks, tech firms, and regulators must do to keep up.
Car parks have become a little less safe – thanks to scammers. Nearly a third of all UK councils have reported fake QR codes plastered on ticket machines or street signs. These schemes trick drivers into paying for bogus parking, sending money as far as Dubai, Cyprus and the Philippines.
Fraudsters continually devise new methods to scam people. After phishing moved from emails to text messages, QR code phishing, now called ‘quishing,’ has quickly become widespread.
According to Action Fraud, reports of quishing in the UK have increased 14-fold between 2019 and 2024, costing victims £3.5m. Reports have increased by an average of 45% further in the first quarter of 2025. Globally, nearly one in four phishing attacks use QR codes.
Quishing is growing because QR codes are everywhere, and it’s easy to hide where they lead. People use QR codes for everything from restaurant menus to parking meters, and criminals can easily exploit this. That’s why quishing is so effective.
The responsibility now falls on financial institutions, tech firms and regulators to shape a response and safeguard the use of QR codes.
A simple scam
Quishing takes advantage of the convenience of QR codes. As rules and security measures become stronger, traditional phishing becomes less successful, so criminals seek new ways to attack. People tend to trust QR codes, which makes them an easy target.
Quishing works because social engineering uses customers to bypass security measures that are designed to detect unauthorised use. Instead of breaking into systems, scammers trick customers into approving transactions on their own. As people use more digital services, attackers have even more chances to strike.

Fraudsters are capitalising by placing fake QR codes over legitimate ones in public places, such as parking meters and EV charging stations, or embedding malicious codes in letters disguised as those from HMRC or local councils and authorities.
This scam is simple and easy to repeat. Criminals can use a stack of QR code stickers to cover many parking stations. Most people don’t check the website that opens, so the scam often goes unnoticed until it’s too late.
The many faces of quishing
Once the victim scans the dodgy QR code, the scam can take numerous guises. In some cases, it is a simple phishing attack, with the QR code linking to a phishing site which tricks victims into entering sensitive details.
In others, the link triggers the device to download malware. A more direct use case sees fraudsters replacing a legitimate QR code used for payments with their own, diverting funds directly into their bank account. Other types attempt to redirect users to a different link, intercepting sensitive information intended for the original QR code’s purpose.
The global picture highlights the scale of this trend. In the US, for example, more than 26 million residents have fallen victim to quishing, while in Bangalore alone, more than 20,000 cases of fraud related to QR codes were reported in a six-year period. A similar scam, abusing the boleto bancário payment barcodes, has been rife in Brazil for over a decade.
A collaborative response
Financial institutions will be on the frontlines, helping their customers who have unwittingly exposed sensitive data or have authorised fraudulent payments.
Education by itself won’t stop these scams. To combat quishing and other emerging threats, banks need to develop innovative solutions. Today’s fraud and scam networks are connected in ways old security systems can’t handle. Attacks powered by AI are changing and spreading faster than traditional defences can keep up.
Banks should focus on security that examines how each customer behaves, such as how they type, swipe, or hold their device. Changes in these patterns can be a strong sign of risk and are one of the best ways to spot social engineering scams.
Adding smart security checks can catch suspicious transactions without blocking real ones, helping keep customers safe without causing frustration.
However, financial institutions cannot do this alone. Tackling quishing requires a ‘whole of ecosystem’ response with support from regulators, technology platforms, local authorities and businesses all playing their part.
We need to make QR codes safer. This includes building stronger digital protections, enhancing security in browsers and apps, and developing methods to verify the trustworthiness of QR codes.
Local authorities and businesses should adopt best practices, such as being cautious with QR codes and checking for signs of tampering, including stickers over the original code. Working together is key to protecting customers from this growing threat.
Fraud moves fast
QR codes are now an integral part of everyday life. Instead of getting rid of them, we should focus on making them safer. This could involve using codes generated by apps, enhancing security during scanning, and helping users stay informed.
But as defences against quishing get stronger, scammers will look for new tricks. The next wave of social engineering could be even more difficult to detect and more convincing. Recent reports suggest that criminals are already beginning to experiment with Near Field Communication (NFC) tags, which, like QR codes, are being attached to parking payment machines.
The growth of quishing shows how quickly criminals can take advantage of gaps in consumer awareness. Banks, regulators, and tech companies must act just as quickly to maintain people’s trust in digital services.
Jonathan Frost is Director of Global Advisory at BioCatch. Formerly with the City of London Police, he developed the UK’s National Fraud and Cybercrime Reporting system and contributed to the Contingent Reimbursement Scheme for APP fraud.
He has held senior roles at Stop Scams UK, collaborated with major tech firms to prevent fraud, and led data science projects for the UK government. Jonathan also serves on the board of the Stop Scams Alliance.