
QR jacks and quishing: How to protect yourself from the growing QR code scam threat

Estimated reading time: 5 minutes

Last updated December 2024

People love QR codes. The little chequered boxes make it easy to access websites or even make a payment. But now scammers are exploiting this trust. They’re using fake codes to phish for sensitive information. Let’s explore the world of ‘quishing’…

When a Singaporean woman saw a QR code in a shop promising free ice cream in exchange for completing a survey, she quickly scanned it. Who can blame her? Everyone loves ice cream – especially when it is free.

Regrettably, she never received her complimentary tub of chocolate chip. Instead, her free gift was an unwanted $7.99 subscription to a mobile service.

The customer was far from alone. QR code fraud – commonly known as QR jacking or quishing – is spreading across the world. Indeed, one estimate suggests it now accounts for 20 percent of all online scams.


The new generation of QR code scams

Although it's a relatively recent fraud, the underlying scam is nothing new: the QR code usually directs victims to a fake website, which asks them for personal details. Today, criminals use bogus QR codes to trick customers in a wide variety of scenarios. In the 'real' world, they place them in restaurants, shops, gas stations and parking bays. Online they post them on websites or bury them in PDFs and Word documents. 

Plainly, QR codes are easy for criminals to deploy and (compared to other scams) hard for victims to identify. So how serious is the threat now? What new scams are emerging? And what can people do to protect themselves from this insidious new threat? Let's take a closer look at the world of quishing.

A very brief history of QR codes

The square QR code was invented in 1994 by Japanese firm DENSO Wave to solve a specific problem. The company's factory workers were using regular 'linear' barcodes to scan and identify products. But these analogue barcodes could store only a limited amount of information. Because of this, one item might require multiple barcodes – and a worker would have to perform a number of scans to identify a single product. This made the process slow and prone to errors.

DENSO's invention was a big improvement. Because it encodes data in both the horizontal and the vertical direction, a single QR (Quick Response) code holds 250 times more data than a linear barcode. It can store website URLs, shipping information, part numbers, and other complex information. Even better, a QR code is small, so it reduces the space required on the packaging.

The rise of QR codes

Despite the obvious advantages of the QR code, it took a long time for consumers to embrace them. Two events changed this. The first came in 2017, when Apple and Google made QR code scanning a native feature of the cameras in their smartphones (no need for a dedicated app). Then, in 2020, came the COVID pandemic. In response to social distancing rules, retailers and restaurants hurried to replace in-person tills with on-table QR codes.

As a result, QR code usage enjoyed a huge spike. And it kept growing even after the pandemic ended. One estimate said the number of QR codes in circulation grew 238 percent between 2021 and 2023. According to Grand View Research, the global QR code payment market size could be worth $33.13 billion by 2030.

Why criminals have adopted QR codes for new scams

In 2023 alone, global phishing and scam activity increased by 27.8 percent. Security specialists believe that quishing is responsible for a growing proportion of these attacks. In the UK, for example, a 2024 survey by security software company McAfee found that more than a fifth of all online scams probably originated from QR codes.

So why are criminals so keen on them? There are a few reasons. First, there's consumer adoption. Criminals go where the people are, and post-COVID, QR codes are everywhere. People trust them, and are happy to scan them. 

But this is about more than availability. Thanks to safety campaigns, consumers are more savvy about phishing. They look out for grammatical errors in emails and dubious-looking URLs. QR codes neutralise some of these defences. For example, they hide the actual URL inside the code, so users can’t preview the URL before scanning it. Also, because attached PDF files are not regarded as being as dangerous as .EXE or .LNK files, they rarely raise any suspicion with victims.

QR codes can also bypass technical defences: a QR code buried in a PDF can evade email cybersecurity detection, for example. 

How do quishing attacks work?

As we suggested earlier, QR code attacks are little different from any other phishing scam. Users receive emails or texts that appear to be from legitimate businesses (in 2023, 82 percent appeared to come from Microsoft or Docusign). These bogus messages ask users to enter login details – and they usually deploy social engineering techniques to panic the victim into complying. The pretexts might include:

• Losing email access
• Suspension of an account
• Losing money
• A limited-time offer
• Legal action.

The alternative to an email attack is the bogus QR code placed in a physical location. Examples include fuel station pumps, restaurant tables, posters, packages, parking meters and more.  

When the victim scans a scam QR code, it routes them to a website that imitates the expected product or service. There, it will: 

• Steal personal credentials
• Infect the device with malware
• Obtain banking details or other logins
• Request a payment
• Set up a subscription.

What are the defences against QR code attacks?

As we explained, quishing can be harder to detect than other scamming methods. But that doesn’t mean there are no counter-measures. 

First of all, organizations should ensure they have general security procedures in place. This might include mandating multi-factor authentication to make it more difficult for bad actors to steal sensitive credentials. Businesses should keep software up-to-date and configured correctly. They should also encrypt data in storage, at rest, and in use to protect it against theft or misuse by hackers.

Having installed a strong security foundation, businesses can then investigate more targeted QR code protections. One is email security. Specialist firms have developed security tools that analyse the sender, the sender’s patterns and the relationship between sender and recipient based on past communication. They use these clues to identify suspicious senders. They then use optical character recognition (OCR) to find malicious URLs hidden within the QR code itself.

Companies that create and distribute their own QR codes can also play their part. Many of them use trusted and secure QR code generators to minimise the risk of hackers manipulating their codes. Meanwhile, any firm that places codes in physical locations should check them regularly to ensure scammers haven’t replaced them with malicious copies.
However, as with most forms of social engineering-based attacks, user education is critical too. Businesses should warn staff and customers to verify the source of any email containing a QR code. QR scanner apps can help here. They allow users to preview a link before it opens.

If a user does decide to open a URL, he or she should ensure the website begins with “https://” since scammers often use unsecured websites to steal information.

We can summarise these defences as follows:

1. Investigate tools that screen emails and QR codes themselves
2. Always verify the source before scanning (online or in physical locations)
3. Use QR code scanners that offer security features
4. Check the URL of any website triggered by a QR code
5. Keep devices and apps updated.
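As an added example (not code from the original article or from any scanner product), this is the kind of check a scanner's link-preview step can apply to the string decoded from a QR code before anything is opened. It implements the advice above (https only, compare the destination with the site you expected) and goes a little further by flagging link shorteners, bare IP hosts, an '@' in front of the real host and punycode hosts. The function name, the shortener list and every payload are assumptions constructed for the example.

```python
from typing import List, Optional
from urllib.parse import urlsplit
import ipaddress

# Constructed, illustrative list of link shorteners that hide the final destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def vet_qr_payload(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Vet a string already decoded from a QR code, before it is opened.

    Returns a list of warnings; an empty list means no check fired.
    expected_domain is the site the code claims to lead to (for example the
    restaurant's own domain); None skips that comparison.
    """
    warnings: List[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Plain text, Wi-Fi credentials, vCards etc. are not web links: nothing to open
        return [f"not a web URL (scheme '{scheme or 'none'}')"]
    if scheme != "https":
        warnings.append("not https: the site is unencrypted")
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://trusted.example@203.0.113.9/ : the browser goes to the host after '@'
        warnings.append(f"credentials before '@': real host is '{host}'")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a named site")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host: check for lookalike characters")
    if host in SHORTENERS:
        warnings.append("link shortener: final destination is hidden")
    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host '{host}' is not the expected '{exp}'")
    return warnings


if __name__ == "__main__":
    # Constructed payloads, as a scanner app might decode them from printed codes
    for sample in ("https://menu.example-cafe.test/table/4",
                   "http://example-cafe.test/menu",
                   "https://example-cafe.test@203.0.113.9/login",
                   "Thanks for visiting!"):
        print(sample, "->", vet_qr_payload(sample, "example-cafe.test") or "ok")
```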

As we move into 2025, it’s highly likely that quishing scams will continue to grow – and that criminals will devise new methods for tricking their victims.  

However, awareness will go a long way to countering these threats. By understanding the risks and following best practices, people and businesses can avoid most QR code scams. Even if it means paying for your own ice cream.