QR codes have been around since the 90s, although in the UK they really came to prominence during COVID lockdowns where they were used for everything from ordering food to indicating vaccination status.
They work when the user scans them via a digital device, usually a smartphone. They are widely used for quickly directing users to websites, logging into devices, or ordering or paying for goods and services.
Cyber criminals are increasingly using QR technology to scam victims, by creating their own malicious QR codes designed to trick people into handing over banking or personal information.
Analysis of Action Fraud reports reveals that the majority of QR code related fraud tends to happen in open spaces, such as car parks or parking meters. A common scam involves malicious QR code stickers being placed on top of a legitimate one at car parks. The QR codes link to genuine-looking payment sites that steal personal and financial information. We are also seeing an increase in the number of phishing emails using QR codes.
Between October 2023 to June 2024, Action Fraud received 199 reports relating to a fraudulent activity involving a QR code.
Advice on how to use QR codes safely
When scanning a QR code, use the QR-scanner that comes with your phone, rather than using an app downloaded from an app store.
The QR codes used in pubs or restaurants are probably safe for you to scan, but always double check with staff to make sure.
Scanning QR codes in open spaces (like stations and car parks) might be riskier. Check for tampered QR codes (stickers), if in doubt do not scan them, use a search engine to find the official website or app for the organisation you need to make a payment to.
If you receive an email with a QR code in it, and you’re asked to scan it, you should exercise caution as we are seeing an increase in these types of ‘quishing’ attacks.
For further guidance on protecting you and your business from hackers, contact [email protected]. You can also stay up to date with the ever-changing digital landscape and security threats, by signing up for our free core membership.
The NEBRC is a Police led non-profit organisation that seeks to educate, inform, and support businesses across the UK on how to protect their business online through good cyber security practices.
If you live in England, Wales and Northern Ireland and have been a victim of fraud or cybercrime, report it at www.actionfraud.police.uk or by calling 0300 123 2040. In Scotland, victims of fraud and cybercrime should report to Police Scotland on 101.