QR code 'quishing' scams up 14-fold in five years

Joanna Morris
BBC Shared Data Unit
[Image: A parking meter with accompanying signage featuring a prominent QR code. The background, of a car park, is blurred. Credit: BBC]
Councils across the country have issued warnings about fake QR codes in car parks

Organised crime gangs are behind a sharp rise in scams linked to fraudulent QR codes, experts say.

The national fraud reporting centre Action Fraud received 1,386 reports of people being targeted last year, compared with 100 in 2019.

Contactless payment hotspots - like parking meters and restaurant menus - are common targets of criminals who stick their own QR codes on signage.

Katherine Hart, lead officer at the Chartered Trading Standards Institute, said: "We've seen huge amounts lost this way. People have seen their life savings gone and that money is going to finance criminals."

She said quishing was significantly under-reported and presented a "huge challenge" to authorities globally.

'Hierarchy of criminals'

Fraudulent and misleading codes have also been spotted on parcels, in emails and on television.

People who scan them using mobile phones and other electronic devices are directed to websites controlled by the scammers and tricked into handing over data such as bank details.

Ms Hart said some of those placing the codes were likely to be at the bottom of a hierarchy of organised criminals and may not be aware of the implications of their actions.

Action Fraud statistics obtained by the BBC's Shared Data Unit suggest a rapid growth in this kind of scam, with recorded incidents more than doubling in the UK between 2023 and 2024.

Over the past five years, Action Fraud received almost 3,000 reports in total, with a fifth of those linked to the Metropolitan Police force area.

[Image: Head and shoulders photograph of Milton Haworth, a man with short grey hair, brown eyes and black rimmed glasses, sitting in a living room, with furniture and a TV visible behind him. He is wearing a blue shirt open at the collar and a black body warmer. Credit: Milton Haworth]
Milton Haworth has refused to use another QR code since falling victim to scammers

Milton Haworth used his mobile phone to scan a QR code at a council-run car park in Castleford, West Yorkshire.

It directed him to download an unauthorised app, from which he agreed a 90p fee to verify bank details.

But instead of paying to park, he found himself signed up to a subscription service with a £39 yearly fee and no refunds offered.

"I'd assumed I'd paid for my parking but realised it was a scam when I noticed the next day that £39 had gone out of my account," he said.

"The sign said to use the code to park and I hadn't ever heard of QR codes being used as a scam."

Mr Haworth blames the spike in cases on authorities "not taking this seriously enough".

He said: "Nobody seems to care, there doesn't seem to be anyone trying to find these people.

"It's incumbent on the authorities to go after them but I don't think they do because it's small amounts taken, not multimillions.

"But if it's £39 a month, what if there's a million people being duped?"

'Stay vigilant'

Ms Hart said victims often lost small amounts initially as those responsible gathered the data they needed to launch a "secondary scam".

"You might lose £2.99 and a lot of people won't report that and don't realise they've passed on their information to a criminal organisation," Ms Hart said.

"Days or weeks later, they get a call telling them they've been the victim of a fraud and they can pinpoint a day, because they already have all of the information you shared with them earlier.

"They convince you using very coercive tactics that they're from your bank, police or Trading Standards and they want to take everything you've got."

Experts including the National Crime Agency and the National Cyber Security Centre say it is vital that people "stay vigilant to cyber criminals".

[Image: A close-up of a woman's hand holding a QR code sticker as she walks down a paved path. Credit: Kirsty Blackman]
Kirsty Blackman said the financial loss of QR scams could be compounded because of genuine parking charges going unpaid

Kirsty Blackman, Scottish National Party MP for Aberdeen North, spoke to the BBC after removing fake QR codes from parking machines in the city.

She said tackling the problem was "genuinely difficult", adding: "Organised criminals are there to make money in whatever way they can and I think they'll scam people whatever we do. It's about trying to whack the moles as they pop up."

She said the more victims filed reports with Action Fraud, the better police could take action.

"QR codes can be really useful," she said. "My kids' school sends them out regularly to share information, for example. That's why it's difficult for people to tell the difference between a legitimate code and a fake one.

"When you're scanning a code to pay for something, that's when you really need to stop and think."

Joe Hall's girlfriend inadvertently scanned a fraudulent QR code when trying to pay for parking in Luton before Christmas.

The couple now refuse to use QR codes after £400 was taken from her bank account the next day.

Mr Hall said: "I drove back to the car park and found the code she scanned was a sticker. They print them so everything's the same font and colours as the signage and it blends in.

"If you know what you're looking for, you might spot it but a lot of the time, you might not even think about it.

"It's so easy for them to make money out of it - there were four others behind my girlfriend doing the same thing as she did.

"She got her money back but that's not always the case. They could easily just empty your bank account."

'Rigorous checks'

National Car Parks, which runs 800 car parking sites across the UK, is considering removing QR codes from its signage.

It said a "rigorous process" had already been introduced to prevent its QR codes being compromised, with signs inspected and codes checked every day.

A spokesman said two of its car parks had been targeted by scammers and the business was "reviewing options" to reduce the impact of fraudulent QR codes.

He said: "This could include removing a QR code from our signage that directs customers to a payment page, and instead emphasising the use of our website.

"We understand the value of QR codes and will still look to use them where we can safely."

Det Supt Gary Miles, head of the National Fraud Intelligence Bureau, encouraged users to "stay alert" to signs of fraudulent codes.

"You should stop and check before scanning one," he said. "If you're in person, check for signs it has been tampered with, or online, look out for phishing emails or rogue social media posts with QR codes.

"We know that QR codes can be used in all aspects of life, online and in-person, however this doesn't stop fraudsters finding new ways to target members of the public."

More about this story

The Shared Data Unit makes data journalism available to news organisations across the media industry, as part of a partnership between the BBC and the News Media Association.
