What are ‘quishing’ scams? And how do I avoid them?
Last month, we revealed how so-called “quishing” scams have been sweeping the UK, with nearly a third of all local authorities and more than a dozen hospitals targeted.
But what exactly is quishing, and how does it work?
Originally developed in the 1990s, QR codes – short for quick response – have in recent years become ubiquitous in day-to-day life. They are all around us: on menus, adverts, concert tickets, WiFi logins and parking meters.
But as their use has surged, so has their exploitation by criminals. Data from the UK’s Action Fraud found that scam cases involving QR codes have risen 14-fold in the past five years.
It’s also given rise to a new term: “quishing”, a portmanteau of “QR” and “phishing”, to describe the way in which a seemingly harmless code is used to con people out of their money or private information.
We’ve all been on the receiving end of traditional phishing attempts, typically from an email or text asking you to click on a suspicious link. But these days, most of us are careful not to visit a link from a source we don’t know – which presents a problem for the scammers.
Quishing schemes try to get around this problem by leveraging the everyday trust and convenience associated with QR codes, particularly where they are used in public spaces like car parks.
An unsuspecting user might scan the code with their phone, expecting to pay for their parking space. They are then directed to a fraudulent website, built to resemble the real payment site, which prompts them to enter card details or download harmful software.
Sometimes, the victim will then be signed up to some form of bogus subscription, which takes small amounts of money from their bank account every few weeks. The scam often relies on victims failing to notice these payments or confusing them for something legitimate.
Sooner or later, the imitation site will be reported and shut down. But its role was merely to sign users up to the fake subscription, which remains active.
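The recurring small charges described above leave a recognisable footprint on a bank statement. The following is an added illustration, not part of the original article: a small Python check that groups debits by merchant and amount and flags those that repeat at a near-constant interval. The statement lines and the merchant name "PARKPAY-ONLINE LTD" are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample statement (date, merchant, amount in GBP) for illustration only.
# A one-off "parking" charge is followed by identical debits every two weeks.
SAMPLE_STATEMENT = """\
2024-01-03,TESCO STORES,42.10
2024-01-05,PARKPAY-ONLINE LTD,2.50
2024-01-09,TESCO STORES,15.30
2024-01-19,PARKPAY-ONLINE LTD,24.99
2024-02-02,PARKPAY-ONLINE LTD,24.99
2024-02-16,PARKPAY-ONLINE LTD,24.99
2024-02-20,TESCO STORES,38.75
2024-03-01,PARKPAY-ONLINE LTD,24.99
"""


def parse_statement(text):
    """Parse CSV-style statement lines into (date, merchant, amount) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, merchant, amount = line.split(",")
        rows.append((date.fromisoformat(d.strip()), merchant.strip(), float(amount)))
    return rows


def find_recurring_small_charges(rows, max_amount=30.0, min_count=3, tolerance_days=3):
    """Return merchants whose identical small debits recur at a near-constant interval.

    Thresholds are assumptions for the example: charges at or below max_amount,
    seen at least min_count times, with gaps between charges varying by no more
    than tolerance_days.
    """
    by_key = defaultdict(list)
    for d, merchant, amount in rows:
        by_key[(merchant, amount)].append(d)
    flagged = {}
    for (merchant, amount), dates in by_key.items():
        if amount > max_amount or len(dates) < min_count:
            continue
        dates.sort()
        gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
        if max(gaps) - min(gaps) <= tolerance_days:
            flagged[merchant] = {
                "amount": amount,
                "count": len(dates),
                "interval_days": round(sum(gaps) / len(gaps)),
            }
    return flagged


if __name__ == "__main__":
    for merchant, info in find_recurring_small_charges(parse_statement(SAMPLE_STATEMENT)).items():
        print(f"{merchant}: {info['count']} x {info['amount']:.2f} every ~{info['interval_days']} days")
```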
In our latest investigation, part of the Dirty Payments project led by European Investigative Collaborations (EIC), we found that a criminal network based in Dubai was responsible for creating thousands of these fake subscription websites, many of which targeted their victims via QR codes.
But this network is just one player in a fast-growing scene. And the rapid rise of quishing raises broader concerns about digital security: what can be done by payment companies, banks and tech firms to protect the public?
Action Fraud has issued guidance on how to avoid quishing scams. It recommends taking extra care when scanning codes in public spaces and looking out for QR codes that are on stickers or look like they have been tampered with.
If in doubt, the guidance says, don’t scan the code and instead use a search engine to find the website or app in question.
It also recommends using the phone’s pre-installed QR scanner rather than an app downloaded from an app store.
The QR code, once a symbol of convenience, is fast becoming a digital Pandora’s box, and few are prepared for what might lie inside.
Reporter: Simon Lock
Production editor: Alex Hess
Fact checker: Ero Partsakoulaki
Illustrations: Daniel Stolle
TBIJ has a number of funders, a full list of which can be found here. None of our funders have any influence over editorial decisions or output.