Experts are warning the public to be on the alert for 'quishing' scams, the latest trick by fraudsters looking to steal money and personal information.
QR codes are seen everywhere in daily life nowadays, and can be used to order anything from a meal in a restaurant to paying for parking, hiring a bike or getting more information about a TV programme or upcoming film.
When the black and white code is scanned on a mobile phone using the camera function, a website link pops up which will take customers through to a particular website, allowing you to place an order or get more information about a particular product.
However, fraudsters are reportedly trying to take advantage of customers ordering through digital menus, by placing fake QR codes over the genuine article. This form of phishing, often referred to as ‘quishing’, results in the customer being directed to a phony website, where they enter their personal information for the scammer to see.
As schools break up for the holidays, it is a peak time for the hospitality industry, with pubs, restaurants, hotels and leisure attractions all hoping to welcome paying customers for the summer. Events such as the Olympics and music festivals are also an opportunity for people to relax, but, says Marc Porcar, chief executive of QR Code Generator, this means scammers are quick to see an opportunity.
"Unfortunately, scammers see these events as an opportunity to take advantage of people, especially those who have been drinking and may be less vigilant than usual," he warns. "It’s important that people continue to exercise caution when scanning QR codes, to prevent falling victim to this type of phishing scam."
How quishing works
Credit reference agency Experian says that 'quishing' can allow scammers to access personal data, download malware onto your phone, or even reroute a payment intended for a legitimate recipient. Fake QR codes, says Experian, could:
- send unsuspecting victims to a phishing website where they might give personal or financial information which could be used to steal the victim's identity.
- infect smartphones with malware which could swipe sensitive data, steal files or lock devices until a ransom is paid.
- access payment platforms, send emails or follow certain social media accounts.
To prevent falling victim to this type of scam, QR Code Generator's chief executive Marc Porcar has shared his tips for spotting rogue QR codes and what to do if you suspect one isn’t legitimate.
"QR code scams can mimic legitimate websites, depending on how skilled the scammer is, and convince customers to input sensitive information," Marc explains. "This could include credit/debit card details, other banking information, and passwords. These scams are used for financial gain and to steal one's identity.
"Customers could lose a considerable amount of money by handing over bank details to websites they believe are real. From there, scammers can take money from the account and/or rack up charges on the victim's card until the bank is alerted."
Matt Cooke, Cybersecurity Strategist EMEA at Proofpoint, says: "It's crucial to approach even seemingly harmless QR codes found at sales counters, and more recently, car parks, with caution to avoid falling victim to scams. If the QR code is in a public place, there’s a chance someone has changed it to point to their website or app instead of the intended original place. Scammers will do this to get you to send money to them, install their apps so they can access your phone or get your personal details so they can control your accounts and use your identity.
"If you are in an unknown car park and don’t know what payment app they use, maybe use the payment machine instead. If you’ve never interacted with the business or person asking you to scan their QR code, consider if you really need to do this and use another method such as going directly to their official website if you have any concerns."
How to protect yourself against 'quishing'
Inspect QR code stickers
Check the QR code for signs that a fake has been placed over a pre-existing one. Look for peeling edges, bumps in the sticker and anything else that looks suspicious. If the corners of the sticker are peeling and it seems there's another code, this is a surefire red flag. If you suspect that your table’s QR code isn’t legitimate, always ask a staff member from the establishment before ordering and alert them that fake QR codes might have been placed over the legitimate ones.
Check the URL
When you scan a QR code, your phone allows you to preview the website’s link before you click to visit the site. Check the website URL and whether it matches up with the establishment’s actual website. Some scammers will set up a copycat website using a domain name that looks similar but is slightly different to the real thing. For example, the imposter URL could end with .net when the genuine website ends with .co.uk.
Make sure that the website you are visiting on your mobile browser has a padlock symbol next to it, and that the URL begins with ‘https://’ rather than just ‘http://’. This shows that the connection to the website is encrypted using a Secure Sockets Layer (SSL) certificate. Be warned though: some phishing websites now also use SSL protection in an attempt to trick visitors, so it's not a cast-iron guarantee.
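The URL checks in this section, written out as an added example that is not part of the original article. It also flags a few related URL tricks beyond the .net/.co.uk case; the domain examplepub.co.uk, the function name check_qr_url and the 0.8 similarity threshold are assumptions made for illustration.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit


def check_qr_url(scanned, expected_host):
    """Return warning strings for a URL decoded from a QR code.

    expected_host is the venue's real domain, e.g. from its printed menu
    (assumption: the caller knows it). An empty list means no red flags.
    """
    try:
        parts = urlsplit(scanned.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    expected = expected_host.lower().rstrip(".")
    if expected.startswith("www."):
        expected = expected[4:]

    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")  # https alone is still no guarantee
    if parts.username or parts.password:
        # In "https://real.co.uk@other.invalid/" the real host is other.invalid
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-address-host")
    except ValueError:
        pass

    # The exact host, or a subdomain of it, counts as a match.
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch")
        brand = expected.split(".")[0]
        # Same brand label with a different ending (.net vs .co.uk), or a
        # near-identical spelling, is the copycat pattern.
        for label in host.split("."):
            if label == brand or SequenceMatcher(None, label, brand).ratio() >= 0.8:
                warnings.append("lookalike-domain")
                break
    return warnings
```

An empty result only means none of these specific red flags were found; the page content still needs the checks described in the following sections.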
Suspicious website content
If you click through to a website from a QR code and the webpage content looks unusual, this can be a sign you are not ordering through a legitimate channel. Signs that you are on a phishing website include spelling mistakes, lack of correct capitalisation, misaligned text and logos and graphics appearing pixelated or out of date.
Asking for too much personal information
When paying online, a pub, bar or restaurant should only require your email address to provide confirmation of your order, your card number, its expiry date and the last three digits on the back of your card (CVV/CVC). If the site is asking for additional information such as your home address, phone number or even your card’s PIN, this can be a sign that it isn’t legitimate.
Offers too good to be true
Websites that offer things such as free money or products could be an indication that the QR code is not legitimate. If you scan a code and are confronted with deals that seem too good to be true, they probably are.
Check whether there is a dedicated ordering app
Many chain bars and pubs, such as Greene King and Wetherspoons, have their own dedicated app for ordering food and drink to your table. Where possible go through the establishment’s official website, which will redirect you to their self-order app from the Apple or Google Play store. If you scan a QR code and it doesn’t redirect you to the app, you could be dealing with a phishing website.
Make sure your phone is up to date
Regularly updating your mobile device and its apps ensures that it’s equipped with the latest security patches to keep you protected.