Classroom 30x redefines education by integrating smart technology, flexible seating, and collaborative practices, fostering engagement, creativity, critical thinking, and improved learning outcomes for students in modern schools worldwide today effectively.
It is now completely normal to point your phone at a QR code without thinking. You do it to pay for parking, see a menu, claim a discount or download an app. Fraudsters have noticed. Across the UK, police forces and Action Fraud are warning about “quishing” – phishing via QR codes – where criminals plant fake codes on posters, parking machines, EV chargers and in spoofed emails that look like delivery updates or bank alerts.
This sits on top of a wider fraud problem. The new national fraud reporting service says it is “here for the 4.6 million people affected by cyber crime and fraud every year” across England, Wales and Northern Ireland. The National Crime Agency estimates that around 67 per cent of fraud reported in the UK is cyber-enabled, much of it driven by online payment redirection and authorised push payment scams where victims are tricked into sending money themselves.
Within that landscape, QR scams are small in volume but growing fast. Action Fraud has reported hundreds of “quishing” cases in the past year alone, with almost £3.5 million lost and reports more than doubling in some recent quarters. Fake QR stickers have been discovered on parking machines in English seaside towns and Scottish city car parks, while drivers have been tricked into entering card details on convincing but bogus payment screens.
Key point
QR scams are a small but fast-growing slice of an already huge fraud problem, riding on the back of our habit of scanning codes without pausing to think.
What quishing is and how QR scams actually work
At a technical level, a QR code is just a barcode that stores a short block of information, usually a web address. Your phone’s camera reads the code, your browser opens the link, and whatever sits behind it does the rest. In a quishing attack, criminals simply swap the destination. They either print their own code and stick it over a real one, or they embed a malicious code in an email or leaflet that looks legitimate.
Once you scan, you are sent to a phishing page that impersonates a parking service, delivery company, charity or bank. That page asks you to “pay a small fee”, log in to your account or confirm card details. In some variants, the site attempts to install malware on your device; more often it is just collecting credentials and card numbers.
Law enforcement agencies describe cases where victims scanned a QR code on a station parking machine, entered their details, and later had thousands of pounds drained via follow-up calls where fraudsters posed as their bank, urging them to move money to a “safe account”.
The endgame is usually one of two things. Either the criminals use your card details directly to make remote purchases, or they use captured logins and one-time codes to stage authorised push payment fraud persuading you to send money yourself under the illusion that it is protecting you. Because the transfers look voluntary and use genuine banking channels, they can be harder to unwind and often leave victims fighting for reimbursement.
Key point
A rogue QR code is just a shortcut into the same phishing and payment redirection tricks that have powered online fraud for years.
How big is the threat in Britain right now?
Fraud has become Britain’s defining volume crime. Banks now record millions of fraud cases each year, with losses running into the billions, and fraud accounts for a large share of all reported crime. The government’s national fraud strategy notes that incidents have climbed sharply since the pandemic, driven by the shift to online payments and remote services.
The 4.6 million people affected by cyber crime and fraud each year across England, Wales and Northern Ireland are the tip of a larger iceberg.
The National Crime Agency’s assessment that 67 per cent of fraud is now cyber-enabled reflects how far everyday tasks from ordering food to paying utility bills have moved onto screens. In that context, QR codes are simply another surface attackers can exploit, especially when they are glued onto the physical infrastructure of daily life.
The numbers for quishing itself are still modest compared with text or email phishing, but they are rising fast. Action Fraud has logged hundreds of QR specific reports, with losses running into the millions, and police forces have launched local campaigns after discovering fake codes on more than 100 car park machines in some areas.
For a typical victim, the direct loss might be a few hundred pounds small compared with some investment scams but the attacks are widely distributed and often hit people who assume they are doing something mundane and safe.
Key point
Quishing is still a minority threat in absolute terms, but it is growing in lockstep with cashless payments and QR-based services.
Real UK scams: from car parks to fake deliveries and charity posters
The most high-profile quishing cases so far involve parking and transport. In several towns and cities, drivers found QR codes on parking meters and tariff boards that mimicked logos of well-known apps. Scanning them took users to payment pages that looked much like the genuine services, complete with car park names and branding. Only later, when bank alerts or statements arrived, did victims realise they had paid a criminal website and handed over card details.
Delivery scams are evolving too. For years, fake texts and emails claiming to be from Royal Mail, DPD or Evri have pushed people to click links and pay small redelivery fees. Now some campaigns add QR codes into the mix, on the assumption that scanning feels quicker and safer than tapping a suspicious looking link.
Consumer research shows that delivery brands are among the most impersonated in text scams, particularly around Black Friday and Christmas when people are expecting parcels. Once criminals have your card and contact details, they may keep taking low-value payments for months or pivot to more aggressive fraud.
Charities and local causes are also being dragged into the problem. Police and regulators warn that scammers are printing fake posters for events or appeals and sticking them up in bus shelters and shopping centres, complete with QR codes that route donations to their own accounts. Even genuine charities are being advised to check that their displayed codes have not been covered with lookalike stickers. In these cases, victims lose money, and legitimate organisations lose trust.
In many of these scenarios, worried users screenshot the message or poster and send it to friends for a second opinion. If you are swapping screenshots in a group chat to ask “is this real?”, it is worth taking a few seconds to crop the image online first so your email address, ticket number or vehicle registration are not shared around as well. That extra step makes it harder for opportunists in open groups or forwarded threads to harvest those details for other scams.
Key point
Quishing piggybacks on ordinary tasks – paying for parking, checking a parcel, giving to charity – which makes it feel legitimate until money has already moved.
Why our brains fall for QR bait
From a fraudster’s perspective, QR codes are clever because they compress several psychological levers into one quick action. Behavioral economists have long shown that people are highly sensitive to loss – we fear losing £50 more than we enjoy gaining the same amount. That bias is exactly what makes fake parking fines and missed delivery notices powerful: they suggest an immediate loss (a fine, a redelivery fee, a lost parcel) if you do not act.
The design of many services adds “hurry-up” pressure. Parking apps warn that time is running out. Delivery texts say your parcel will be returned if you do not respond. Restaurant staff tell you the menu is only online. In busy or unfamiliar settings a crowded car park, a railway platform, a new restaurant you are already juggling navigation, time and social pressure.
Cognitive psychologists describe this as overload: the brain shifts into autopilot, relying on habits and visual shortcuts instead of slow, analytical thinking.
QR codes are pure shorthand. You do not have to parse a web address or decide whether a link looks odd; you just see a square and a brand logo and respond. That is why small frictions help.
If you get used to hovering and checking before you scan for instance, asking yourself whether a car park has other payment options, or whether a charity poster looks tampered with you give your slower, more sceptical brain time to catch up. If you do still screenshot a suspicious message to ask for advice, use a basic tool to crop image online so only the relevant text is visible, not your inbox layout or partial card digits.
Key point
QR scams work because they combine urgency, familiarity and low effort at exactly the moment when people are distracted and in a hurry.
Practical safeguards before you scan or share
The goal is not to stop using QR codes altogether. They are genuinely useful. The aim is to add just enough friction that you notice when something is off. A simple mental checklist can help before you scan.
- Check the context. Does it make sense that this car park or restaurant uses QR payments, or is there a perfectly good card reader or printed menu right next to you?
- Inspect the code. Look for stickers placed over original codes, misaligned labels, spelling mistakes in surrounding text, or low-quality printing.
- Verify the brand. For parking and charging, check the app name or website independently in your app store or browser instead of relying on a QR shortcut.
- Scan with caution. If your phone shows a preview of the web address, read it. Look for odd domains, strange subdomains or missing padlock icons before you proceed.
- Guard your details. Be wary if a QR page asks for full card details, bank logins or one-time codes when you were only expecting to see a menu or basic information.
If you do receive a suspicious delivery or fine notice, it is often safer to delete the message and contact the organisation using details from its official website. National guidance also encourages people to forward scam texts to the 7726 spam reporting number and to report phishing emails or QR scams so patterns can be tracked.
There is also a privacy angle when you share suspicious content. Screenshots of QR codes, boarding passes, parking tickets or emails can reveal card suffixes, booking references and home addresses. Before you forward anything outside a very trusted circle, you can crop image online to remove barcodes, reference numbers and personal identifiers. It is a small hygiene habit, but it stops those details circulating in large group chats where someone less careful might later repost them publicly.
Key point
A few seconds of inspection and light editing before you scan or share can block the majority of opportunistic quishing attempts.
In summary
Quishing is not science fiction. It is the latest twist on a familiar story: criminals following the money as everyday tasks move onto screens. QR codes have become a convenient bridge between the physical world and online services, which makes them attractive both to legitimate businesses and to fraudsters looking for low-effort, high-volume scams.
For British users, the response does not need to be paranoid, but it does need to be deliberate. Understanding that QR codes can be tampered with, recognising the pressure tactics in fake fines and delivery texts, and building small habits like checking for stickers or using official apps rather than anonymous codes can dramatically lower your risk. When in doubt, slow down, verify through a separate channel and share less information than you think scammers could use.
FAQ
What is “quishing” in simple terms?
Quishing is a type of phishing where scammers use QR codes to send you to fake websites that try to steal money, passwords or card details.
Can scanning a QR code infect my phone with malware?
Yes, a malicious QR code can lead to a site that tries to download harmful software or trick you into installing a fake app, although many scams stick to phishing pages.
Are all QR codes in car parks and restaurants risky?
No, many are genuine. The risk comes when fake stickers are placed over real codes or when criminals design posters and emails that closely mimic legitimate brands.
What should I do if I have scanned a suspicious QR code and entered details?
Contact your bank immediately, monitor your accounts for unusual activity and report the incident to Action Fraud or the police. Change any passwords you may have shared.
Is it safer to type a web address than scan a QR code?
Often, yes. Typing an address you know is correct or using an official app from your app store removes the shortcut that scammers rely on when they stick fake QR codes in public places.
