QR codes have become a normal part of daily life. We scan them to pay bills, view menus, check into buildings, even access government services. As adoption grows, so too does the opportunity for fraud. Criminals are now weaponising QR codes to deceive consumers, employees and even entire organisations. At PORGiESOFT Security, our Threat Intelligence Function has been monitoring the sharp rise in “quishing” - QR-code phishing - across both public and private sectors.

A new entry point for fraud

A QR code is simply a digital bridge. It connects a physical environment to a web destination in seconds. Fraudsters exploit this by swapping or overlaying genuine codes with malicious ones that redirect to cloned websites or install malware.

In 2024, we detected fraudulent QR codes targeting car-park payment machines, event tickets, and council notices. Some even mimicked NHS vaccine booking links during the pandemic’s later stages. The subtlety of the attack – and public familiarity with scanning – makes detection extremely difficult.

How QR-code scams operate

  1. Physical tampering. Stickers or posters with fake QR codes are placed over legitimate ones in cafés, public buildings or parking areas.
  2. Digital embedding. Fraudsters embed malicious codes in emails, PDFs or social-media ads to bypass link filters.
  3. Impersonation. Criminals impersonate banks or councils, claiming “security verification” is required via a QR scan.
  4. Data exfiltration. Once scanned, the code can direct victims to phishing portals that harvest credentials or trigger downloads.

In one UK case analysed by PORGiESOFT Security, fraudsters distributed fake parking-fine notices bearing the logo of a local council. Victims were instructed to scan a QR code to pay their fine. The QR led to a cloned payment page that captured card details. Over £200,000 was stolen before the site was taken down.

Why QR-code fraud works

People trust what they can see. QR codes appear neutral – simple black-and-white squares – so victims rarely question them. Research indicates that consumers would “instinctively scan” a QR code if it appeared to come from a familiar organisation.

The psychology mirrors that of smishing: curiosity and convenience override caution. Fraudsters design campaigns around public moments - council tax payments, delivery updates, energy rebates - so the scam feels routine.

Counter-measures for organisations

1. Implement QR-code authentication. Dynamic, trackable QR codes can be digitally signed or embedded with traceable metadata, so that a scanned code can be checked as genuine and traced back to its issuer.
2. Audit public-facing materials. Regularly inspect posters, kiosks and parking machines to ensure stickers haven’t been replaced.
3. Educate citizens. Councils and companies should issue clear guidance: “Always check the full web address after scanning.”
4. Monitor incidents. Incorporate QR-related reports into your Fraud OS Control Model to identify localised trends.

The next wave: Deepfake QR campaigns

Our analysts predict that by 2026, fraudsters will begin blending AI-generated content with QR-based lures - for example, fake AI-voice ads prompting viewers to “scan to claim”. Combining visual and auditory deception makes the fraud more persuasive.

Key takeaway

QR codes are efficient but invisible gateways. As society embraces convenience, security must evolve in parallel. Organisations should treat every QR interaction as a potential attack surface and integrate monitoring into their wider anti-fraud strategy.