Major warning issued over car park QR code scams amid rise in ‘quishing’

Scammers are using QR codes to trick individuals into visiting fraudulent websites or downloading malware

Rebecca Whittaker
Friday 20 June 2025 18:55 BST
QR code scams are on the rise, the Action Fraud agency has warned (Getty/iStock)

Criminals are using fraudulent QR codes in car parks to steal personal and financial information, Action Fraud has warned.

Almost £3.5 million has been lost due to QR code scams, with more than 780 reports of ‘quishing’ made to the UK's national reporting centre for fraud and cybercrime between April 2024 and April 2025.

Also known as QR code phishing, ‘quishing’ is a type of cyberattack where QR codes are used to trick individuals into visiting fraudulent websites or downloading malware.

Fraudulent QR codes are most frequently used in car parks, with criminals using stickers to tamper with the scan codes already in place on parking machines.

The scam is also used on online shopping platforms, where sellers receive a QR code via email either to verify accounts or to receive payment for sold items.

People are being asked to stay vigilant and double check QR codes to see if they are malicious, or have been tampered with (Getty/iStock)

Some phishing attacks impersonate HMRC, or other UK government schemes, targeting people with QR codes designed to steal personal and financial details, reports show.

People are being asked to stay vigilant and double-check QR codes to see if they are malicious, or have been tampered with, before scanning them online or in public spaces.

Claire Webb, Acting Director of Action Fraud, said: “QR codes are becoming increasingly common in everyday life, whether it’s scanning one to pay for parking, or receiving an email asking to verify an online account. However, reporting shows cyber criminals are increasingly using quishing as a way to trick the public out of their personal and financial information.

“We’re urging people to stop and check before scanning QR codes, to avoid becoming a victim of quishing. Look out for QR codes that may have been tampered with in open spaces, or emails and texts that might include rogue codes. If you’re in doubt, contact the organisation directly.”

Although QR codes used in pubs and restaurants are usually safe to scan, ones in open spaces like train stations or car parks might pose a greater risk.

Action Fraud suggests checking for signs that codes may have been tampered with, such as a sticker placed over a legitimate QR code.

If you are unsure, it’s best to not scan the QR code at all and instead find the official website or app of the organisation you are trying to make the payment to.

If you receive an email with a QR code in it, and you're asked to scan it, you should be cautious due to an increase in these types of 'quishing' attacks.

Another precaution to take is to always use the QR scanner that comes with your phone, rather than using an app downloaded from an app store, because it is more secure.
