Dangerous QR codes: UK drivers warned of ‘quishing’ scams

15 Aug 2024

Image: © OceanProd/Stock.adobe.com

Malicious QR codes are being used in car parks across the UK to steal credit card details and Ireland has witnessed its own recent examples of quishing scams.

A UK company is warning drivers about a scam involving QR codes placed on parking metres at multiple car parks in the country.

The automotive services company RAC said there has been a wave of fake QR codes over council-owned parking metres, in a scam tactic known as ‘quishing’ – QR phishing. This scam code leads its victims to a fake website that tricks users into believing they are paying for parking over the phone.

In reality, the scammers use this fake website to steal a victim’s credit card details so they can take money from their bank accounts. The scam has been spotted in multiple UK counties and most of the councils say they do not use QR codes on their parking signs normally, The Guardian reports.

“A car park is one of the last places where you’d expect to be caught out by online fraud,” said RAC head of policy Simon Williams. “Unfortunately, the increasing popularity and ease of using QR codes appears to have made drivers more vulnerable to malicious scammers.

“As if this quishing scam isn’t nasty enough, it can also lead to drivers being caught out twice if they don’t realise they haven’t paid for parking and end up getting a hefty fine from the council.”

The rise of QR code scams

There have been no reports of a similar scam taking place in Irish parking metres, but it would not be a surprise – other examples of quishing have been reported in Ireland in recent years. An Irish Examiner report last month warned of QR code scams targeting Irish people trying to purchase concert tickets.

Tim Callan, chief experience officer at Sectigo, said smartphone users scan QR codes for various purposes and that their rising popularity means “they have also entered into the cybercriminals’ arsenal of weapons”.

“It is scarily easy to manipulate and falsify QR codes in business emails in a myriad of ways,” Callan said. “It is worryingly easy for bad actors to falsify links and addresses.

“A bad QR code could infect your device or make you click on a link to a dangerous website. Therefore, it is not enough to trust the QR code, to avoid quishing scams users shouldn’t scan any QR codes that you cannot easily verify the identity of the end user.”

The advice from both the RAC and Callan is to avoid using QR codes and to take precautions if they are used. Callan said people should look up the organisations directly through a secure browser instead.

“Treat what you see in sites you access through unsolicited QR codes with a grain of salt and be very careful about installing software or sharing information on the sites they link to,” Callan added.

Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com