Banks and regulators are warning that QR code phishing scams — also known as “quishing” — are slipping through corporate cyber defences and increasingly tricking customers into giving up their financial details.
Lenders including Santander, HSBC and TSB have joined the UK National Cyber Security Centre and the US Federal Trade Commission, among others, in raising concerns about a rise in fraudulent QR codes being deployed in sophisticated fraud campaigns.
The new type of email scam often involves criminals sending QR codes in attached PDFs. Experts said the strategy is effective because the messages frequently get through corporate cyber security filters — software that typically flags malicious website links, but often does not scan images within attachments.
“The appeal for criminals is that it’s bypassing all of the [cyber security] training and it’s also bypassing our products,” said Chester Wisniewski, a senior adviser at security software company Sophos.
Researchers and fraud managers said it was hard to estimate the costs of “quishing” as cyber security companies and banks do not typically log the format of malicious links and because such emails may be just one element in a broader cyber attack.
But research by IBM found that “phishing” attacks — which involve scammers sending targeted emails with malicious links — are increasingly expensive for companies, with the global average cost of a data breach rising nearly 10 per cent to $4.9mn in 2024.
QR codes contain data, such as URLs or payment information, in binary code. Invented by Japanese company Denso Wave in 1994 as a tool for tracking auto parts, these codes are designed to be quickly readable by machines, particularly smartphones, but are generally illegible to humans.
Although most smartphones display a short preview of the URL contained in a scanned QR code, researchers have said that this pop-up is generally not sufficient for users to be able to detect that a link might be fraudulent.
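The two gaps described above (filters that check hyperlinks but not images inside attachments, and phone previews too short to reveal the real destination) translate into a concrete defensive check. The following is an added Python example, not code from the article or from any vendor quoted in it. It assumes that a separate library has already rendered the attachment and decoded the QR symbol to text; the registrable-domain logic is a simplified stand-in for the Public Suffix List; and the e-mail, the `.example` lookalike domains and the payloads are constructed sample data. It then applies to the decoded text the same kind of link checks a gateway would apply to a URL in the message body, and shows how a truncated preview can omit the domain the user would actually be sent to.

```python
"""Applying ordinary link checks to URLs decoded from QR codes in e-mail attachments.

Added example for this article (not the article's or any vendor's code).
Assumption: the QR decoding step (rendering the PDF page or image and reading the
symbol) has already run; these functions work on the decoded text.
"""
import ipaddress
from email import message_from_bytes, policy
from urllib.parse import urlsplit

# Simplified registrable-domain heuristic (assumption for the example; real
# gateways use the Public Suffix List).
_TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample message: the body carries no hyperlink at all, so a
# URL-only filter sees nothing; the QR code lives inside the PDF attachment.
SAMPLE_EMAIL = b"""From: payroll@example-corp.test
To: staff@example-corp.test
Subject: Updated benefits form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please scan the code in the attached PDF to confirm your details.
--b1
Content-Type: application/pdf; name="benefits.pdf"
Content-Disposition: attachment; filename="benefits.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def registrable_domain(host: str) -> str:
    """'www.santander.co.uk' -> 'santander.co.uk' (two-level suffix aware)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def attachments_to_scan(raw_email: bytes):
    """List (filename, content_type) of the parts a QR scanner should render:
    PDFs and images, exactly the parts a link-only filter ignores."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pdf" or ctype.startswith("image/"):
            hits.append((part.get_filename() or "<inline>", ctype))
    return hits


def triage_qr_payload(payload: str, allowlist: set, brands: dict):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'.
    brands maps a brand keyword to the domain that brand really uses."""
    if not payload.lower().startswith(("http://", "https://")):
        # vCard, Wi-Fi config, plain text: nothing to fetch, but a human should look.
        return "review", ["payload is not an http(s) URL"]
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    if not host:
        return "block", ["URL has no host"]
    reasons, block = [], False
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
        block = True
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg in allowlist:
        return "allow", ["registrable domain on allowlist"]
    if "xn--" in host:
        reasons.append("punycode label in host")
        block = True
    if reg in KNOWN_SHORTENERS:
        reasons.append("URL shortener hides the final destination")
    folded = host.replace("-", "").replace("_", "")
    for brand, brand_domain in brands.items():
        # Brand name appears in the host, but the registrable domain is not the brand's.
        if brand in folded and reg != brand_domain:
            reasons.append(f"'{brand}' appears in host but domain is {reg}")
            block = True
    if parts.scheme == "http":
        reasons.append("plain http")
    if not reasons:
        reasons.append("domain not on allowlist")
    return ("block" if block else "review"), reasons


def preview_hides_domain(url: str, width: int = 32) -> bool:
    """True if a phone-style preview of `width` characters does not show the
    registrable domain the user would actually be sent to."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) not in url[:width]


if __name__ == "__main__":
    print(attachments_to_scan(SAMPLE_EMAIL))
    allow, brands = {"santander.co.uk"}, {"santander": "santander.co.uk"}
    for url in ("https://www.santander.co.uk/pay",
                "https://santander.co.uk.account-verify.example/login",
                "http://bit.ly/abc"):
        print(url, triage_qr_payload(url, allow, brands), preview_hides_domain(url))
```

The lookalike URL illustrates the preview problem: its first 32 characters read `https://santander.co.uk.account-`, which shows the brand but not the `.example` domain that actually controls the page, so the decoded text has to be checked as a whole rather than by what the user sees.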
“These attacks take advantage of the fact that QR codes, by nature, are difficult to interpret visually, so victims often don’t know where they are being directed to until it’s too late,” said Amir Sadon, director of research at cyber security consultancy Sygnia.
Banks said that the prevalence of this kind of scam has accelerated since QR codes surged in popularity during the Covid-19 pandemic, when they were used to display everything from vaccine passports to restaurant menus. “It’s definitely a growing trend in terms of the number of reports we’re seeing,” said Steph Harrison, a senior fraud operations manager at TSB.
A survey by security software company McAfee in May found that more than a fifth of all online scams in the UK probably originated from QR codes. Reports of QR code scams in the UK more than doubled in the year to August 2024, according to Action Fraud.
The US Federal Trade Commission, as well as multiple local authorities across the UK, also warned this year about a specific kind of “quishing” scam targeting drivers, including cases where stickers directing users to fraudulent sites have been placed on top of legitimate QR codes used to pay for parking.
These links may direct users to an incorrect website and ask them to enter their details, or lead them to download malware. Worse still, said Harrison, “you could also get fined for not actually having a parking ticket”.
Victims have also reported fraudulent QR codes being placed over legitimate ones at EV charging points, train stations and restaurant tables.
But researchers said that “quishing” scams are most commonly deployed in emails — a threat that has put corporate security vendors under pressure to adapt their online defences.
“Today almost no [cyber security] products are looking through attachments,” said Wisniewski. “If this continues to be a problem, I suppose the industry will have to move there — but it will slow down the delivery of emails, and it will also make things more expensive.”