Beware of QR Code Phishing Scams: How to Stay Safe from 'Quishing'

QR codes have become a convenient way to access information, make payments, and visit websites quickly. However, cybercriminals are now exploiting this technology to scam unsuspecting individuals in a form of fraud known as "quishing" (QR phishing). The National Cyber Security Centre (NCSC) has issued a warning on the risks associated with QR code scams and provided key advice on how to stay protected.

How QR Code Scams Work

Fraudsters use QR codes to deceive people into visiting fraudulent websites, where they aim to:

• Steal account credentials such as usernames and passwords.
• Gather sensitive financial details, including bank or credit card information.
• Trick users into paying for a fake service.

Scammers often impersonate legitimate businesses or organisations to gain the trust of their victims. There are two primary ways they carry out these scams:

1. QR Codes Sent via Email

Cybercriminals send phishing emails containing QR codes in an attached image or document. Since email security systems primarily detect suspicious links or attachments, QR codes can bypass these protections. When scanned, these codes redirect users to fake login pages designed to steal personal information.

2. Fake QR Codes in Public Places

Fraudulent QR codes can be placed over legitimate ones in high-traffic areas such as:

• Restaurants and cafes.
• Parking payment stations.
• Public posters, leaflets, or signage.

Because personal mobile devices often lack security protections like antivirus software or website restrictions, users who scan these codes may unknowingly enter their details on fake websites, leading to financial loss or identity theft.

How to Protect Yourself from QR Code Scams

To avoid falling victim to QR phishing, follow these precautions:

• Use a trusted QR code scanning app that warns against suspicious links.
• Check the preview URL before opening it—does it match the official website?
• Beware of urgency tactics—scammers often pressure victims into acting quickly, such as requesting immediate payment to avoid a fine.
• Inspect the QR code—is it a sticker placed over an existing code? Is it behind glass or on a digital display? Tampered QR codes may indicate fraud.
• If the QR code seems suspicious, do not use it.

What to Do If You’ve Been Scammed

If you believe you’ve fallen for a QR phishing scam, take the following steps immediately:

1. Change your passwords—especially for any accounts linked to the scam.
2. Contact your bank to report any suspicious transactions and secure your accounts.
3. Run a full antivirus scan on your device to check for malware.
4. Report the scam to your local Garda station.

Reporting QR Code Scams

If you encounter a suspicious QR code or fall victim to a scam, report it to An Garda Síochána at your nearest station: Garda Station Directory.

You can also report fraudulent QR codes to the organisation being impersonated or send details to the NCSC at phishing@ncsc.gov.ie.

For more information on staying safe from phishing and cyber scams, visit:

• An Garda Síochána – Online Scam Advice
• NCSC Phishing Guide
• NCSC UK – QR Code Risks

As QR codes become more integrated into daily life, awareness of potential scams is crucial. Always verify before scanning, and stay cautious to protect your personal and financial information.