The Rise Of a New Cyberthreat: What Is Quishing?

The cyber threat landscape is rapidly evolving. It is becoming increasingly sophisticated, impacting individuals and businesses alike.

Have you heard of a new cyberthreat called “quishing”? Quishing attacks are becoming increasingly popular with cybercriminals, so we felt it was important to raise awareness to try and protect you from this threat.

What is quishing?

A quick response code, more commonly known as a QR code, is a two-dimensional barcode that, upon being scanned on a smartphone or tablet, will conveniently take you straight to a website.

Quishing is when cybercriminals tamper with existing QR codes by substituting fake QR codes that are embedded with malicious links. When the unsuspecting victim scans the QR code, it takes them to a malicious website, downloads harmful malware onto the victim’s device, or prompts them to input payment details.

How common are quishing attacks?

QR codes are very common nowadays. You can quickly scan them to see digital menus in restaurants, pay for parking or initiate returns in stores, and you will find them on advertisements and even billboards. From a business perspective, you could expect to see them on business cards, exhibition stands, email signatures, or multifactor authentication applications.

While they were originally designed to offer a convenient way for users to access information, QR codes today are becoming increasingly problematic.

Marc Rocker, Head of Cyber at Ardonagh Advisory, states that “QR codes are designed for convenience, criminals are targeting our desire to do things more efficiently and with as little thought as possible and this means that convenience can come at a high price and there are many examples of people unfortunately falling victims to scams using the codes.”

Action Fraud reported that last year they received 1,386 reports of quishing.[1] This has jumped considerably from 2019, when only 100 reports were logged. Lead officer at the Chartered Trading Standards Institute, Katherine Hart, states that quishing attacks are “significantly under-reported”, meaning the actual figure could be even more startling.

Corrupted QR codes have been found on emails, television, parcels, menus and Pay and Display parking meters.

How big of a threat is quishing?

Sadly, there has been a string of examples of quishing attacks hitting the headlines in recent years.

One lady was scammed out of £13,000 after scanning a QR code in a train station in Stockton-on-Tees. After she scanned the QR code, the cybercriminals managed to make a string of fraudulent payments on her credit card and even managed to take out a loan of £7,500 in her name in minutes.[2]

Parking meter quishing: a double whammy

The RAC recommends that you never use the QR codes on parking meters to pay for your parking.[3] Instead, opt for cash or card, or manually download the official app by typing its name into your app store.

Parking meter quishing scams are particularly problematic. Not only do you need to deal with the financial implications of falling victim to a quishing attack, you may also be subject to a parking fine, because you were taken to a scam website and never actually paid for parking.

How to avoid falling victim to quishing attacks?

You’ve already taken the first step in learning to avoid falling victim to quishing attacks by reading this article. Here are a few more top tips on how to steer clear of this new threat:

  • Opt for safety over convenience

In light of the risk associated with QR codes, many officials recommend avoiding them entirely unless you are absolutely certain that they are safe.[4] Even then, we would advise you to exercise caution – if there is an alternative way to access that information, we strongly advise that you consider it.

When it comes to QR codes, you should always opt for safety over convenience.

We appreciate that it is more time-consuming to manually type in a URL. However, can you truly put a price on your financial security?

  • Look for the padlock, but also question it

If you do visit a website via a QR code, have a look for the padlock icon next to the site name in the URL. If it has a padlock, it means that the site is secured and has a digital SSL certificate, meaning your communication with the website can’t be intercepted.

However, what many people don’t know is that while the padlock icon means a website is secure, it does not mean that a website is safe. There is nothing stopping cybercriminals from trying to secure their illegitimate websites with a digital certificate. All it means is that the connection between you and the cybercriminal is secure.

In summary:

  • If you visit a website and there is no padlock, then that is a definite warning sign to stay clear.
  • If you visit a website and there is a padlock, yet you are still questioning it for whatever reason, try to find any alternative way of making sure the website is trustworthy. Think about searching for them on social media and see if the link takes you to the same account or simply Google it. You can often rule out scam websites by seeing what other people have posted on forums such as TrustPilot or Google Reviews.
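To make the padlock point concrete, here is an added example (not part of the original article): a Python check of a URL decoded from a QR code, showing that an `https` link can still lead somewhere other than the operator you expect. The domain `parking.example`, the finding labels and the sample URLs are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit


def is_ip_literal(host: str) -> bool:
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_url(payload: str, expected_domains: set[str]) -> list[str]:
    """Return reasons to distrust a QR-decoded URL (empty list: none found)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable"]
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")              # no padlock at all
    if parts.username is not None:
        findings.append("userinfo")            # text before '@' is not the host
    if is_ip_literal(host):
        findings.append("ip-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")            # possible lookalike characters
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        findings.append("unexpected-domain")   # padlock or not, wrong site
    return findings


# Constructed sample payloads, as a QR scanner would decode them.
OFFICIAL = {"parking.example"}
SAMPLES = [
    "https://pay.parking.example/meter/17",
    "http://parking.example/pay",
    "https://parking.example.secure-pay.test/pay",
    "https://parking.example@203.0.113.7/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", triage_qr_url(url, OFFICIAL) or "no findings")
```

The third and fourth samples would both show a padlock in the browser, yet neither belongs to the expected domain.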

 

  • Brush up on your cybersecurity training

This applies to both organisations and individuals; it is important that you keep up to date with emerging threats in the cybersecurity field. Businesses should ensure that staff are given regular, digestible training to ensure employees know how to protect themselves and the company against cyber threats.

Worried about cybercrime? 

When it comes to cybercrime, many SMEs don’t have sufficient cyber insurance. But the reality is, the risk of cybercrime to your business far outweighs many other risks that you would cover for without a second thought. It’s time to get real about the risk of cybercrime. Speak to your usual Towergate advisor to find out more.    

About the Author

Marc Rocker, Head of Cyber, has been with Towergate for over 15 years, advising commercial clients of all sizes on their business insurance needs.

As Head of Cyber Insurance, Marc has responsibility for ensuring that the advice and products that Towergate provides meet clients’ needs. Marc is a member of the British Insurance Brokers’ Association (BIBA) cyber technical committee.

Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.

[1] Organised crime gangs behind rise in QR 'quishing' scams - BBC News

[2] Thornaby: Woman targeted in £13k railway station QR code scam - BBC News

[3] UK motorists warned of fake parking QR codes being used in ‘quishing’ scams | Scams | The Guardian

[4] UK motorists warned of fake parking QR codes being used in ‘quishing’ scams | Scams | The Guardian