Gone ‘Quishing’ – Spotting QR Code Scams

Post Author: Rona Burns

Date Posted: October 16, 2025

In this increasingly digital world, online safety is more important than ever. Scammers are becoming more sophisticated, always coming up with new ways to access data and steal personal information.

Action Fraud, the UK’s national reporting centre for fraud and cyber crime, have recently highlighted a rise in a new type of online scam dubbed ‘Quishing’. Quishing involves the use of fraudulent QR codes which direct victims to malicious websites intended to steal their personal and financial data.

Legitimate QR codes can be found everywhere, from restaurant menus to parking meters, and are convenient ways of marketing, facilitating payments, or simply sharing information. When the pixelated barcode is scanned with a smartphone camera, a link will pop up giving quick access to the associated website.

However, QR codes are free and easy to generate, which means they can be created by anyone – not just legitimate businesses. As HMRC are now including QR codes on their correspondence, it is more important than ever that you know how to spot codes which are fraudulent or have been tampered with.

What to look out for

  • QR codes in public spaces such as train stations and car parks are easy targets for scammers. However, it is usually fairly easy to spot if they have been tampered with – if the QR code looks like a sticker which has been added in place of something else, it is possible that it is not genuine.
  • Most smartphones have a built-in QR scanner, which should display a preview of the website URL. If the URL is not what you expect, do not click on the link.
  • Emails which include QR codes should be treated with caution. Make sure that the email address it has come from is legitimate, and check for other obvious signs of phishing like poor spelling and grammar, or time limits to provide information.

HMRC’s use of QR codes

HMRC usually uses QR codes in their correspondence to direct you to their guidance – if the QR code is intended to take you anywhere else, you will be advised in the letter that this is the case.

They advise that ‘You will never be taken to a page where you have to input personal information’, so any link requesting personal data should be immediately viewed with caution.

A legitimate link from HMRC will take you to GOV.UK – if the URL preview shown on your QR scanner does not show this, do not follow the link. Instead, log in to your HMRC account the normal way to check whether the communication is genuine.
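The same URL check can be automated, for example where scanned codes from letters or emails are triaged before anyone opens them. The Python sketch below is an added example, not code from HMRC or Action Fraud; the function names, the https-only and default-port rules, and the sample links (all constructed) are assumptions. It shows why the hostname has to be compared exactly, not just searched for the text "gov.uk".

```python
import re
from urllib.parse import urlsplit

TRUSTED_SUFFIX = "gov.uk"  # the article: a genuine HMRC link leads to GOV.UK
HOST_CHARS = re.compile(r"[a-z0-9.-]+")  # plain ASCII hostnames only


def is_govuk_link(decoded_text: str) -> bool:
    """Return True only if a decoded QR payload is an https link on gov.uk.

    Hypothetical helper; https-only and default-port-only are assumptions.
    """
    try:
        parts = urlsplit(decoded_text.strip())
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    # "https://www.gov.uk@example.net/" shows gov.uk first but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = host.rstrip(".")
    # Reject backslashes, non-ASCII lookalike letters and punycode labels.
    if not HOST_CHARS.fullmatch(host):
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    # Exact match or a true subdomain; "gov.uk.example.com" fails both tests.
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


# Constructed sample payloads, as a QR scanner might decode them.
SAMPLES = [
    "https://www.gov.uk/guidance/example",
    "https://www.gov.uk.example.com/login",
    "https://www.gov.uk@example.net/",
    "https://hmrc-gov.uk/refund",
    "http://www.gov.uk/",
]


def triage(payloads):
    """Map each decoded payload to True (GOV.UK) or False (anything else)."""
    return {p: is_govuk_link(p) for p in payloads}


if __name__ == "__main__":
    for payload, ok in triage(SAMPLES).items():
        print("GOV.UK" if ok else "OTHER ", payload)
```

A result of `True` only confirms where the link points; the advice above about logging in to your HMRC account the normal way still applies.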

Further information regarding HMRC phishing scams can be found on their website: Examples of phishing emails, suspicious phone calls and texts – GOV.UK

When using QR codes, always be vigilant and seek advice if you’re unsure.
