QR codes have slipped into daily life so quietly that most of us hardly notice them. Scan to pay for parking. Scan to view a menu. Scan to confirm delivery. Attackers have noticed too. Quishing – phishing that starts with a QR code – turns that tiny square into a trap that moves victims off protected devices and onto personal phones where company defences are thin. UK press and law-enforcement briefings point to a sharp rise through spring and summer 2025, including parking-payment scams that send drivers to realistic fake sites and drain accounts within minutes. The Guardian national report counted more than 500 cases in the first quarter alone, with losses mounting and many incidents going unreported.
If you want a quick refresher on wider phishing tactics, our piece on Emerging Phishing Trends and How to Stay Ahead explores the social engineering moves quishing now amplifies with QR codes. That background helps when you start designing controls.
What quishing looks like in 2025
The core trick is simple. The victim scans a QR code that looks legitimate. The phone opens a site that impersonates a trusted brand, then asks for bank cards, login details or a one-time passcode. Sometimes the page requests a device-admin permission so malware can read messages and intercept future codes. Because the scan happens on a personal handset, the corporate email gateway and browser filter never see it.
Modern quishing campaigns spread in several ways:
- Email with a QR image inside a PDF. The text says your session has expired and you must scan to reset access.
- Stickers on parking meters, parcel lockers or desk signage. The sticker covers the real code and points to a clone site.
- Screen-shared QR codes in rushed meetings. The “supplier” flashes a code and says, “scan this to confirm the payment authorisation”.
- Fake customer-support posters pinned in shared spaces. A code labelled “Wi-Fi help” routes staff to a credential-harvesting form.
Attackers prefer QR because it pushes people onto a device that IT does not fully manage. Proofpoint’s mid-August analysis tallied 4.2 million QR-code threats in the first half of 2025, a strong signal that criminals are scaling this channel while inbox filters catch up.
Why it slips past your controls
Most companies focus controls on email and laptops. Quishing detours around both.
First, the moment you scan a code on a personal phone, corporate filtering falls away. The mobile browser may have weaker protections than your managed desktop. Second, the target site looks clean to email security because there is no clickable link in the message to analyse. Third, people trust signs, PDFs and screens in meetings more than links in email. That normal-looking square inherits trust from its surroundings.
Finally, QR codes are perfect for “out-of-band” pressure. A fake code on a parking terminal creates urgency. A code flashed during a call feels official. Attackers know stress shortens attention spans.
Where quishing bites hardest
Quishing is not just a consumer problem. These are the business pinch points we see most often:
- Supplier bank-detail changes. A PDF invoice carries a QR code for “quick payment”. The code routes to a clone site that confirms new account details.
- Parking and travel. Staff on the road scan fake codes and later field follow-up calls from “the bank”. Social-engineering moves fast once criminals have partial data from a convincing payment page in a known context. Investigations suggest hundreds of such cases this year across the UK, with a steady upward trend.
- Shared offices and events. QR posters promise Wi-Fi help, agenda downloads or prize draws. Attendees hand over credentials inside two taps.
- On-device authenticator fatigue. The fake site prompts repeated approval requests or a “temporary security add-on”, which quietly captures future codes.
A practical plan that does not wreck the day job
You do not need a giant programme. You need tidy basics, clear decisions and small iterations that stick.
1. Set policy before tech
Write a one-page rule that any request involving money, identity or remote-access tools must be verified on a second channel if a QR code is part of the journey. No exceptions for “urgent” supplier changes. Make it easy to follow: a short checklist beside every finance screen beats a 40-page policy nobody reads.
2. Train people on what “good” looks like
Show three examples side-by-side in a five-minute huddle: a genuine parking app code, a stickered fake and an email-PDF hybrid. Teach two habits:
- Inspect the surface. If it is a sticker or looks tampered with, do not scan.
- If you do scan, read the whole address bar. If the domain is new or odd, stop and use a bookmarked route instead.
Reinforce the message quarterly. Keep the language plain. Humour helps. “If a code pops up in a meeting and it wants your card, that is not a meeting. That is a mugging.”
3. Fix finance first
Most quishing damage lands in finance. Build a “never alone” rule for any bank-detail change or payment above a set threshold. Two people must approve, and one must confirm over a known phone number or a pre-agreed messaging channel. Repeat the check even if a QR code started the process in a familiar app.
4. Tweak the tech you already own
You probably own enough tooling to cut risk sharply:
- Email and file gateways can extract and analyse QR images inside PDFs. Enable that feature and send hits to quarantine or rewrite with a clear interstitial warning.
- Mobile-device management can force scanning to open links in a managed browser with safe-browsing controls. For BYOD, use app-protection policies that keep corporate links inside the managed app boundary.
- Browser controls can block risky site categories and flag newly registered domains. Combine with URL-rewrite banners that make destination domains obvious before the page fully loads.
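One way to implement the gateway step above, as an added example that is not from the article or from any vendor product: once a gateway has decoded a QR image to its payload string (the barcode decoding itself is assumed to happen upstream), the payload is triaged so approved domains pass, unknown domains get the interstitial warning, and payloads showing userinfo tricks, IP literals, shorteners, plain http or brand lookalikes are quarantined. The allowlist, brand names, shortener list and sample payloads are all constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

APPROVED_DOMAINS = {"pay.example-parking.co.uk", "portal.example-corp.com"}  # constructed allowlist
WATCHED_BRANDS = {"example-parking", "example-corp", "hmrc"}  # constructed brands staff trust
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}  # destination-hiding services


def registrable_label(host):
    """'example-parking' from pay.example-parking.co.uk (crude co.uk-style handling)."""
    parts = host.split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "ac", "gov"):
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else host


def triage_qr_payload(payload):
    """Return (verdict, reasons): allow, warn (show interstitial) or block (quarantine)."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return "warn", ["non-http payload"]  # wifi:, tel:, plain text: needs a human look
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:  # https://trusted.example@evil.example/ lookalike trick
        reasons.append("userinfo before host")
    if host in APPROVED_DOMAINS and not reasons:
        return "allow", []
    if parts.scheme == "http":
        reasons.append("plain http")
    if host.replace(".", "").isdigit():  # crude IPv4-literal check
        reasons.append("IP literal instead of domain")
    if host in SHORTENERS:
        reasons.append("shortener hides destination")
    label = registrable_label(host)
    for brand in WATCHED_BRANDS:
        if brand != label and brand in host:
            reasons.append(f"brand '{brand}' inside non-approved host")
        elif brand != label and SequenceMatcher(None, brand, label).ratio() >= 0.8:
            reasons.append(f"lookalike of '{brand}': {label}")
    return ("block" if reasons else "warn"), reasons


# Constructed payloads, as a gateway's QR decoder would hand them over.
SAMPLE_PAYLOADS = [
    "https://pay.example-parking.co.uk/session/9f3",
    "https://pay.example-parking.co.uk@198.51.100.7/login",
    "http://exampleparking.co.uk/expired",
    "https://bit.ly/3xQRpay",
    "https://menus.cafe-example.com/table/12",
]


def triage_all(payloads=SAMPLE_PAYLOADS):
    return {p: triage_qr_payload(p) for p in payloads}
```

The "warn" verdict is the hook for the interstitial banner mentioned above; "block" is where quarantine or URL rewriting applies.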
Proofpoint’s report notes attackers are leaning on URL-based delivery more than attachments, and quishing is part of that pivot. Expect more hybrid lures that start with a QR image and end with credential theft.
5. Clean up your physical environment
Do a monthly sweep of reception, lifts, canteens and meeting spaces. Remove third-party QR posters unless approved. For any genuine code you publish internally, add a tiny tamper-evident mark and a short link underneath so staff can type it instead of scanning.
6. Tell customers what you will never ask them to do
If you offer QR codes to customers, publish a short “safe scanning” page and link to it from invoices and emails. Spell out that you will never ask for full card details or authenticator approvals after a QR scan. This reduces complaints and limits reputational harm if a clone page appears.
7. Bake it into supplier questions
Add a couple of lines to procurement templates: do you use QR codes in your customer flows, and how do you secure them? Do you support alternate non-QR routes for critical actions? You will be surprised how many vendors have not thought this through. Push them to add warnings and non-scan options.
What to measure
You cannot manage what you cannot see. Track:
- The number of QR-bearing emails or PDFs blocked each month.
- Click-through rates on training snippets and the short quiz that follows.
- Finance verification exceptions caught before payment.
- Time to validate a suspected quishing attempt from first report to safe resolution.
Publish a simple chart at the monthly all-hands. Visibility keeps attention high.
Handling incidents calmly
When a scan goes wrong, speed fixes the day. Keep steps short:
- Capture a screenshot of the page and copy the full URL.
- Put the device in flight mode to stop follow-up prompts.
- Call the known bank number from your own records, not the page.
- Raise a ticket with the URL, time and any entered data.
- If credentials may be exposed, reset through the normal route and re-issue tokens.
Do not play blame games. The trick works because it hijacks habits.
Costs, savings and what to buy last
You can move far without new spend. Most costs sit in staff time for sweeps, short training and small policy edits. If you buy anything, start with tamper-evident labels for approved internal codes and a managed mobile browser for staff who scan for work. Hardware scanners are rarely needed. The biggest saving comes from fraud avoided and the hours you do not spend unwinding a supplier-payment mess.
Law-enforcement and sector data you can cite to the board
If you need air cover, point to two signals. First, Action Fraud UK consumer reporting shows a material jump, with national fraud teams urging people to treat unsolicited QR codes with care and logging almost £3.5 million in quishing losses across a recent 12-month window. The tally reflects only reported cases. Second, industry telemetry shows attackers at scale. Proofpoint’s latest Human Factor analysis tracks millions of QR-led threats in H1 2025 and a broader swing from attachments to URL-driven lures. That aligns with what front-line teams are seeing.
Tie-ins with other controls you already have
Quishing prevention plugs neatly into work you may be doing anyway.
- Zero-trust sign-ins. If all high-risk apps require phishing-resistant authentication, a cloned page that harvests passwords gets you nowhere.
- Data classification. If staff know which data matters most, they are likelier to pause before scanning a code that asks for it.
- Crisis comms. Add a quishing scenario to your comms playbook. If a fake poster appears in the lobby, who removes it, who emails staff, and who updates customers?
For further reading on insider risk and the human layer, see our guide to Detecting Insider Threats – How to Safeguard Your Company from Within. It covers privilege creep and the small process slips that social engineers love to exploit.
Quick case study: cutting quishing off at the car park
A facilities company in Manchester saw a run of staff complaints about parking-payment glitches. The IT lead and office manager walked the site and found counterfeit stickers covering the real codes on three machines. They replaced the plates, added a bright stamp to every genuine code and printed a tiny short link under each one so staff could type the address instead. Finance introduced a two-person check on supplier bank changes the same week. The next month, the firm logged two attempted invoice QR scams via email, both spotted early because staff now knew that any QR touching money needed extra checks. False-alarm tickets dropped quickly because the rules were clear and simple.
What good looks like by the end of the quarter
- A one-page verification rule that mentions QR explicitly.
- A monthly sweep of shared spaces for unapproved codes.
- Email and file gateways extracting and analysing QR images.
- Managed mobile browser for staff who scan as part of their job.
- Finance approvals that never rely on a single scan and a single person.
- A short paragraph in supplier templates that covers QR use and alternatives.
The bigger picture
Quishing is popular because it is cheap, quick to copy and good at slipping past old controls. The good news is that the fixes are boring. Clear rules, a few practical tweaks and calm practice will take most of the heat out of it. Treat random QR codes like untrusted links, keep payment checks human, and give staff a simple way to ask for a second opinion without feeling silly.
UK coverage has shown the consumer face of the problem, from fake parking pages to QR-led refunds that never arrive. It is a short hop from there to supplier fraud and account takeover in business settings. The warning signs are visible now – and so are the fixes.
If you want help turning this into a simple, low-stress playbook, we can map the steps, set up the checks and train your champions so the habits stick.
Ready to reduce QR-code risk without slowing the workday? Contact the Mustard IT team