Skip to content

Banks and regulators raise alarm on QR code scams in emails

  • by
  • 3 min read

Banks like Santander, HSBC, and TSB have joined forces with authorities like the U.K.’s National Cyber Security Centre (NCSC) and the U.S. Federal Trade Commission (FTC) to alert the public about the QR code phishing attacks surge. The core method behind ‘quishing’ exploits the fact that many cybersecurity systems, built to detect malicious web links in emails, often overlook QR codes embedded in images within email attachments.

By leveraging this loophole, fraudsters have gained a sophisticated tool for circumventing corporate defences and reaching targets more effectively, reports Financial Times.

The scam operates straightforwardly. Victims receive a malicious email that contains a PDF attachment featuring a QR code. When users scan this QR code, they are redirected to a phishing website or payment platform, where they are prompted to enter their card details or other personal information.

QR technology was first introduced in Japan by Denso Wave in 1994 for tracking auto parts, and since then, it has gained considerable popularity.

After COVID-19, QR-based services like digital menus and vaccine verification exploded in popularity. However, the codes’ binary nature means that users cannot visually assess the legitimacy of the URLs they contain, leaving a vulnerability for cybercriminals to exploit.

Cybersecurity experts argue that QR code attacks are particularly successful because most corporate cybersecurity filters aren’t designed to detect malicious URLs hidden with QR codes.

a person scanning a QR code on a package with their smartphone.
Cybersecurity experts report that currently, no company scans email attachments for counterfeit QR codes. Integrating this technology into security software is expensive and may slow email processing speed.

The prevalence of squishing scams has reached various sectors, impacting everything from public transportation to electric vehicle charging and digital payments. In several high-profile cases, scammers have placed fake QR code stickers over legitimate ones in public spaces like parking meters, leading users to phishing sites that request payment details.

In India, scammers have often used QR codes to facilitate payments to their bank accounts by placing harmful codes in locations where users typically scan for payments.

This escalating threat puts pressure on cybersecurity vendors, who are now being pushed to upgrade their products to recognise QR-based phishing attempts. Experts note that adapting security systems to scan image attachments will be costly and may slow down email processing speeds.

To protect themselves from QR code scams, users should check the legitimacy of the QR code, such as company branding on the code. When users open the URL, they should notice any suspicious website links. Users should also pay attention to the website’s UI. Many scammers lack the resources to mimic the original website accurately, which may result in less branding and poor design.

When paying via QR code, always ensure that the money is being sent to the legitimate owner by checking the business’s name on the UPI app.

Additionally, users should avoid scanning the QR code in anticipation of a reward. This is probably the easiest way to fall into the trap. And lastly, avoid scanning to contact someone. Head to the company’s website or customer support to get the number.

In the News: US healthcare has seen 300% rise in ransomware attacks since 2015: Microsoft

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>