The latest Age UK scams newsletter has warned people about QR code scams.
QR codes are everywhere today, from parking machines to restaurant tables, and from parcels to posters at bus stops, but the Macclesfield branch of Age UK has warned people that they are also a target for scammers.
QR codes were originally designed to make life easier – simply point a phone camera at the square black-and-white code and go directly to a website.
But criminals have learned how to exploit that convenience, and Age UK said that in recent months, police and fraud prevention bodies across the UK had reported a “sharp increase” in QR code fraud – sometimes called “quishing” (QR phishing, phishing being where scammers deceive people into revealing sensitive information).
While anyone can be targeted, fraudsters often rely on the fact that many people are still becoming familiar with how QR codes work. The general advice is never to use QR codes that are outside and could have been tampered with.
Criminals place a sticker containing their own QR code over the genuine code on a parking machine. When a parker scans it, they are taken to a fake website that looks like a legitimate parking payment service. They enter their card details, thinking they are paying for parking, but the money – and their card information – goes straight to the fraudsters.
In some cases, victims only realise days later when suspicious transactions appear on their bank statement, or they receive a parking penalty notice.
Fraudsters increasingly send QR codes instead of links, claiming to be from HMRC, Royal Mail, NHS, or banks. The email may warn of taxes, missed deliveries, or appointments.
Instead of a link, it instructs you to “scan the QR code below.” This tactic is deliberate. Many email security systems are better at detecting suspicious links than suspicious QR images. Once scanned, victims taken to a convincing fake website asking for personal or financial details.
Fraudsters can use this to direct people to fake payment pages, capture banking details, install malicious software and steal login credentials.
“Because scanning feels quick and modern, people often do it without pausing to think,” warned Age UK.
Website links can asl be seen when browsing, but with a QR code, people cannot see where it will take them until after they scan it, but a QR code is simply a shortcut to a website.
Age UK’s Older Persons Scams Awareness and Aftercare Project said that people should stop and think if they did not request the QR code, or if it appears unexpectedly.
People should ask:
• Why am I being asked to scan this?
• Could I reach this organisation another way?
• If the message creates urgency (“Pay immediately”, “Last chance”, “Account suspended”), that is a red flag.
Anyone using a QR code on a parking machine or public surface should check for stickers placed on top of other stickers, and look for signs of tampering. Compare the machine with nearby machines and if something looks poorly applied or misaligned, do not scan it. Instead, use an official parking app or pay via card machine if available.
Legitimate organisations do not require customers to enter full banking passwords via a random QR code scan.
If a page asks for full online banking passwords, one-time passcodes sent to a phone or card PINs, stop immediately. No legitimate organisation will ask for these in that way.
Age UK said that instead of scanning a QR code in an email or text, people should manually type the organisation’s official website address into their browser; for example, for tax matters, go directly to gov.uk.
For deliveries, visit the courier’s official website. For healthcare matters, log in through official NHS channels. Do not rely on links or codes provided in unexpected messages.
Age UK said: “Technology itself is not the enemy. QR codes are simply tools. But like any tool, they can be misused.”
(Photo: Wei Huang / Dreamstime).
