What are the risks for businesses when using QR codes?

QR code risks

Since the pandemic, the UK has become accustomed to using QR codes to share information, make an inquiry, or to complete a purchase. However, while the increased use of QR codes developed from a time when safety was the primary concern, their ease of use has now evolved into a new phishing threat. Here, we look at this threat and how businesses and individuals can protect their data.

The issue with QR codes

There’s no denying that QR codes are a helpful tool, especially for businesses that want to convey information easily and receive quick click-throughs. For most QR codes, these links are legitimate, taking the user to a web address where they can give or receive information or complete a purchase. The threat comes in the hidden aspect of the codes and where they are sending the user.

Given their ease of use and presence in public settings, many people will follow the QR code’s click-through link without taking much notice of where they are being sent. This means that users are prey to exactly the same risks as with other types of phishing scams, where they are lured to a seemingly legitimate site that then requires them to input sensitive information. This is why this type of fraud has been given the nickname “Quishing”.

One of the more severe QR code scams recently occurred at a railway station. A woman was defrauded of over 13k after following a QR code link on what appeared to be a legitimate public sign. She gave her card details and personal information, which allowed the fraudsters to make several purchases, set up online banking, and take out a loan in her name.

This case is one of over 1,200 QR scams investigated by the UK’s National Fraud Reporting Centre in the last three years, highlighting the increasing danger of this type of fraud.

How can businesses protect themselves from QR code risks?

QR code generation and advice

Many businesses now use QR codes in their promotional materials, business cards and for their day-to-day operations. However, companies need to be aware that once this code is generated and released to the public, it could be manipulated to a criminal’s advantage. It is well worth adding a reminder to any correspondence or branded literature from your business to double-check that the destination of the QR is legitimate before proceeding.

Cyber policy and staff training for QR code risks

If your business interacts with QR codes, no matter the form, your cyber security policy must outline the risks and safeguarding measures. This also needs to be reiterated to staff through cyber awareness training that sets out best practice when interacting with QR codes, including how to scrutinise where they are being sent and what information they are being asked for.

One practical measure for staff in their day-to-day work is to scan QR codes only with their phone camera rather than an app, because this method reveals the full URL address, allowing staff to decide if it is a legitimate link before clicking through.


While QR codes are a valuable tool for both businesses and customers, there are risks. Cybercrime awareness and proper scrutiny need to be adopted for better fraud protection in the day-to-day.

Find out more

If you would like to speak to us about your business’s cyber security or anything else from this article, please contact Andrew Wayman at andrew.wayman@sdt.co.uk or call our office on +44 (0)1344 870062.