
Episode Summary
QR codes have become a weapon of choice for cybercriminals, with UK businesses losing £3.5 million in just one year to “quishing” attacks. This episode breaks down the alarming surge in QR code phishing, explains how these sophisticated attacks work, and provides five actionable steps every SME can take immediately to protect themselves.
Key Statistics & Facts
- 784 quishing reports to Action Fraud (April 2024 – April 2025)
- £3.5 million stolen from UK victims (reported cases only)
- £4,500 stolen daily through fake QR codes
- 5.3 billion QR code redemptions projected for 2025
- 500,000+ phishing emails now contain QR codes in PDF attachments
- 73% of people scan QR codes without any verification
- £300 average loss per victim in Manchester Trafford Centre attacks
Main Topics Covered
1. Understanding Quishing (QR Code Phishing)
- Definition: Criminals hiding malicious links inside fake QR codes
- Technical method: URL redirection through legitimate-looking intermediate sites
- Physical placement: Fake QR stickers placed over legitimate ones
- Digital distribution: QR codes embedded in PDF email attachments
2. Why Quishing is Exploding
- Massive increase in QR code usage (nearly one scan per person globally)
- Shift from traditional email links to PDF-embedded codes
- Bypasses traditional email security filters
- Exploits trust in QR code technology
3. Real-World UK Attack Patterns
- Car Parks: Fake codes on parking payment machines (primary attack vector)
- HMRC Impersonation: Fake tax-related QR codes timed around deadlines
- Online Shopping: Malicious codes targeting eBay/Facebook Marketplace sellers
- Microsoft 365 Targeting: Sophisticated campaigns targeting personal devices used for work
4. Why SMEs Are Prime Targets
- Employees scan codes using personal phones lacking corporate security
- Limited security awareness training compared to large corporations
- Financial constraints make them more likely to pay quickly when attacked
- Attacks bypass business email filters and firewalls
Sources & References
- Action Fraud (Official UK fraud reporting)
- Barracuda Networks threat research
- FBI cybercrime reports
- Manchester Police incident reports
- HMRC impersonation campaign analysis
- Microsoft 365 targeting research
- PayByPhone/RingGo official app recommendations
Episode Sponsor
Equate Group provides comprehensive security awareness training and mobile device protection, helping SMEs navigate evolving cyber threats while maintaining the convenience of modern technology. Their multi-layered security approach protects against threats from email, malicious websites, and manipulated QR codes in physical spaces.
Legal Disclaimer
The information in this episode is for general guidance only and shouldn’t replace professional cybersecurity advice tailored to your specific business. Cyber threats evolve rapidly, so always verify current threat status and consult qualified security professionals before making critical infrastructure changes. While content has been fact-checked with sources provided, neither the hosts, sponsors, nor production company can be held responsible for decisions made based on this briefing.
Sponsor Disclosure: Equate Group Ltd is the episode sponsor, but all security recommendations are based on independent research and industry best practices.
Production: Small Business Cyber Security Guy Production – All rights reserved.