Reported by Stephanie Stacey

Banks and regulators are warning that QR code phishing scams — also known as “quishing” — are slipping through corporate cyber defences and increasingly tricking customers into giving up their financial details.

Lenders including Santander, HSBC, and TSB have joined the UK National Cyber Security Centre and US Federal Trade Commission among others to raise concerns about a rise in fraudulent QR codes being deployed for sophisticated fraud campaigns. 

The new type of email scam often involves criminals sending QR codes in attached PDFs. Experts said the strategy is effective because the messages frequently get through corporate cyber security filters — software that typically flags malicious website links, but often does not scan images within attachments.

“The appeal for criminals is that it’s bypassing all of the [cyber security] training and it’s also bypassing our products,” said Chester Wisniewski, a senior adviser at security software company Sophos.

Researchers and fraud managers said it was hard to estimate the costs of “quishing” as cyber security companies and banks do not typically log the format of malicious links and because such emails may be just one element in a broader cyber attack. 

But research by IBM found that “phishing” attacks — which involve scammers send targeted emails with malicious links — are increasingly expensive to companies, with the global average cost of a data breach rising nearly 10 per cent to $4.9mn in 2024.

QR codes contain data, such as URLs or payment information, in binary code. Invented by Japanese company Denso Wave in 1994 as a tool for tracking auto parts, these codes are designed to be quickly readable by machines, particularly smartphones, but are generally illegible to humans. 

Read full report: https://www.ft.com/content/8aca741e-6448-4511-a54d-64f3a97747b1