What is quishing? The food and drink scam you need to be aware of this summer

Watch more of our videos on Shots! 
and live on Freeview channel 276
Visit Shots! now
Don’t get caught out 😨
  • Quishing is a modern scam involving QR codes. 
  • Pub-goers heading to their local this summer are being warned to stay vigilant. 
  • Telltale signs that the QR code you’ve scanned is a malicious one includes asking for too much personal information. 

It might not be the summer we were all excited for and expecting weather-wise, but nothing beats popping to the pub to quench your thirst on a warm day. And when the sun finally does decide to show its face, you can bet that your local will be jam-packed with punters hoping to make the most of it. 

Since the on-set of the coronavirus pandemic at the start of the decade, trips to the pub have been revolutionised with the widespread adoption of QR codes and apps to order. In many watering holes, you are likely to find a code on the table you can scan to avoid having to brave a queue to order the next round. 

Hide Ad
Hide Ad

But pub-goers are being warned that with the prevalence of QR codes there is a major new scam they need to watch out for. Known as quishing (try saying that one after a couple of pints) it could put you at risk of falling prey to nefarious fraudsters trying to take advantage of you. 

What is quishing and how does it work? 

The name might not be one you recognise quite yet, it is not among the most widely known scams. It is a portmanteau of QR and phishing - the later of which is the name for a common tactic used by fraudsters in the 21st century, 

Cloudflare warns that quishing “is a cybersecurity threat in which attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content”. It adds: “The goal of this attack is to steal sensitive information, such as passwords, financial data, or personally identifiable information (PII), and use that information for other purposes, such as identity theft, financial fraud, or ransomware.” 

How to avoid falling victim to quishing? 

Marc Porcar, CEO of QR Code Generator, has shared his top tips for spotting ‘fake’ QR codes and what to do if you suspect one isn’t legitimate. He advises that you should inspect the QR code for signs that a fake has been placed over a preexisting one. 

Hide Ad
Hide Ad

Another sign to watch out for is peeling edges, weird bumps in the material and anything else that generally looks suspicious. If the corners of the sticker are peeling and it appears there is something underneath, this can be a surefire red flag. 

If in doubt and if you have suspicions that your table’s QR code isn’t legitimate, it is always best to double check with a staff member before ordering.

Quishing is the new scam you need to look out for. Quishing is the new scam you need to look out for.
Quishing is the new scam you need to look out for. | Cameron Spencer/Getty Images

Check the URL

When you scan a QR code, your phone allows you to preview the website’s link before you click to visit the site. Use your judgement to assess the website URL and whether it matches up with the establishment’s actual website. 

Some scammers will set up a copycat website using a domain name that looks similar but is slightly different to the real thing. For example, the imposter URL could be ‘https://www.pubname.net’ when the genuine website is ‘https://www.pubname.co.uk’. 

Hide Ad
Hide Ad

Also make sure that the website you are visiting on your mobile browser has a padlock symbol next to it, and that the URL begins with ‘https://’ rather than just ‘http://’. This ensures that the website is encrypted with a Secure Sockets Layer (SSL) certificate. Some phishing websites now also use SSL protection in an attempt to trick visitors, so this is a risk that should be taken into consideration when visiting the site.

Suspicious website content 

If you click through to a website from a QR code and the webpage content looks unusual or things feel out of place, this can be a sign you are not ordering through a legitimate channel.  

Some telltale signs that you are on a phishing website include spelling mistakes, lack of correct capitalisation, text being misaligned, and logos and graphics appearing pixelated or out of date. 

Asking for too much personal information 

When paying online, establishments should only require your email address to provide confirmation of your order, your card number, its expiry date and the last three digits on the back of your card (CVV/CVC). If the site is asking for additional information such as your home address, phone number or even your card’s pin number, this can be a sign that it isn’t legitimate. 

Hide Ad
Hide Ad

Offers too good to be true 

Websites that offer things such as free money or products could be an indication that the QR code is not legitimate. If you scan a code and are confronted with deals that seem too good to be true, they probably are. 

Check if pub has its own app

Many chain bars and pubs, such as Greene King and Wetherspoons, have their own dedicated apps which you can use to order food and drinks to your table. Where possible go through the establishment’s official website, which will redirect you to their self-order app from the Apple or Google Play store. If you scan a QR code and it doesn’t redirect you to the app, you could be dealing with a phishing website. 

Marc Porcar adds: “The Euros are a fantastic opportunity for people to come together to cheer on their national team. Unfortunately, scammers see these events as an opportunity to take advantage of people, especially those who have been drinking and may be less vigilant than usual. 

“It’s important that people continue to exercise caution when scanning QR codes, to prevent falling victim to this type of phishing scam.”

If you are wanting to learn more about the dangers of QR scams (quishing), the FBI issued a warning earlier this year. ABC news has a video explaining what the US agency has said.