Quishing: QR Code Phishing Scams and What Every Irish Business Owner Needs to Know
You've seen them everywhere. On the table in a restaurant. On a parking meter. In an email from what looks like your bank or Revenue. QR codes have become part of everyday life — a quick scan and you're on a website, making a payment, or downloading a menu without having to type a single character.
That convenience is exactly what criminals are exploiting.
There's a growing type of scam called "quishing" — a blend of QR code and phishing — and it's catching out individuals and businesses across Ireland at an alarming rate. The NCSC (Ireland's National Cyber Security Centre) published a Quick Guide to QR Code Phishing Scams in January 2025, and it's worth every business owner reading. This article takes those core messages and puts them into plain language, with a particular focus on what it means for small and medium businesses in Ireland.
What Is Quishing?
A QR code is simply a barcode that stores a link or other information. Point your phone camera at one, and it takes you somewhere — usually a website. They're legitimate, widely used, and genuinely useful.
The problem is that anyone can create a QR code in seconds, and there is no way to tell by looking at one where it actually leads. Criminals figured this out quickly.
Quishing works like this: a fraudster creates a QR code that points to a fake website — one designed to look exactly like your bank, Revenue, a courier service, or a payment portal. They then get that QR code in front of you, either physically or digitally. You scan it, land on the fake site, and enter your credentials or payment details. The criminal now has them.
The reason quishing has grown so rapidly is that most email security systems are not built to scan QR codes. A suspicious link in an email body will often be caught by filters. A QR code embedded in an image or PDF attachment? It passes straight through.
The Two Ways It Happens
1. QR Codes in Emails
This is the version most likely to affect your business. You receive an email — perhaps appearing to come from Revenue, your bank, a courier, or even a supplier — with a QR code in an attached document or image. The email tells you to scan the code to verify your account, track a delivery, or complete a payment.
The QR code leads to a convincing fake login page. You enter your username and password. The criminal captures them and is into your account within minutes.
What makes this particularly dangerous for businesses is that the email may appear to come from a trusted source you already deal with. Criminals are increasingly impersonating specific Irish organisations, including Revenue Commissioners, Bank of Ireland, AIB, and An Post.
2. Physical QR Codes in Public Places
This one is less likely to affect a business directly, but it absolutely affects your staff and customers. Criminals place fake QR code stickers over legitimate ones in high-footfall locations — restaurant tables, parking payment machines, public noticeboards, and event posters.
A member of your team pays for parking using what they think is the council's payment system. They're actually entering their card details into a criminal's fake site. The same can happen to customers at your premises if you use QR codes for menus, payments, or check-ins.
Personal mobile phones are particularly vulnerable because they typically lack the security protections — antivirus software, web filtering, device management — that a properly managed business device would have.
Why This Matters More Than You Might Think
For a small business owner, the consequences of a successful quishing attack can be severe:
- Stolen banking credentials can lead to fraudulent transactions that are difficult to recover
- Compromised email accounts can be used to send fraudulent invoices to your customers (a scam known as Business Email Compromise)
- Stolen supplier login credentials can disrupt your supply chain or expose sensitive business data
- Staff personal accounts compromised on personal devices can still expose business information if those devices are used for work
The NCSC is clear: cybercriminals will impersonate trusted organisations to gain your confidence. The more professional and legitimate the fake site looks, the more effective the scam.
How to Protect Your Business
The good news is that the defences against quishing are straightforward. They don't require expensive technology — they require awareness and a few sensible habits.
For You and Your Team
Before scanning any QR code, pause and ask:
- Did I expect this? Was I waiting for an email with a QR code, or did it arrive out of nowhere?
- Does the preview URL match the organisation it claims to be from? Most QR scanner apps show you the destination link before opening it — check it carefully
- Is the QR code a sticker placed over something else? If it looks like it could have been added by someone other than the venue or organisation, don't use it
- Is there pressure to act quickly? Urgency is a classic manipulation tactic — "scan now to avoid a fine", "your account will be suspended", "your parcel is being held"
Use a QR scanner app that shows you the destination link before opening it. The built-in camera apps on both iPhone and Android do this, but many people tap through without checking. Make it a habit to read the URL before proceeding.
Apply the same scepticism to QR codes that you apply to links in emails. If you wouldn't click an unknown link in an email, don't scan an unknown QR code.
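What "matches the organisation" means in practice is shown in the Python example below, which is an addition to this article and not code from the NCSC guide. The function name `check_qr_url`, the helper `review`, and the contents of `TRUSTED_DOMAINS` are assumptions for illustration; replace the list with the domains your business actually deals with.

```python
from urllib.parse import urlsplit

# Assumption: the domains your business really uses. Replace with your own list.
TRUSTED_DOMAINS = {"revenue.ie", "aib.ie"}

def check_qr_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons) for the link a QR scanner previews."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return "do not open", ["link is malformed"]

    reasons = []
    if parts.scheme != "https":
        reasons.append("link is not https")
    if has_userinfo:
        # In https://bank.ie@other.example/ the browser goes to other.example.
        reasons.append(f"text before '@' is decoration; real site is {host}")
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("internationalised name that can imitate ordinary letters")

    # A match means the host IS a trusted domain or a true subdomain of it.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        for d in sorted(trusted):
            if d in host:
                reasons.append(f"'{d}' is only part of the name; site is really {host}")
        reasons.append(f"{host or 'destination'} is not on the trusted list")
    return ("ok" if not reasons else "do not open"), reasons

# Constructed sample links; hosts ending in .example are made up for this demo.
SAMPLES = [
    "https://www.revenue.ie/",
    "https://revenue.ie.account-verify.example/login",
    "https://revenue.ie@pay.example/",
    "http://www.aib.ie/",
    "https://xn--rvenue-cva.ie/",
]

def review(samples=SAMPLES):
    """Map each sample link to its verdict."""
    return {u: check_qr_url(u)[0] for u in samples}

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", *check_qr_url(link))
```

Only the first sample passes: the name you recognise has to be the end of the host name, not merely appear somewhere in the link.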
For Your Business Operations
If you use QR codes in your own business — for menus, payments, or customer check-ins — take these steps:
- Use tamper-evident materials for any physical QR codes, or display them on digital screens rather than printed stickers
- Check your QR codes regularly to make sure they haven't been covered by a fraudulent sticker
- Brief your staff on quishing as part of your regular security awareness — it takes five minutes and could prevent a costly incident
If You Think You've Been Caught Out
Act quickly. The faster you respond, the more you can limit the damage.
- Change your passwords immediately — especially for any accounts you may have entered details into, and any accounts that use the same password
- Contact your bank — report the incident and ask them to monitor for suspicious transactions or freeze the account if necessary
- Run a full antivirus scan on the device you used
- Report it to An Garda Síochána at your local station — cybercrime reports help build the picture of what's happening nationally
- Report it to the NCSC by emailing [email protected] — they track these campaigns and can issue warnings to other businesses
The Bigger Picture: Security Awareness Is Your First Line of Defence
Quishing is one variant of a much broader category of threat: social engineering. Criminals exploit human psychology — trust, urgency, familiarity — rather than technical vulnerabilities. No firewall or antivirus software will stop a staff member from scanning a malicious QR code if they haven't been told what to look for.
This is why security awareness training is not a nice-to-have for Irish SMEs — it's a necessity. The NCSC's guidance is clear, practical, and free. But awareness needs to be embedded into your team's daily habits, not just read once and forgotten.
If your business handles customer data, processes payments, or relies on email for supplier communications (which is almost every business in Ireland), you have a responsibility to ensure your team knows how to spot these attacks.
Further Reading
The NCSC Ireland has published several practical guides that are worth bookmarking:
- NCSC Quick Guide: QR Code Phishing Scams — the source document for this article
- NCSC Quick Guide: Phishing — the broader phishing landscape
- An Garda Síochána: I've been caught out by an online scam — what to do if it happens to you
Not Sure How Exposed Your Business Is?
Quishing is just one of dozens of threats facing Irish SMEs right now. If you're not sure where your biggest vulnerabilities are, a structured security review will give you a clear picture — and a prioritised action plan that doesn't require a large budget or a full-time IT team.
Book a free 20-minute strategy call with our vCISO team. We work with small and medium businesses across Ireland, and we'll give you an honest assessment of your current security posture and the practical steps that will make the most difference.
No jargon. No scare tactics. Just clear, actionable advice from people who've spent decades working in cybersecurity at the highest levels.
Sources: NCSC Ireland Quick Guide — QR Code Phishing & Scams (January 2025); An Garda Síochána Cybercrime guidance; NCSC UK QR Code Risk guidance.