Date: 2025-08-01

Smartphone users in South Africa should avoid scanning random QR codes posted online, in text messages, or in public spaces, or risk exposing their personal or financial information.

Several major banks have recently observed that this phishing tactic — informally called “quishing” — is making a comeback among criminals.

Late last week, Standard Bank issued a warning to customers via its mobile app and explained how quishing worked.

The notice came shortly after a Standard Bank customer told MyBroadband about an incident where a malicious party claiming to represent a banking employee had tried to steal their card details.

The caller claimed that the customer’s bank account had been compromised and that he would receive a QR code he must scan to enter his card details and block his account.

Fortunately, the target was well-informed about common phishing tactics. He ended the call and contacted his bank to confirm the status of his account.

The bank duly informed him that his account was secure and that the fraudster had likely tried to get him to open a malicious link to phish his information or deploy malware on his device.

Standard Bank’s Anti-Fraud and Security division has also warned people never to scan a QR code sent via e-mail, WhatsApp, or another communications channel.

While the resurgence of this type of attack is relatively recent, QR code technology has existed for decades.

Quick response (QR) codes were initially developed by Japanese engineer Masahiro Hara in 1994 to act as identifiers for car parts linking to additional information.

A QR code is fairly simple on a technical level. Its pattern of black-and-white segments represents a binary code that can hold many kinds of data.

That includes a URL for a website or other online service. For consumers, scanning a QR code to open a link on their phone is often far simpler than manually entering the URL.

South African banks have adopted QR codes for various features in the past few years, including payments and online banking logins.

Their use in scan-to-pay apps may create the impression that QR codes are secure. However, they are merely specific types of data encoded for reading by a camera.

South Africa’s biggest bank by customers — Capitec — told MyBroadband it has observed multiple cases where fraudsters impersonating Capitec officials sent QR codes via WhatsApp, SMS, e-mail or apps.

These scams aim to trick clients into authorising fraudulent online banking sessions, visiting fake Capitec websites, and providing sensitive details like ID numbers or card information.

The bank uses QR codes as an online banking login option on its official website — capitecbank.co.za — and in the Capitec app for scan-to-pay or for receiving payments.

However, Capitec said it would never ask a client to scan a QR code during phone calls or messaging conversations.
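Because a QR code is only encoded text, the link it carries can be inspected before anything is opened. The sketch below is an added example, not code from any bank or from MyBroadband: it checks a decoded payload against an allowlist containing the official Capitec domain named above and flags common lookalike patterns. The function name, verdict strings and sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: an allowlist of the domains the user actually banks with.
# capitecbank.co.za is the official site named in the article.
OFFICIAL_DOMAINS = {"capitecbank.co.za"}


def check_qr_payload(payload, official=OFFICIAL_DOMAINS):
    """Return a verdict string for text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return "malformed"
    if parts.scheme not in ("http", "https"):
        return "not-a-web-link"      # Wi-Fi config, plain text, etc.
    if parts.scheme != "https":
        return "not-https"
    if has_userinfo:
        # Text before '@' is a username, not the site being visited.
        return "userinfo-in-url"
    if not host:
        return "malformed"
    try:
        ipaddress.ip_address(host)
        return "ip-address-host"     # banks publish names, not raw IPs
    except ValueError:
        pass
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "idn-host"            # possible look-alike characters
    # Exact match or a true subdomain; a prefix match is not enough.
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    return "unofficial-host"


if __name__ == "__main__":
    # Constructed sample payloads, not taken from real incidents.
    samples = [
        "https://www.capitecbank.co.za/login",
        "https://capitecbank.co.za.secure-login.example/verify",
        "https://capitecbank.co.za@198.51.100.7/",
        "http://capitecbank.co.za/",
        "https://capitecb\u0430nk.co.za/",   # Cyrillic 'a' in the name
        "WIFI:S:Cafe;T:WPA;P:x;;",
    ]
    for s in samples:
        print(f"{check_qr_payload(s):16} {s!r}")
```

Only the "official" verdict means the host belongs to an allowlisted domain; every other verdict is a reason to stop and contact the bank through its usual channels.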

Discovery Bank and Absa not seeing similar impact

Discovery Bank said it was unaware that any of its customers were suffering fraud as a result of quishing.

The bank does not use QR codes to authenticate, validate, or authorise transactions or interactions with customers.

Absa Personal and Private Banking chief fraud strategy and analytics officer, Ulrich Janse van Rensburg, told MyBroadband the bank knew the industry was experiencing some risk on this front.

However, Absa has not observed the tactic being applied in an attempt to defraud its clients, possibly because the bank did not offer QR-based login capability to access internet banking.

Janse van Rensburg said that although Absa had services that incorporated QR codes, it ensured these were rolled out responsibly to protect its customers against QR code risk.

Among the measures he recommended for banks was to deploy dynamic QR codes and create awareness of QR code fraud risks.

Nedbank has advised its customers to exercise caution when scanning QR codes in public or from unsolicited sources. Its key recommendations included:

- Only scan QR codes from official platforms such as the bank’s website or ATM. Do not use your banking app to scan QR codes sent via social media platforms or messaging apps.

- Avoid scanning codes from e-mails, SMSs, or posters unless verified through official channels.

- Manually type URLs into your browser rather than clicking on links or scanning codes from unknown sources.

- Install apps only from trusted sources like the Apple App Store or Google Play Store.

- Report suspicious QR codes or phishing attempts via your bank’s official channels.

In addition to targeting people through phone calls and texts, fraudsters may also post QR codes linking to malicious websites or software in public spaces.

MyBroadband recently found several videos on TikTok showing people putting up QR codes with messaging that invites passers-by to scan them, trying to get the better of their curiosity.

These may lead to something as innocent as a Rick Roll video. However, Janse van Rensburg advised against scanning codes in public areas, as there was no way to validate whether they contained a malicious link.