What is Quishing? (QR Code Phishing)
Published: 10/26/2026
Written by: Brenda Buckman
Quishing is a type of phishing attack that uses malicious QR codes to trick people into visiting dangerous websites, downloading malware, or giving up sensitive information like passwords and credit card numbers. The term combines QR code + phishing.
Instead of clicking a suspicious link in an email, victims scan a QR code with their phone—which feels safer and slips past many traditional security filters.
As QR codes become common in everyday life (menus, parking meters, MFA logins, shipping labels, event check-ins), attackers are taking advantage of the trust people place in them.
Key Takeaways:
A Stealthy Evolution of Phishing: Quishing (QR code + phishing) bypasses traditional security filters by hiding malicious URLs within a QR code. Since many email scanners and browsers are designed to detect suspicious text links rather than images, these attacks often land directly in a user’s inbox or physical space.
Exploiting Mobile Vulnerabilities: The attack relies on the fact that scanning typically happens on mobile devices, which often lack the robust endpoint protection or corporate monitoring found on desktops. This shift to mobile makes it harder for users to preview URLs or for IT teams to intercept the threat.
High-Trust Social Engineering: Attackers capitalize on the everyday familiarity of QR codes—such as those found on restaurant menus, parking meters, and MFA prompts—to trick victims into visiting fake login pages, downloading malware, or making fraudulent payments.
Why quishing is growing fast
Traditional phishing needs users to click links. But modern defenses have gotten better:
Email security tools scan links before delivery
Browsers warn about suspicious domains
Security awareness training teaches users to hover over links
QR codes skip many of these protections because:
The actual URL is hidden until after scanning
The scan happens on a mobile device, often outside corporate protection
Users are trained to trust QR codes in public spaces
This makes quishing the next logical step in social engineering.
Common quishing attack scenarios
Fake MFA or Password Reset
Employees get an email: "Your Microsoft 365 session expired. Scan to re-authenticate."
The QR code opens a fake login page and steals credentials.
Parking Meter / Public Poster Scams
Attackers place stickers over legitimate QR codes on:
Parking meters
Restaurant tables
Event signage
Users scan and land on payment phishing pages.
Shipping & Package Notifications
Victims get a letter or email claiming a missed delivery with a QR code to "reschedule."
Fake IT Help Desk Messages
Employees are told to scan a code to:
Install security updates
Verify their device
Join VPN or Wi-Fi
This can lead to malware installation.
Why quishing is dangerous for businesses
Quishing blends phishing + mobile device risk + social engineering.
Key risks include:
Credential theft and account takeover
MFA fatigue and bypass attempts
Malware or mobile spyware installation
Access to corporate SaaS apps from unmanaged devices
Mobile devices are especially vulnerable because they often:
Lack endpoint protection
Operate outside corporate monitoring
Automatically trust QR scans
How a quishing attack works
Step | What Happens | Why It Works
--- | --- | ---
1. Delivery | Victim gets a QR code via email, poster, letter, or sticker | QR codes feel harmless and familiar
2. Scan | Victim scans the code with their phone | No visible link to check beforehand
3. Redirect | Phone opens a malicious site | Mobile devices often lack security tools
4. Social Engineering | Fake login, payment, or MFA page appears | Looks identical to trusted services
5. Data Theft or Malware | Credentials stolen or malware installed | Attack completes without suspicion
How to spot a malicious QR code
Warning Sign | What to Look For
--- | ---
Unexpected request | You weren't expecting to scan anything
Urgency or fear | "Immediate action required" messaging
Login or payment request | QR codes rarely need credentials
Public stickers | QR code placed over another code
Shortened or strange URL | Opens a suspicious domain
How to prevent quishing attacks
For individuals:
Never scan QR codes from unexpected emails or texts
Preview the URL before opening it (many phones let you do this)
Avoid scanning codes from stickers in public spaces
Install updates and mobile security tools
Use password managers to catch fake login pages
For organizations:
Add QR phishing training to security awareness programs
Deploy phishing-resistant MFA (FIDO2/passkeys)
Monitor unusual mobile logins and impossible travel events
Use conditional access and device trust policies
Block newly registered domains and suspicious redirects
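The warning-sign table above and the "preview the URL before opening it" advice can be turned into a triage check that a scanner app, a mobile device manager, or an email gateway (after decoding the QR image) applies to the decoded payload. This is an added example, not code from the original article; the shortener list, brand-to-domain mapping, and keyword list are illustrative assumptions, and the QR image decoding step is assumed to have already produced the raw string.

```python
import re
from urllib.parse import urlparse

# Assumed, illustrative lists: extend from your own threat intel and allowlists.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
CRED_WORDS = ("login", "signin", "verify", "reauth", "mfa", "reset", "password", "payment")
# Brand names the fake-MFA scenario impersonates, mapped to the apex domains
# where that brand legitimately hosts sign-in pages (assumed mapping).
BRANDS = {"microsoft": ("microsoft.com", "microsoftonline.com"),
          "office": ("office.com",)}

def triage_qr_payload(payload: str) -> dict:
    """Return the warning signs found in a decoded QR payload and a verdict."""
    reasons = []
    url = urlparse(payload.strip())
    if url.scheme not in ("http", "https"):
        # wifi:, otpauth:, intent: and similar payloads trigger device
        # actions (join network, enrol MFA, open app) rather than a web page.
        reasons.append(f"non-web scheme '{url.scheme or 'none'}'")
        return {"payload": payload, "reasons": reasons, "suspicious": True}
    host = (url.hostname or "").lower()
    if url.scheme == "http":
        reasons.append("plaintext http")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a name")
    if "xn--" in host:
        reasons.append("punycode/IDN host (possible lookalike)")
    for brand, apexes in BRANDS.items():
        # Brand name present in the host, but host is not one of its real domains
        if brand in host and not any(host == a or host.endswith("." + a) for a in apexes):
            reasons.append(f"'{brand}' in host but not a {brand} domain")
    path_q = (url.path + "?" + url.query).lower()
    if any(w in path_q for w in CRED_WORDS):
        reasons.append("credential/payment-themed path")
    if re.search(r"[?&](redirect|url|next|return)=https?", payload, re.I):
        reasons.append("open-redirect style parameter")
    return {"payload": payload, "reasons": reasons, "suspicious": bool(reasons)}

if __name__ == "__main__":
    # Constructed sample payloads modelled on the scenarios in the article.
    for sample in ("https://login.microsoftonline.com/common/oauth2/authorize",
                   "https://microsoft-365-reauth.example/login?session=expired",
                   "http://bit.ly/3abc",
                   "WIFI:T:WPA;S:Guest;P:secret;;"):
        print(triage_qr_payload(sample))
```

A scanner that surfaces these reasons before the browser opens gives the user the "preview the URL" moment the article recommends, and the same function can gate URL rewriting at the email gateway.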
Quishing vs traditional phishing
Aspect | Traditional Phishing | Quishing
--- | --- | ---
How it gets to you | Email links | QR codes
URL visibility | Can hover to check | Hidden until scanned
Device hit | Desktop/laptop | Mobile devices
Security scanning | Often scanned by tools | Often skips scanners
User perception | Growing skepticism | Higher trust
Why security teams care about quishing
Quishing works because it takes advantage of human trust + mobile blind spots.
Attackers are moving toward techniques that:
Avoid email filters
Go after identity systems and MFA
Take advantage of mobile device gaps
Quishing attacks will keep growing as QR codes stay embedded in everyday workflows.
FAQs about quishing
Malware downloads
Malicious app installs
Credential harvesting pages
The QR code itself isn't dangerous, but the site it takes you to can be!
Financial services
Healthcare
Logistics and shipping
SaaS and cloud users
IT teams
Treat QR codes like links
Verify requests through trusted channels
Avoid scanning codes from emails or letters