June 1, 2026
QR Code Phishing: How "Quishing" Works and How to Avoid It
QR code phishing, or "quishing," is an emerging cybersecurity threat. Attackers embed malicious links in QR codes to steal login credentials, personal information, and payment data.
This guide explains how quishing works and how to defend against it.
What Is Quishing?
Quishing is a phishing attack that uses QR codes instead of traditional email links or attachments. The QR code leads to a fraudulent website designed to steal information.
Why Attackers Use QR Codes
| Reason | Explanation |
|---|---|
| URL hidden | The destination URL is not visible before scanning |
| Trust factor | QR codes appear legitimate |
| Bypasses email filters | Images in emails bypass text-based filters |
| Mobile targeting | Phone screens show less URL detail |
How Quishing Attacks Work
Attack Pattern
- Create: Attacker creates a fake website that looks legitimate
- Code: Attacker generates a QR code linking to the fake site
- Distribute: QR code is placed on posters, stickers, or in emails
- Trap: Victim scans the code and is directed to the fake site
- Harvest: Victim enters credentials, which are captured
Common Lures
| Lure | Example |
|---|---|
| Account alert | "Your account has been locked. Scan to verify." |
| Payment needed | "Scan to pay your outstanding balance." |
| Exclusive offer | "Scan for a special discount." |
| Package delivery | "Scan to track your package." |
| Event access | "Scan for event entry." |
Real-World Quishing Examples
Parking Payment Scams
Attackers place QR code stickers on parking meters, linking to fake payment pages.
Email-Based Quishing
Emails containing QR code images with urgent messages:
Subject: Your Microsoft 365 password expires today
Scan the QR code below to verify your account and keep your email active.
[QR CODE IMAGE]
Microsoft Security Team
Fake 2FA Setup
Attackers send QR codes that appear to be for two-factor authentication setup but actually link to credential harvesting sites.
How to Detect Quishing
Visual Inspection
| Red Flag | What to Check |
|---|---|
| Unexpected QR code | Did you expect to see a QR code here? |
| Urgency in message | Is the message pressuring you to act quickly? |
| Generic greeting | "Dear user" instead of your name |
| Poor design | Typos, low-quality logos, odd formatting |
| Sticker overlay | QR code on a sticker, not printed directly |
Technical Inspection
| Tool | How It Helps |
|---|---|
| URL preview | Phone camera shows the URL before opening |
| QR scanner with preview | Apps that show the decoded URL |
| Link checker | Paste the URL into a link-checking service |
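One way to script the URL check from the table above, as an added example that is not part of the original guide: it takes the URL a scanner decoded from a QR code and lists the reasons to look closer before opening it. The allowlist, the shortener list, the flag names and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: your own allowlist and shortener list go here.
TRUSTED_HOSTS = {"login.microsoftonline.com", "pay.parking.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample payloads, as decoded by a scanner (not real indicators).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.verify-account.example/signin",
    "https://login.microsoftonline.com@203.0.113.7/login",
    "http://203.0.113.7/pay",
    "https://bit.ly/abc123",
]

def inspect_qr_url(payload: str) -> list[str]:
    """Return reasons a decoded QR payload needs a closer look (empty = no flags)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["unparseable"]
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    if "@" in parts.netloc:  # text before '@' is userinfo, not the destination
        flags.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # may render as a look-alike name
    if host in SHORTENERS:
        flags.append("shortener-hides-destination")
    if host not in TRUSTED_HOSTS:
        flags.append("host-not-on-allowlist")
        # Trusted name embedded in a different domain (not a real subdomain of it).
        if any(t in host and not host.endswith("." + t) for t in TRUSTED_HOSTS):
            flags.append("trusted-name-inside-other-host")
    return flags

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", inspect_qr_url(url) or "no flags")
```

An empty list only means none of these checks fired; the link-checking service in the table still applies to URLs that pass.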
Protecting Your Organization
Employee Training
| Training Topic | Key Message |
|---|---|
| QR code awareness | QR codes can lead anywhere |
| URL previewing | Always check the URL before opening |
| Reporting | Report suspicious QR codes to IT |
| Verification | Verify QR codes with the source |
Technical Controls
| Control | Implementation |
|---|---|
| URL filtering | Block known malicious domains |
| Mobile device management | Enforce security policies on work phones |
| QR scanner policy | Approve specific QR scanning apps |
| Multi-factor authentication | Even if credentials are stolen, MFA blocks access |
Case Study: Office Building Quishing
Attackers placed fake QR code posters in an office building lobby claiming to offer "free coffee" to employees who scanned.
The attack: QR code led to a fake Microsoft 365 login page.
The result: 30+ employees entered their credentials before IT was alerted.
The fix: IT reset all affected passwords and implemented mandatory QR code security training.
What to Do If You Fall Victim
- Change passwords immediately on the affected account
- Enable MFA if not already enabled
- Contact your organization's IT/security team
- Monitor accounts for suspicious activity
- Report the attack to law enforcement
Creating Secure QR Codes for Your Business
When you publish QR codes of your own, use dynamic QR codes with tracking so you can monitor for unusual activity.
Conclusion
Quishing is a growing threat, but awareness is the best defense. Always preview URLs before opening, verify QR code sources, and never enter credentials on a site you reached via an unsolicited QR code.