Skip to content

What is Quishing - QR code Phishing?

Home  /  Phishing Protection  /  What is Quishing - QR code Phishing?

What is Quishing - QR code Phishing?

Phishing takes many forms, and cybercriminals will find and use any opportunity to trick a person. The QR code is one of the latest technologies to be exploited for criminal gain. QR Codes are a widespread technology found everywhere, from restaurants to car parks to login pages. The popularity of the QR code is down to its convenience. This popularity is captured in a 2024 report on QR Code trends, which found a 47% increase in QR code usage each year. QR Codes are easy to use, with most Android and iOS smartphones offering in-built QR Code scanners. In the USA, around 80% of users trust QR code technology. It is this trust and convenience that scammers are exploiting.

Protect Your Business from QR Code Phishing - Book a Demo with PhishTitan Today!

Book Demo Now

Why are QR Codes Used for Phishing?

The COVID-19 pandemic promoted using QR codes as an ideal contactless way for customers to access information. The convenience, widespread use, trustworthiness, and popularity of QR codes made QR codes an attractive target for cybercriminals. QR Code phishing or “Quishing” is now an established form of behavior manipulation scammers use. Some recent examples of Quishing include the following:

Examples of QR Code Phishing

QR Code Voicemail Scams: QR code-enabled voicemail scams begin previously compromised legitimate employee account credentials. These login credentials are then used to gain unauthorized access to Microsoft Outlook accounts. The attackers use these legitimate accounts to send emails that purport to contain a voicemail from the account holder. The email states that to hear the voicemail, the recipient must scan a QR code contained in the email. If the employee scans the QR Code, they are taken to a spoof but realistic-looking Microsoft login page. The credentials will be stolen if the employee enters their credentials to listen to the supposed voicemail.

QR Code Banking Scams: Santander and other banks are aware of QR Code scammers that use spoof emails pretending to be from the bank. The emails ask customers to consent to a new data policy or review a security process by scanning a QR code in the email. Examining the code, the email customer is sent to a landing page that looks exactly like the bank’s login page.

QR Code Payment Scams: cashless parking is a part of the modern car park landscape. Often, to pay for parking, a driver will be offered a QR code to scan that will take them through a process to pay for parking. Scammers are exploiting the legitimate QR codes in many car parks, sticking fake QR codes over the top of these legitimate QR codes. When drivers scan the fake QR code, they are directed to a spoofed but legitimate-looking website, where they can enter financial card details to pay for parking. Once those details are entered, they are stolen by the fraudster.

The fact is that the QR Code is an ideal mechanism for fraud. Various tactics are evolving in this exploit, including using embedded image links in emails, which can load a QR code, and QR code images sent as attachments.

Protect Your Business from QR Code Phishing - Book a Demo with PhishTitan Today!

Book Demo Now

How Does Quishing Work?

Malicious QR Codes

The examples shown above, where spoof branded emails were used to carry QR codes, are examples of malicious QR code use. The email brand is cleverly replicated to trick employees into believing they are dealing with a legitimate company. In this type of QR code threat, attackers embed malicious QR codes in phishing emails as content or attachments. When victims scan the code using a personal mobile device, they are directed to a malicious website, where, ultimately, the execution of malware on the device occurs.

Spear Quishing

Targeted Quishing or Spear Quishing is where adversaries send spear-phishing emails with QR codes to targeted employees. The QR codes redirect the employee to spoof Microsoft Office 365 login pages. Unsuspecting users enter their login credentials, which are then stolen. These compromised credentials will then be used to access the corporate network, leading to various attacks, including ransomware infection, Business Email Compromise, and data breaches.

Why are QR Code Attacks So Dangerous?

The trustworthiness of QR codes means that individuals are more likely to interact with the code. This leads to employees feeling comfortable enough to use their mobile devices to scan the QR code. Cybercriminals understand that personal mobile devices are less secure and contain sensitive information. The hackers leverage this security flaw.

QR code attacks are also varied, making them more difficult for users to identify. Some companies are even using QR Codes to facilitate fast login. QR codes can take employees to spoof websites that steal credentials or even arrive embedded in malicious attachments that install malware.

How to Protect Yourself and Your Business from Quishing Attacks

Like other forms of phishing, the protection of employees and businesses requires an integrated and layered approach that includes the following:


QR code phishing or Quishing should be integral to security awareness training. Educate employees about Quishing dangers as part of more general phishing training and include QR codes in simulated phishing exercises. Teach employees about the various aspects of QR code technology and its exploitation. Ensure employees understand:

  • To be cautious of any QR codes embedded in emails with poor image quality or blurry.
  • QR code scanners often preview the link, allowing users to see where they’ll be taken before scanning.
  • Practice caution when scanning QR codes from unknown sources, unsolicited emails, or public places.
  • To check the URL after scanning the QR code. If the URL looks suspicious, shortened, or different from what you expected, do not proceed.
  • To swiftly report any Quishing attempt to the line manager, security team, or other company authority. This helps to mitigate incidents.

Advanced Quishing Detection

Education and mobile security are two layers of protection, but the third layer is to detect the QR code phishing threat before it enters the employee inbox. PhishTitan provides advanced phishing detection, including the detection of Quishing attempts. PhishTitan stops an employee from navigating to a malicious website that a QR code may initiate. Based on advanced AI-based algorithms to spot difficult-to-detect and complex phishing attacks, PhishTitan keeps ahead of the Quishing fraudsters.


Protect Your Business from QR Code Phishing - Book a Demo with PhishTitan Today!

Book Demo Now

Start My Free Trial Now

Sign Up
Get Your 14 Day Free Trial

Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us