What Is QR Code Phishing (Quishing)?
QR code phishing, known as quishing, is a cyberattack in which a malicious QR code replaces a traditional hyperlink to deliver victims to a credential-harvesting page, malware download, or fraudulent payment portal. Because the attack payload is encoded in an image rather than text, it bypasses the URL-scanning filters used by most email security gateways. QR code phishing attacks surged 587% in 2023 and now represent nearly 11% of all phishing payloads observed in 2024.
What Is Quishing and How Is It Different from Standard Phishing?
Quishing is a variant of phishing that exploits the visual opacity of QR codes. A standard phishing email contains a hyperlink that security tools can inspect, flag, and block based on the URL's reputation, domain age, or known threat signatures. A QR code is a machine-readable image. The malicious URL is embedded inside the image, invisible to text-based filters and inaccessible to most legacy email scanning engines.
This fundamental difference gives quishing a structural bypass advantage over conventional phishing. An email containing only a QR code image and no suspicious text or links can pass through organizational email gateways, spam filters, and secure email solutions that were not built to decode image-based payloads.
NIST Special Publication 800-177 on trustworthy email identifies link-based deception as the core mechanism behind phishing attacks and recommends real-time analysis at the point of interaction rather than at the point of delivery. That guidance is especially relevant to quishing, where delivery-time scanning is largely ineffective.
Why Does Quishing Matter? The Statistics
The growth trajectory of QR code phishing is steep, rapid, and shows no sign of reversal.
QR code payloads in phishing emails represented just 0.8 percent of all phishing content in 2021. By 2023 that figure had risen to 12.4 percent, and it sustained a rate of 10.8 percent through 2024, according to the Egress Phishing Threat Trends Report. Barracuda threat intelligence researchers found that QR codes appeared in 22 percent of all phishing attacks observed in early October 2023.
The FBI Internet Crime Complaint Center (IC3) 2024 Annual Report documented a sharp rise in schemes using QR codes, particularly in tech support scams, extortion cases, and government impersonation frauds. Losses from QR code and cryptocurrency ATM schemes combined reached nearly $247 million in 2024.
Abnormal Security research found that corporate executives receive 42 times more QR code phishing attacks than non-executive employees, reflecting attackers' awareness that executive credentials unlock significantly more valuable access. Recorded Future documented a 433 percent increase in QR code scans between 2021 and 2023, driven in part by pandemic-era normalization of QR code use in restaurants, retail, and healthcare settings.
The average cost of a data breach in 2023 was $4.45 million according to IBM, a figure that applies directly to quishing attacks that result in credential compromise, account takeover, or ransomware deployment.
How Does a Quishing Attack Work?
The attack combines visual trust, mobile behavior, and filter evasion into a sequence that is difficult to detect without purpose-built defenses.
Step 1: Lure Construction
The attacker crafts an email that impersonates a trusted brand (Microsoft, Adobe, DocuSign, a financial institution, or a government agency). The email contains a QR code and urgent context: a document awaiting signature, an account requiring verification, a pending payment, or a two-factor authentication reset. More than half of all quishing emails impersonate Microsoft, according to Keepnet research.
Step 2: Filter Bypass
Because the malicious URL is encoded inside the QR code image, the email contains no suspicious text links for scanning engines to evaluate. The message passes through organizational email gateways and lands in the recipient's inbox with no warning flags.
Step 3: Mobile Device Redirection
The recipient scans the QR code with their smartphone. This shifts the interaction from a corporate-managed device, which may have endpoint protection, to a personal mobile device that almost certainly does not. Mobile browsers provide fewer security indicators than desktop equivalents and display abbreviated URLs that make domain inspection difficult.
Step 4: Credential or Data Capture
The QR code resolves to a convincing clone of a legitimate login page. The victim enters credentials, completes a fake MFA prompt, or downloads malware. According to Keepnet, 89.3 percent of detected quishing attacks are designed to capture personal data or login credentials.
Step 5: Account Takeover or Payload Deployment
Stolen credentials are used immediately to access corporate accounts, email systems, or financial platforms. In attacks targeting executives, a single compromised account can provide access to payment authorization systems, sensitive communications, and the ability to initiate downstream BEC attacks against clients and vendors.
What Does a Real Quishing Attack Look Like?
In 2023, a Microsoft Office 365 quishing campaign targeted employees across multiple organizations. Victims received emails appearing to come from internal IT departments, claiming a document was awaiting their signature in Microsoft 365. The emails contained a QR code. When scanned, the code directed victims to a convincing replica of the Microsoft 365 login portal.
The attack was designed to capture both the username and password and the MFA token in a single interaction. Phishing-as-a-service platforms including Tycoon 2FA and Greatness were observed incorporating this technique to intercept session cookies and bypass multi-factor authentication entirely, according to Recorded Future research published in 2024.
A separate real-world case documented by CNBC and security researchers involved a 60-year-old woman in Singapore who lost $20,000 after scanning a QR code affixed to a bubble tea shop window. The code appeared to offer a free drink in exchange for completing a survey. It instead downloaded a malicious application requesting microphone and camera access, ultimately compromising her banking credentials and enabling unauthorized account access.
How Can You Tell If a QR Code Is Malicious?
Use this checklist before scanning any QR code received by email, posted in a physical location, or embedded in a document.
- Preview the URL before visiting it. Most smartphone cameras display a URL preview before opening a browser. Read the full domain carefully. A legitimate Microsoft link does not contain random strings, hyphens, or unfamiliar top-level domains.
- Be suspicious of urgency. Legitimate services do not require QR code scanning to verify accounts, access documents, or complete payments under time pressure.
- Check for physical tampering. QR codes on restaurant menus, parking meters, ATMs, and retail signage can be overlaid with malicious stickers. If a QR code looks recently applied or sits unevenly over another surface, do not scan it.
- Question why a QR code is in an email. Internal IT communications, invoices, and account alerts from legitimate services generally do not require QR code scanning. This format is a quishing red flag.
- Verify through an independent channel. If an email from your bank or employer contains a QR code, call the sender using a number from their official website before scanning.
- Do not scan codes from unknown senders. Quishing campaigns frequently use spoofed or compromised accounts. A QR code from a known sender is not automatically safe if that account has been compromised.
- Use a QR code scanner with built-in threat analysis. Consumer camera apps provide no security evaluation. Dedicated scanning tools that check the resolved URL against threat databases before opening it provide a meaningful additional layer of protection.
What Steps Can Organizations and Individuals Take to Prevent Quishing?
For individuals: Treat every QR code as a link you cannot read in advance. Apply the same skepticism you would apply to clicking an unfamiliar hyperlink in an email. Preview, verify, and when in doubt, navigate to the service directly rather than through the code.
For organizations: NIST SP 800-177 recommends email security controls that analyze content at the point of interaction rather than only at delivery. Security tools that decode QR codes embedded in email images and evaluate the resolved URL against threat intelligence databases close the bypass gap that standard gateways leave open. Employee training that includes quishing simulation exercises measurably improves detection rates: security training improved QR phishing detection by 87 percent within three months in controlled studies cited by Keepnet.
DMARC enforcement at p=reject, combined with SPF and DKIM across all organizational domains, reduces the volume of impersonated emails carrying malicious QR codes that reach employee inboxes. For multi-factor authentication, FIDO2 hardware security keys rather than SMS codes or app-based TOTP are the only MFA method that resists the adversary-in-the-middle interception used in advanced quishing attacks: the key's response is cryptographically bound to the origin of the page requesting it, so a login captured on a lookalike domain cannot be replayed to the real service.
For email security at the device level: Standard gateways do not decode QR code images. AI-native email security tools that extract, decode, and evaluate QR code payloads at the time of delivery and again at the time of interaction provide the coverage that legacy solutions structurally cannot.
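As an added illustration (not code from this page or from any vendor named on it), the Python below applies the preview-the-URL checks from the checklist above and the "evaluate the resolved URL" step to a URL that has already been decoded from a QR code image. It assumes the image decoding happens beforehand (for example with a library such as pyzbar), and the brand allowlist, familiar-TLD list and shortener list are short illustrative assumptions rather than complete threat intelligence.

```python
import math
import re
from urllib.parse import urlparse

# Brands the page names as common quishing lures, with domains they
# legitimately use (assumption: short illustrative allowlist, not exhaustive).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "adobe": {"adobe.com"},
}
FAMILIAR_TLDS = {"com", "net", "org", "gov", "edu"}   # assumption: illustrative
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumption: illustrative


def _entropy(s):
    """Shannon entropy in bits per character; random-looking tokens score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def assess_decoded_url(url):
    """Apply the page's preview-the-URL checks to a URL decoded from a QR code.
    Returns a list of human-readable findings; an empty list means no red flag."""
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname in decoded URL"]
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive eTLD+1, adequate for .com-style hosts
    if parsed.scheme != "https":
        findings.append("not https")
    if host in SHORTENERS:
        findings.append("shortener hides the real destination")
    if labels[-1] not in FAMILIAR_TLDS:
        findings.append(f"unfamiliar top-level domain .{labels[-1]}")
    if host.count("-") >= 2:
        findings.append("hostname built from hyphenated keywords")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and registrable not in legit:
            findings.append(f"'{brand}' appears on non-{brand} domain {registrable}")
    # Long high-entropy segments look like per-victim tracking or session tokens.
    segments = re.split(r"[/?&=]", parsed.path + "?" + parsed.query)
    if any(len(s) >= 20 and _entropy(s) > 3.5 for s in segments):
        findings.append("long random-looking token in path or query")
    return findings
```

A gateway or device-side scanner would run this on every decoded payload and quarantine or warn on any non-empty result; the thresholds are starting points to tune against your own mail.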
Trust Aside: SO Email Security decodes and evaluates QR codes found in email content locally on your device. No email content is transmitted to external servers. No scanning behavior is logged. Your inbox remains entirely private while every QR code is evaluated before it reaches a browser.
What Is the Single Most Important Rule for QR Code Safety?
A QR code is a link you cannot read before you follow it. Treat it accordingly.
The convenience that makes QR codes useful is precisely what makes them dangerous in an attacker's hands. Any QR code that arrives unexpectedly, creates urgency, or requires you to log into anything deserves the same verification you would apply to a suspicious hyperlink. Preview the URL. Confirm the sender. Navigate directly if in doubt.
Sources: FBI IC3 2024 Internet Crime Report · NIST SP 800-177 Rev. 1 Trustworthy Email · Egress Phishing Threat Trends Report 2024 · Abnormal Security QR Code Attack Research 2023 · Recorded Future Insikt Group Q1 2024 · Barracuda Threat Intelligence 2023 · Keepnet QR Code Phishing Statistics 2025 · IBM Cost of a Data Breach Report 2023 · TitanHQ QR Code Phishing Research
We earn revenue from subscriptions, never from your data. That's the Ṣọ promise.
#Quishing #QRCodePhishing #EmailSecurity #Phishing #Cybersecurity #MobileSecurity #TitanHQ #SoEmailSecurity #PrivacyFirst