What Is Quishing?
Quishing—a portmanteau of "QR code" and "phishing"—is a cyberattack in which adversaries create malicious QR codes to redirect victims to fraudulent websites designed to steal credentials, personal information, or financial data, or to deploy malware. Unlike traditional phishing that relies on clickable links embedded in email, QR codes operate as encoded images that evade standard email security gateways. QR codes can be distributed through phishing emails, PDF attachments, social media, printed materials, or physical surfaces such as parking meters, menus, and public signage, creating both digital and physical attack surfaces that are difficult to monitor and control.
How does quishing work?
Quishing attacks follow a structured lifecycle that exploits the trust users place in QR codes as a modern, legitimate technology. The attacker begins by generating a QR code using freely available online tools or URL shorteners, encoding a malicious URL that either impersonates a trusted brand (Microsoft 365, DocuSign, or the victim's own company) or redirects to a credential-harvesting site. The attacker then distributes the QR code through multiple channels: embedded directly in phishing emails, attached within PDF documents, placed as stickers on physical locations like parking meters or restaurant menus, or shared via social media platforms. When the victim scans the code using their mobile device camera, the URL is executed immediately without displaying the destination to the user beforehand, bypassing the security decisions users typically make when hovering over links.
Once the victim scans the code, they are directed to a spoofed login page or to a site that triggers a malware download. The attacker then harvests the credentials or financial information, or deploys malware for subsequent exploitation. According to Barracuda's 2024 threat research, Microsoft (including SharePoint and OneDrive) was impersonated in 51% of QR code phishing PDF attacks, DocuSign in 31%, and Adobe in 15%, demonstrating the targeting of widely used productivity platforms. The key evasion advantage lies in how QR codes appear to email security systems: they are encoded images without visible URLs, making them invisible to traditional Secure Email Gateways (SEGs) that scan for malicious links. Additionally, the cross-device attack dynamic—where phishing emails arrive on corporate computers but scanning occurs on personal mobile phones lacking enterprise security policies—creates a critical gap in organizational defenses.
How does quishing differ from email phishing and smishing?
| Dimension | Email Phishing | Smishing (SMS) | Quishing (QR Code) |
|---|---|---|---|
| Delivery channel | Email with embedded URL or attachment | SMS text message | QR code (digital or physical) |
| Primary evasion method | URL obfuscation, domain spoofing | Bypasses email filters entirely | Image-based payload; defeats SEGs |
| Detection difficulty | Moderate (SEGs analyze links) | Moderate (carrier filters evolving) | Very high (QR codes are opaque images) |
| Device involvement | Same device (work computer) | Same device (phone) | Cross-device (email on computer, scan on phone) |
| User perception | Declining trust in links | Higher than email; SMS feels direct | High (QR codes perceived as safe/modern) |
| Physical attack surface | Digital only | Digital only | Digital and physical (stickers, posters) |
| URL visibility before action | User can hover to preview URL | URL visible in message | URL hidden until scanned and loaded |
| Reporting rate | Higher (email security tools flag them) | Moderate | Only 36% accurately identified and reported |
| Ideal for | Mass phishing campaigns | Personal/BYOD targeting | Blending digital/physical, evading email gateways |
Neither approach is universally better; rather, attackers select based on organizational defenses and target context. Email phishing remains volume-effective against users with weak training, smishing exploits mobile-first workforces, and quishing specifically targets organizations with strong email security by pivoting to the cross-device attack surface.
Why has quishing gained traction?
Quishing has become increasingly prevalent due to both technical and behavioral factors that create a favorable attack environment. According to Keepnet Labs, QR code phishing as a percentage of all phishing payloads rose from 0.8% in 2021 to 12.4% in 2023 and sustained 10.8% in 2024, demonstrating sustained attacker interest. More critically, between 2023 and 2025, QR code attacks increased by 400%, with incidents rising 25% year-over-year into 2025. Barracuda detected over 500,000 phishing emails containing QR codes in PDF documents during a three-month period spanning mid-June to mid-September 2024 alone.
The technical advantage of quishing is significant: QR codes appear as simple image files in emails and attachments, which most SEGs cannot decode or analyze for malicious content. Unlike clickable text links that email security tools can scan and cross-reference against threat databases, QR codes hide their destination URL inside a visual pattern. Additionally, Barracuda's 2025 research identified advanced evasion techniques including split QR codes—where a single QR code is fragmented across two separate images in an email, causing security solutions to see only benign-looking image files rather than a complete, scannable code.
Behavioral factors amplify the technique's effectiveness. According to QRCode Tiger's 2025 research, 73% of Americans scan QR codes without verification, reflecting widespread normalization of the technology. This trusting behavior is reinforced by legitimate uses of QR codes in business contexts—restaurant menus, event registrations, payment systems—making it difficult for users to develop healthy skepticism. Microsoft reported that 25% of email phishing attacks in late 2024 used QR codes as the primary lure, indicating that attackers are increasingly prioritizing this technique. However, this success comes with caveats: the technique requires victims to actively scan the code and then navigate to the site, adding friction compared to clicking an embedded link. Physical QR code campaigns risk exposure through CCTV footage or witness observation, limiting scalability for stationary attacks.
What are the limitations of quishing?
Quishing, despite its growing prevalence, faces practical constraints that limit its effectiveness and enable defenses. First, the technique requires user action beyond simply clicking a link—victims must deliberately open their phone camera, locate and point it at the QR code, and wait for the system to decode and navigate to the URL. This friction introduces cognitive space where users may reconsider their actions, particularly if they are security-aware or if the context feels unusual. Second, physical QR code attacks—such as sticker placements on parking meters—create investigative trails; attackers placing physical codes risk capture on CCTV footage or apprehension by witnesses, limiting deployment to locations with minimal surveillance or traffic.
Third, many modern mobile browsers include URL inspection and warning features that alert users to suspicious or unknown destinations after a QR code is scanned, providing a secondary defense mechanism. Fourth, emerging detection tools using computer vision and machine learning are being integrated into email security platforms. Check Point Harmony, Barracuda, and IRONSCALES have all deployed QR code analysis engines that can identify, decode, and assess the risk of embedded QR codes in emails and attachments. Fifth, legitimate organizations can physically remove or cover fraudulent QR code stickers once discovered, though detection may lag significantly. Finally, the FBI IC3 Recovery Asset Team achieved a 66% success rate freezing fraudulent wire transfers in 2024, demonstrating that even if initial attacks succeed, recovery remains possible through rapid intervention.
The primary defense gap is user reporting: only 36% of quishing incidents were accurately identified and reported by recipients according to Keepnet Labs 2025 data, indicating that most victims either do not recognize attacks or do not report them. This underreporting gap enables attackers to maintain campaigns longer than email phishing, where email security tools provide automatic reporting. Additionally, personal mobile devices used for scanning typically lack corporate Mobile Device Management (MDM) policies, creating an unprotected zone outside enterprise defenses.
How can organizations defend against quishing?
Organizations should deploy a layered defense strategy addressing the specific characteristics of QR code phishing. Technically, implement email security solutions with QR code detection capabilities—platforms that use computer vision models to scan emails and attachments for QR codes, decode the embedded URLs, and assess risk against known threat databases. Solutions from Check Point, Barracuda, and IRONSCALES now offer this capability. Simultaneously, enforce DMARC at p=reject to prevent domain spoofing of legitimate brands, and deploy multi-factor authentication (MFA) on all critical systems so that even if credentials are harvested via quishing, unauthorized access is blocked. For organizations with distributed workforces, implement Mobile Device Management policies that detect and block access to known malicious URLs even when accessed via personal phones.
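The DMARC control above is easy to deploy in name only: a record published at p=none satisfies "we have DMARC" while rejecting nothing, so a spoofed brand sender still lands in the inbox. The script below is an added example, not code from the article or from any vendor it names; it parses the text of a DMARC TXT record (what a DNS lookup of _dmarc.<domain> returns) and reports whether the policy actually enforces p=reject on the domain and its subdomains. The two records and the example.com addresses are constructed samples, not real lookups.

```python
"""Audit a DMARC TXT record for the enforcement the article recommends (p=reject).

Added example: this is not code from the article or from any vendor it names.
It parses the record text that a DNS TXT lookup of _dmarc.<domain> would return;
the two records below are constructed samples, not real lookups.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample records: a monitoring-only policy next to an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com"
)


@dataclass
class DmarcAudit:
    policy: str            # value of p=
    subdomain_policy: str  # value of sp= (defaults to p= per RFC 7489)
    pct: int               # share of failing mail the policy is applied to
    findings: list[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when spoofed mail from the domain and its subdomains is rejected."""
        return self.policy == "reject" and self.subdomain_policy == "reject" and self.pct == 100


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> DmarcAudit:
    """Explain why a record does or does not stop domain spoofing of the brand."""
    tags = parse_dmarc(record)
    findings: list[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1; receivers will ignore it")
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'absent'}: spoofed mail is delivered (at most quarantined), not rejected")
    sub_policy = tags.get("sp", policy).lower()  # sp= falls back to p= when absent
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy or 'absent'}: subdomain spoofing is not rejected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not an integer")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    return DmarcAudit(policy, sub_policy, pct, findings)


if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("enforced", ENFORCED_RECORD)):
        audit = audit_dmarc(record)
        print(f"{name}: enforcing={audit.enforcing}")
        for finding in audit.findings:
            print("  -", finding)
```

The `enforcing` property is deliberately stricter than "p=reject is present": a missing sp= is fine (it inherits p=), but an explicit sp=none or a pct below 100 leaves a gap that a spoofed subdomain or a sampled-out message can slip through. The missing rua= finding does not affect enforcement but is listed because without aggregate reports the organization never learns that its brand is being spoofed.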
From a process perspective, organizations should mandate out-of-band verification for any wire transfer requests, credential changes, or sensitive data requests—requiring a separate phone call to confirm the request using a contact number retrieved from internal records, not from the suspicious communication. This single control defeats most quishing attacks targeting financial transactions. Additionally, establish a clear incident response procedure for reported QR code phishing, enabling IT teams to rapidly quarantine malicious emails and notify potentially affected recipients.
User education should move beyond generic phishing awareness to include QR code-specific scenarios. Train employees to never scan QR codes from unknown or unexpected sources, and if a QR code comes from a trusted sender via email, to verify the request through a separate channel before scanning. After scanning any QR code, users should examine the URL in the browser address bar before entering any sensitive information, looking for correct domain spelling, HTTPS encryption, and recognition of the destination. Encourage use of QR scanning apps that preview the full URL before navigating, rather than auto-opening the link. For organizations with physical assets, conduct regular visual audits of QR codes on parking meters, menus, signage, and other materials, removing unauthorized sticker overlays promptly.
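Both the gateway-side control described earlier (decode the QR code, then assess its URL) and the user-side check just described (preview the URL, check domain spelling and HTTPS before entering anything) come down to the same triage of a decoded URL. The script below is an added example, not code from the article or from any vendor product it names. It assumes the QR image has already been decoded to text by an upstream library such as pyzbar or OpenCV's QRCodeDetector and handles only the resulting URL strings; its trusted-domain list, shortener list and sample URLs are constructed for illustration rather than pulled from a threat feed.

```python
"""Triage a URL decoded from a QR code before a user or a gateway follows it.

Added example: not code from the article or from any vendor product it names.
It assumes the QR image has already been turned into text by an upstream decoder
(for example pyzbar or OpenCV's QRCodeDetector); only the decoded URL strings are
handled here. The trusted-domain list, shortener list and sample URLs are
constructed for illustration, not taken from a threat feed.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Brands the article reports as most impersonated in QR-in-PDF lures, with
# the registrable domains their genuine sign-in pages use (constructed list).
TRUSTED_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "live.com", "sharepoint.com",
    "docusign.com", "docusign.net", "adobe.com",
}
BRAND_WORDS = ("microsoft", "sharepoint", "onedrive", "docusign", "adobe")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # constructed subset
CRED_WORDS = ("login", "signin", "verify", "password", "mfa", "sso", "account")


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: a production gateway should
    use the Public Suffix List so that suffixes such as 'co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_url(url: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    reasons: list[str] = []
    strong = False  # set when one indicator on its own justifies blocking
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in ("http", "https"):
        return "block", [f"non-web scheme {scheme!r}"]
    if not host:
        return "block", ["no host in URL"]
    if scheme != "https":
        reasons.append("plain http: the HTTPS check the article recommends fails")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
        strong = True
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label: possible homoglyph domain")
        strong = True
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:  # the genuine brand domain; only weak flags can remain
        return ("review" if reasons else "allow"), reasons
    if reg in SHORTENERS:
        reasons.append("URL shortener hides the final destination")
    for brand in BRAND_WORDS:
        if brand in host:  # brand name used as a subdomain of an unrelated domain
            reasons.append(f"'{brand}' appears in host but registrable domain is {reg}")
            strong = True
            break
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < levenshtein(reg, trusted) <= 2:  # misspelled brand domain
            reasons.append(f"lookalike of {trusted}")
            strong = True
            break
    if any(w in (parts.path + "?" + parts.query).lower() for w in CRED_WORDS):
        reasons.append("credential-themed path or query")
    if strong:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample URLs, as a QR decoder might emit them.
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://micros0ft.com/login",
        "http://sharepoint-docs.example.net/verify",
        "https://bit.ly/3xyz",
    ):
        verdict, why = triage_url(sample)
        print(f"{verdict:6} {sample}  {'; '.join(why)}")
```

The three verdict tiers map naturally onto both deployment points: in a gateway, `block` quarantines the message, `review` holds it for an analyst, and `allow` delivers it; in a preview-first scanning app, anything other than `allow` is reason to show the full URL with a warning instead of opening it. The heuristics are intentionally conservative about the genuine brand domains, so a weak signal such as a credential-looking path on microsoftonline.com does not generate noise, while a misspelled or subdomain-abused brand name is blocked outright.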
Finally, establish a reporting mechanism for suspicious QR codes, both for email-based quishing (report to internal IT security teams and email security vendors) and physical QR code scams (report to local authorities and the FTC). The more reports organizations file, the faster threat intelligence networks can identify and block emerging quishing campaigns.
FAQs
Q: What makes quishing harder to detect than regular phishing?
QR codes appear as static images in emails, which most Secure Email Gateways cannot decode or analyze for malicious content. Unlike clickable text links that can be scanned and checked against threat databases, QR codes hide their destination URL inside a visual pattern, making them effectively invisible to traditional email filters. Additionally, victims scan QR codes on personal mobile devices that lack corporate security controls, creating a cross-device blind spot. Only 36% of quishing incidents are accurately identified and reported by recipients, indicating both technical and human detection gaps. (Check Point, 2024; Keepnet Labs, 2025)
Q: Can quishing happen outside of email?
Yes, and this is a significant distinguishing feature. Quishing operates in both digital and physical environments. Attackers place fraudulent QR code stickers over legitimate codes on parking meters, restaurant menus, posters, and public signage. Notable incidents include 29 compromised parking stations in Austin, Texas over 2022-2024, and a wave of fake QR stickers across Southampton, UK in 2024 that affected up to 10,000 potential victims. Physical quishing campaigns have no email trail, no sender address to verify, and no headers to analyze, making them particularly difficult to detect and defend against. (Netcraft, 2025)
Q: How rapidly is quishing growing?
QR code phishing attacks increased 400% between 2023 and 2025, with incidents rising 25% year-over-year into 2025. QR codes as phishing payloads progressed from 0.8% in 2021 to 12.4% in 2023 and 10.8% in 2024. Barracuda detected over 500,000 phishing emails containing QR codes in PDF documents in just a three-month period. In late 2024, Microsoft found that 25% of email phishing attacks used QR codes as the primary lure. (Keepnet Labs, 2025; Barracuda, 2024)
Q: How can I determine if a QR code is malicious?
Before scanning, inspect physical codes for signs of tampering such as sticker overlays on printed codes. After scanning, examine the URL in the browser address bar before entering any sensitive information—look for correct domain spelling, HTTPS encryption, and recognized brand domains. Never enter credentials or payment information on a site reached via an unexpected QR code. Use QR scanning apps that preview the URL before auto-opening it, giving you a chance to verify the destination. If a QR code comes via email from a trusted source, verify it through a separate communication channel before scanning. (Kaspersky, 2024; Hoxhunt, 2024)
Q: What brands do quishing attacks most commonly impersonate?
According to Barracuda's 2024 analysis of QR codes in PDF attachments, Microsoft (including SharePoint and OneDrive) was impersonated in 51% of attacks, DocuSign in 31%, and Adobe in 15%. A small percentage impersonated victims' own company HR departments. These are high-value targets because they require users to authenticate or share sensitive information, making credential harvesting the primary objective. (Barracuda, October 2024)