What Is Quishing? How QR Code Phishing Works and How to Stop It

  • Updated: April 15, 2026

Cybercriminals are getting craftier. Quishing is a growing threat you need to watch out for.

Quishing is QR code phishing. Unlike traditional phishing, quishing uses QR codes to trick you into visiting malicious websites or downloading harmful content—and because QR codes are images, not text, most email security tools can’t detect them.

Quishing attacks are rising fast. QR code phishing has grown from just 0.8% of all cyberattacks in 2021 to nearly 11% now, and attacks increased fivefold last year alone, making it one of the fastest-growing cyber threats today.

What Is Quishing?

Quishing involves attackers creating QR codes that redirect victims to malicious websites. These codes can be embedded in emails, social media posts, printed materials, websites, or physical locations like restaurants, parking meters, or EV charging stations.

The pandemic led many businesses (particularly restaurants) to transition to QR codes for customers to access menus, check in for appointments, or even pay for purchases.

More than one-third of smartphone users scan at least one QR code per week, and almost 90% of all consumers have scanned a QR code at least once in their lives.

QR codes have become a significant part of our lives. Scanning a QR code while shopping or eating at a restaurant wouldn’t be out of the ordinary.

And it wouldn’t be strange to see a QR code in an email. Receiving an email requesting that you scan an embedded QR code to access a document or reset your password is unlikely to raise any red flags—and attackers are taking advantage of this.


How Quishing Works

Creation and Distribution: Attackers create a QR code linked to a malicious website. This QR code looks entirely legitimate. It can be created easily with free online tools, making it a low-cost but highly effective weapon for cybercriminals.

Enticement: The QR code is then shared through various channels. Attackers use social engineering techniques to entice victims. They may promise a free gift or a discount, or claim that urgent action is required, such as verifying account details. These QR codes can appear in phishing emails, social media posts, printed flyers, or posters in public places. By appearing in familiar and trusted contexts, they catch victims off guard.

Scan and Redirect: Once the victim scans the QR code, they are redirected to a malicious site. These sites are designed to look trustworthy, often mimicking legitimate websites. Victims might be prompted to enter sensitive information like login credentials, financial details, or personal data. Alternatively, the site could automatically initiate a download of malware onto the victim’s device. This malware can steal data, monitor activity, or give attackers remote access to the victim’s system.

Real-World QR Code Scam Examples

Quishing attacks can appear in various forms, targeting individual citizens and specific organizational roles in a company.


Phishing Emails
Phishing emails with embedded QR codes are particularly dangerous. These emails often masquerade as legitimate communications from trusted sources, such as banks, service providers, or internal departments.

For example, an employee might receive an email that appears to be from the IT department, urging them to scan a QR code to access a secure message or update their login credentials.

Some attackers go a step further, hiding the QR code inside a PDF or image attached to the email. This tactic bypasses many email filters because the message body contains no clickable links, so there is nothing for a standard filter to flag.

Why is this a threat to organizations?

  • Increased credibility: When a phishing email appears to come from within the organization or a trusted service provider, employees are more likely to trust and act on it without hesitation.
  • Data breach risks: Once the QR code is scanned, the malicious site can prompt employees to enter sensitive information—often login credentials—which can then be used to infiltrate the organization’s network.
  • Malware distribution: The malicious site might also initiate the download of malware, compromising the security of the employee’s device and potentially the entire network.

An email might claim there’s an important update regarding the company’s benefits program. Once scanned, the QR code redirects the employee to a fake login page that looks exactly like the company’s HR portal. The employee, thinking it is a legitimate request, enters their credentials, which are then harvested by the attackers.

From an organizational standpoint, every employee is a potential quishing target. However, members of the C-suite are 40 times more likely to receive a QR code phishing attack than a non-executive employee.

Public Places
QR codes are also placed in public locations like restaurants, parking meters, retail stores, and public transportation ads—places where you would typically expect to find them. In one documented case, scammers placed fake QR code stickers over legitimate codes at 200 retail locations. Within 48 hours, the retailer spent $2.3 million on damage control, not counting lost sales or the lasting damage to customer trust.

Fake Promotions
Attackers create QR codes promising free gifts, discounts, or other enticing offers. These codes might be found on posters, flyers, or online advertisements. When scanned, they lead victims to malicious websites designed to steal personal information or install malware.


Why Quishing Is So Dangerous

Quishing poses a unique threat because QR codes are just images. They bypass the traditional security measures that focus on scanning text-based links for malicious activity.

Once a QR code is scanned, the user is exposed to immediate risk without any preliminary warnings from their security software. Unlike conventional email threats that contain detectable text and URLs, quishing attacks use minimal text and no obvious links.

This lack of typical signals makes it difficult for many security tools to identify and block these threats. By embedding malicious links within QR codes, attackers effectively evade standard email security.

The threat is also evolving. In 2025, attackers began pairing quishing with AI-generated follow-up messages, nudging victims to “complete verification” or “resolve an account issue” after the initial scan. These messages are convincing, grammatically polished, and hard to distinguish from legitimate communications, which makes the combined attack significantly more effective.

How to Spot and Avoid a QR Code Scam

Quishing attacks are deceptive and can easily bypass traditional security measures. To protect yourself from these threats, awareness is your first line of defense.

Verify the Source
Always check the legitimacy of the source before scanning a QR code. Be cautious of codes in unsolicited emails. When you see a QR code in a public place, look for signs of tampering: a sticker placed over an existing code is a common attack method. If something feels off, don’t scan it.

Inspect the URL
If possible, verify the URL associated with the QR code before visiting it. Some QR code scanner apps allow you to preview the URL, helping you avoid malicious sites. If the URL looks unfamiliar, shortened, or mismatched with the context, stop.
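The checks described above (unfamiliar, shortened, or mismatched with the context) can be automated once a scanner has decoded the QR payload. This is an added example, not HBS code; the shortener list, the `inspect_qr_url` name, and the `expected_domains` parameter are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small sample of shortener hosts; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def inspect_qr_url(url, expected_domains):
    """Return reasons the decoded URL deserves suspicion (empty list = none found)."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or 'missing'}', not https")
    if not host:
        findings.append("no hostname in payload")
        return findings
    if parts.username or parts.password:
        findings.append("userinfo before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if host in SHORTENERS:
        findings.append("shortened URL hides the destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike domain)")
    # Match on a label boundary so 'example.com.login-portal.test' does not pass.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        findings.append(f"host '{host}' does not match the expected context")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, checked against a constructed expected domain.
    for sample in ("https://hr.example.com/benefits",
                   "https://example.com.login-portal.test/hr",
                   "http://bit.ly/abc"):
        print(sample, "->", inspect_qr_url(sample, ["example.com"]) or "no findings")
```

An empty result means none of these heuristics fired, not that the destination is safe.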

Make Sure Your Email Security Is Up to the Task
Most standard email security solutions are not capable of decoding and analyzing QR codes. Advanced security tools can detect and neutralize threats hidden in QR codes, providing an essential layer of protection against quishing attacks. It’s vital to use security software that can keep up with cybercriminals’ evolving tactics.
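The gap described here and in the earlier passage on QR codes hidden in attachments can be shown with a short triage pass over a message. This is an added example, not HBS or vendor code: the sample email is constructed, `triage` is a hypothetical helper, and actual QR decoding (which needs an image-decoding library) is left to a downstream step.

```python
import re
from email import message_from_string
from email.policy import default

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
QR_CARRIERS = ("image/", "application/pdf")  # part types that can hold a QR code

# Constructed sample: no link in the body, one PNG part (bytes are a placeholder).
SAMPLE = """\
From: it-support@example.com
To: user@example.com
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Scan the attached code with your phone to read your secure message.
--b1
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="code.png"

iVBORw0KGgo=
--b1--
"""


def triage(raw):
    """Report what a link scanner sees and which parts should go to a QR decoder."""
    msg = message_from_string(raw, policy=default)
    urls, carriers = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            urls += URL_RE.findall(part.get_content())
        elif ctype.startswith(QR_CARRIERS):
            carriers.append((ctype, part.get_filename()))
    # blind_spot: link scanning alone finds nothing, yet QR-capable parts exist.
    return {"urls": urls, "carriers": carriers,
            "blind_spot": bool(carriers) and not urls}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Every part listed in `carriers` should be decoded and its payload checked as a URL, whether or not the body also contains links.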

Quash Quishing with Some Help from HBS

Stay vigilant. Quishing is a growing threat that preys on our trust in QR codes. By staying cautious and not mindlessly scanning every code we encounter, we can protect ourselves from becoming victims.

If you’re not confident that your email security can stop quishing attacks, reach out to our security experts at HBS.

If you want help educating your organization about the dangers of quishing, phishing, smishing, or any other cybersecurity threat, HBS is here to help. Contact us today.

©2026 Heartland Business Systems. All rights reserved.