Quishing — phishing using QR codes — has become a meaningful attack pattern over the past 18 months. The technique solves a specific problem attackers had: email security filters scan URLs and block known-malicious destinations. By hiding the URL inside a QR code image, attackers route around URL scanning entirely. The victim scans the QR code with their phone, opens the malicious link, and the attack proceeds outside the corporate email security perimeter. Here's how quishing works and what stops it.
How a Quishing Attack Unfolds
A typical quishing attack:
- Attacker sends an email impersonating a legitimate sender (Microsoft, the user's bank, HR, IT support, a vendor)
- Email contains an embedded QR code with a believable pretext ("scan to verify your account," "scan to view the document," "scan to update payment information")
- Email body contains minimal text that doesn't trip phishing detection — the QR code does the work
- Victim scans the QR code with their phone, often using the phone's built-in camera
- Phone opens the destination URL — a credential harvesting site, malware download, or further social engineering
- Attack proceeds on the phone, often outside the visibility of the corporate email security stack
Why It's Effective
Several factors make quishing work well:
- Bypasses URL scanning — most email security scans hyperlink text and known-malicious URL databases; QR codes contain image data that traditional scanners don't process
- Phone shifts attack surface — corporate endpoint protection often doesn't extend to the personal phone scanning the code
- Social proof from QR familiarity — users have been trained that QR codes are normal for menus, parking, contact sharing
- Mobile browsers show URLs differently — the address bar is small or hidden, making lookalike domains easier to miss
- Multi-stage attacks — quishing can be paired with other techniques (MFA fatigue, voice follow-up) to increase success rate
The Defensive Controls That Work
Defense requires a layered approach, since the QR code itself still reaches the user:
- Modern email security with QR detection — Defender for Office 365, Proofpoint, Mimecast, and similar tools have added QR code scanning capability that processes embedded images for malicious URLs
- Phishing-resistant MFA on critical accounts — even if credentials are compromised, MFA blocks the takeover
- Mobile device management with secure browsers — corporate-managed mobile devices can route URL checks through corporate DNS or security gateway
- DNS-layer security applied on mobile when on corporate Wi-Fi
- User education specifically about quishing — most security awareness training doesn't cover it yet
- Reporting workflow for suspicious QR codes — users need an obvious path to flag them
- Conditional access evaluating risk signals on sign-ins originating from mobile devices in unusual contexts
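The "QR detection" control above boils down to recognizing the message shape quishing depends on: almost no text, an inline image, and an urgency or authority pretext. The following is an added example of that triage logic, not code from the original post or from any of the products named above. It uses only the Python standard library; decoding the QR image itself needs an image/QR library (pyzbar, zxing, or the email gateway's own engine) and is treated here as a separate step. The phrase list, thresholds, and the sample messages are constructed assumptions.

```python
"""Triage heuristics for QR-code ("quishing") email, standard library only.
Added example; not the original post's or any vendor's code. Decoding the QR
image is assumed to happen elsewhere; this scores the message shape.
"""
import email
from email import policy
from email.message import EmailMessage

# Pretext phrases taken from the post's examples plus one generic urgency cue.
PRETEXT_PHRASES = (
    "verify your account", "view the document", "update payment",
    "set up mfa", "scan the qr", "scan to", "within 24 hours",
)
SHORT_BODY_WORDS = 40   # bodies under this many words count as "minimal text"
REVIEW_THRESHOLD = 3    # score at or above this routes the mail to review


def build_constructed_email(subject: str, body_text: str, with_inline_image: bool) -> bytes:
    """Build a constructed sample message (not a real phish). The image bytes are
    a PNG-header placeholder, not an actual QR code."""
    msg = EmailMessage()
    msg["From"] = "IT Support <it-support@sender.invalid>"
    msg["To"] = "user@corp.invalid"
    msg["Subject"] = subject
    msg.set_content(body_text)
    if with_inline_image:
        msg.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
                        maintype="image", subtype="png", cid="<qr1>")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message and return the evidence behind the score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    word_count = 0
    inline_images = 0
    pretexts = set()

    subject = str(msg["Subject"] or "").lower()
    pretexts.update(p for p in PRETEXT_PHRASES if p in subject)

    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text = part.get_content()
            word_count += len(text.split())
            lowered = text.lower()
            pretexts.update(p for p in PRETEXT_PHRASES if p in lowered)
        elif part.get_content_maintype() == "image":
            # An inline image (or one referenced by Content-ID) is how a QR code
            # embedded in the body appears on the wire.
            if part.get_content_disposition() == "inline" or part["Content-ID"]:
                inline_images += 1

    score = 0
    reasons = []
    if inline_images:
        score += 1
        reasons.append(f"{inline_images} inline image(s)")
        if word_count < SHORT_BODY_WORDS:
            score += 2
            reasons.append(f"only {word_count} words of text alongside an image")
    if pretexts:
        score += min(len(pretexts), 2)
        reasons.append("pretext phrases: " + ", ".join(sorted(pretexts)))

    return {
        "score": score,
        "verdict": "review" if score >= REVIEW_THRESHOLD else "pass",
        "reasons": reasons,
        "inline_images": inline_images,
        "word_count": word_count,
    }


if __name__ == "__main__":
    # Constructed samples: one quishing-shaped message, one ordinary message.
    phish = build_constructed_email(
        "Action required: verify your account",
        "Scan the QR code below to verify your account within 24 hours.", True)
    benign = build_constructed_email(
        "Notes from today's planning meeting",
        "Hi all, here are the notes from today's planning meeting. We agreed to "
        "move the rollout to next quarter and to revisit the budget in March.", False)
    for name, raw in (("constructed phish", phish), ("constructed benign", benign)):
        print(name, triage(raw))
```

A message that lands in "review" is the one whose inline images are worth decoding and whose decoded URLs should go through the same reputation and sandbox checks as a visible hyperlink; ordinary newsletters with images and plenty of text score low and pass through.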
What to Teach Users
Quishing-specific user training should cover:
- QR codes in emails should be treated with suspicion, particularly when there's an urgency or authority pretext
- Legitimate services rarely require scanning QR codes from emails — they provide links or normal authentication flows
- Before scanning any QR code, consider whether the action it's about to initiate makes sense
- After scanning, examine the destination URL carefully before entering credentials
- If a QR code arrives unexpectedly from a sender, verify out-of-band before scanning
- Reporting suspicious QR codes to security is appreciated, not punished
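"Examine the destination URL carefully" is the step most users do not know how to perform, and the small mobile address bar makes lookalike domains easy to miss. The following is an added example, not from the original post, of the checks a managed device or a help desk can run on the URL a QR code decoded to: whether the registrable domain is actually the brand's, or whether the brand name merely appears in a subdomain, a homoglyph host, the userinfo before an "@", or the path. The brand allowlist, the tiny public-suffix stand-in, and the homoglyph table are assumptions; a production check would use the Public Suffix List and the organization's own allowlist.

```python
"""Post-scan URL check for a decoded QR destination. Added example, not the
original post's code. Brand list and suffix handling are illustrative assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed legitimate domains per brand (extend from your own allowlist).
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
# Minimal stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Common substitutions used to build lookalike names, mapped back to the letter they mimic.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))


def registrable_domain(host: str) -> str:
    """Return the part of the host a user actually needs to read: the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_homoglyphs(text: str) -> str:
    """Fold lookalike characters so 'rnicrosoft' compares as 'microsoft'."""
    text = text.lower()
    for fake, real in HOMOGLYPHS:
        text = text.replace(fake, real)
    return text


def assess_url(url: str) -> dict:
    """Report the cues to look at before entering credentials on a decoded URL."""
    if "://" not in url:
        url = "http://" + url  # QR codes often carry a bare host
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    if not host:
        findings.append("no host in URL")
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme}, not https")
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label; may render as a lookalike name")

    reg = registrable_domain(host) if host else ""
    trusted = any(reg in legit for legit in KNOWN_BRANDS.values())
    if not trusted:
        host_folded = normalize_homoglyphs(host)
        path_folded = normalize_homoglyphs(parts.path)
        for brand in KNOWN_BRANDS:
            if brand in host_folded:
                findings.append(f"'{brand}' appears in host but registrable domain is {reg}")
            elif brand in path_folded:
                findings.append(f"'{brand}' appears only in the path, not the domain")

    verdict = "suspicious" if findings else ("trusted" if trusted else "unknown")
    return {"host": host, "registrable_domain": reg,
            "trusted_brand_domain": trusted, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample destinations (all .example / .invalid style placeholders).
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "http://microsoft.com.account-verify.example/login",
        "https://rnicrosoft.com/",
        "https://microsoft.com@evil.example/",
        "https://docs.example/docusign/view",
    ):
        result = assess_url(sample)
        print(result["verdict"], sample, result["findings"])
```

The ordering matters: the registrable domain is computed first and trusted only if it is on the allowlist, and only then is the brand name searched for elsewhere, so "login.microsoftonline.com" is not flagged for containing "microsoft" while "microsoft.com.account-verify.example" is.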
The Specific High-Risk Scenarios
Watch for quishing in specific contexts:
- HR communications — "scan to view your benefits enrollment" type messages
- IT/security messages — "scan to verify your account" or "scan to set up MFA"
- Financial requests — "scan to view the wire transfer details" or vendor payment changes
- Document delivery — "scan to view the document" particularly with brand impersonation (DocuSign, Adobe Sign)
- Physical QR codes — stickers placed over legitimate QR codes in parking lots, restaurants, conference materials
The pattern: any QR code with an urgent pretext or authoritative source that wasn't expected deserves verification before scanning. If you're scoping quishing defenses for your business, a free 30-minute assessment can review your current email security configuration and identify gaps.
Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments. Contact us or call 850-614-9343.