QR Code Phishing (Quishing): Detection and Defense
QR codes had a brief reputation, ten years ago, of being the technology nobody used. Then they became the way restaurants showed menus during the pandemic, then the way airlines issued boarding passes, then the default interface for much of the contactless world. Then attackers noticed. Quishing - phishing through QR codes - is now a standard lure type, and it bypasses a category of defenses that organizations have spent twenty years building around clickable URLs in email.
This post is the operator's view of how quishing works, why traditional defenses miss it and what to do about it in policy, training and simulation.
Why QR-code phishing works
The mechanics matter. A QR code is just an image that encodes a string of text - typically a URL. From an email gateway's point of view, an image is an image; the URL inside it is invisible to the URL-rewriting and URL-categorization scanners that have been the backbone of email security for two decades. Older gateways simply pass it through. Newer gateways are starting to OCR or decode QR codes inline, but coverage is uneven and most enterprise email environments still have at least one mailbox path where the QR slips through unscanned.
Once the user scans the code, two things happen that work in the attacker's favor:
- Channel hop to mobile. The user goes from a corporate desktop with full endpoint controls to a personal phone with weaker URL preview, possibly no managed browser and password-autofill behavior that varies by device.
- Attention shift. Users scanning a QR code are often standing up, walking, in line at a restaurant or in transit. They're not in the careful-inspection mindset they'd apply to an email link at a desk.
The combination - gateway blind spot plus mobile channel plus distracted user - is why click-through rates on quishing tests run materially higher than on equivalent text-link tests in the same organization.
Where the QR codes show up
Quishing is not just an email problem. The full attack surface in 2026:
- Email-embedded QR codes. The classic vector: a "Microsoft 365 password expiry" or "DocuSign envelope" lure that embeds a QR code instead of a clickable link, so a desktop user has to scan with their phone - which lands them on the phishing site on a less-protected device.
- Phishing PDFs. The PDF arrives clean (no embedded scripts, no executable payload), opens normally and contains a QR code as the call-to-action. Most attachment scanners pass.
- Physical posters and stickers. Public CISA and FBI advisories have documented attackers placing fraudulent QR-code stickers over legitimate ones - on parking meters, on restaurant menus, on event signage. The legitimate QR pointed at the parking-payment site; the sticker on top points at a credential-harvesting clone.
- Business cards and printed marketing. A QR on a business card from a "vendor" or "recruiter" met at a conference. No email gateway involved.
- Internal signage attacks. A "scan to verify your phone for the new MFA system" poster left in an office break room. Insiders, or anyone with physical access, use this for opportunistic credential collection.
Coverage at Krebs on Security has tracked physical-world quishing for several years; the pattern shows no sign of slowing.
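The email and PDF vectors above share one structural signature: the call to action is an image or an attachment, and the message carries no clickable link for the gateway to rewrite. The following added example (not Bait & Phish code, and not part of the original post) shows a triage pass over a raw message that spots that signature with only the Python standard library and flags the image and PDF parts that need QR decoding. The two messages it builds are constructed samples; the PNG bytes are a placeholder, not a real QR image, and the action-word list is an illustrative starting point, not a tuned model.

```python
"""Structural triage of a raw email for quishing candidates.

Added example, not Bait & Phish code. Heuristic: a QR lure carries its
call-to-action as an image (or PDF) with no clickable link, while the text
pushes a credential or urgency action. The messages built below are
constructed samples; the PNG bytes are a placeholder, not a real QR image.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Words that signal a credential/urgency action in the lure text (constructed list).
ACTION_WORDS = re.compile(
    r"\b(scan|password|expir\w*|verify|verification|mfa|sign|envelope|account)\b", re.I
)
TEXT_LINK = re.compile(r"https?://", re.I)
HTML_LINK = re.compile(r"""href\s*=\s*["']?\s*https?://""", re.I)


def quishing_candidates(raw: bytes) -> dict:
    """Parse one RFC 5322 message and decide whether its images/PDFs need QR decoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links, text, images, pdfs = 0, "", [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_content()
            text += body
            links += len(TEXT_LINK.findall(body))
        elif ctype == "text/html":
            body = part.get_content()
            text += body
            links += len(HTML_LINK.findall(body))
        elif ctype.startswith("image/"):
            images.append(part.get_filename() or "(inline image)")
        elif ctype == "application/pdf":
            pdfs.append(part.get_filename() or "(unnamed pdf)")
    action = sorted({w.lower() for w in ACTION_WORDS.findall(text)})
    # Image-or-PDF call to action, zero hyperlinks, action language: decode before delivery.
    candidate = bool(images or pdfs) and links == 0 and len(action) >= 2
    return {
        "verdict": "qr-candidate" if candidate else "normal",
        "links": links,
        "images": images,
        "pdfs": pdfs,
        "action_words": action,
    }


def build_sample_lure() -> bytes:
    """Constructed quishing-style lure: urgency text, inline image, no hyperlink."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Action required: your password expires today"
    msg.set_content(
        "Your Microsoft 365 password expires today.\n"
        "Scan the QR code below with your phone to verify your account."
    )
    msg.add_alternative(
        "<p>Your Microsoft 365 password expires today. Scan the QR code below "
        'to verify your account.</p><img src="cid:qr1">',
        subtype="html",
    )
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # placeholder bytes, not a real QR
    msg.get_payload()[1].add_related(fake_png, "image", "png", cid="<qr1>", filename="qr.png")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed ordinary message: a text link and no image."""
    msg = EmailMessage()
    msg["From"] = "facilities@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Friday lunch menu"
    msg.set_content("The menu is posted at https://intranet.example.org/lunch")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        print(label, quishing_candidates(raw))
```

The parts listed under "images" and "pdfs" are what a gateway with QR decoding (see the technical defenses section) would hand to its decoder; a message that is both a candidate and has a decoded URL failing reputation checks is the one to quarantine. Messages with legitimate inline images and no links (newsletters, signature logos) will trip the structural check alone, which is why the action-word condition is there and why this is a pre-filter, not a verdict.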
How to detect a malicious QR code
The honest answer: you can't tell by looking at the code itself. The visual pattern is opaque - that's the whole point of a QR code - and the difference between a legitimate code and a malicious one is invisible to the human eye. Detection happens at the moment of scan, not before.
What employees should be trained to do:
- Read the URL preview before tapping. Modern iOS and Android camera apps show a preview of the destination URL above the "Open" button. That preview is the equivalent of hover-to-inspect on a desktop link. If the URL doesn't match the brand or the context, don't open it.
- Trust the channel, not the code. A QR code in an email asking for credentials is suspicious regardless of how good the email looks. Real password expiries, real document-signing requests and real Microsoft 365 communications do not require scanning a QR with a personal phone.
- Check physical QR codes for tampering. A sticker over a printed-on QR code, a fresh-looking QR on otherwise weathered signage or an out-of-place QR on a public surface should all raise suspicion. The defense is the lift-the-corner test for stickers.
- Use the corporate channel for corporate actions. If a "vendor" sent a QR code to access an invoice or document, log into the actual vendor portal directly through a known URL instead.
Technical defenses that help
At the system level, three layers reduce the attack surface:
- Email gateway QR decoding. Several major email security vendors now OCR or decode QR codes embedded in images and PDFs and apply standard URL reputation checks to the decoded link. Verify your provider has this feature enabled.
- Mobile management with managed browser. Corporate mobile devices with a managed browser (or MDM URL filtering) can apply the same URL-reputation lookups on phone scans that desktops apply on link clicks.
- Strong phishing-resistant MFA. Quishing typically lands on credential-harvest pages. Phishing-resistant MFA - FIDO2 / passkeys - denies the attacker even when the credential is captured. NIST SP 800-63 calls this out as a recommended control.
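The user-side rule from the training list (read the URL preview and check that it matches the brand and context) and the gateway-side rule above (decode the QR and apply reputation checks to the link) are the same decision applied at different points. The following added example (not Bait & Phish code, and not part of the original post) implements that decision over decoded QR payloads: it assumes a separate decoder has already turned the image into a string (for instance a zbar-based library in the mail pipeline; that step is not shown), and the brand allowlist, shortener list, confusable-glyph pairs and sample payloads are constructed for illustration. It goes slightly beyond the post's examples by also catching non-URL payloads and userinfo tricks.

```python
"""Triage of a decoded QR payload: the gateway-side twin of "read the URL preview".

Added example, not Bait & Phish code. It assumes the QR image has already
been decoded to a string by a separate decoder (e.g. a zbar-based library
in the mail pipeline). The allowlist, shortener list, confusable pairs and
sample payloads are constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> registrable domains the brand really uses.
EXPECTED_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
# Shorteners: the camera preview shows the shortener, not the destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}
# Glyph swaps used to spell a brand with lookalike characters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
SOFT_REASONS = {"plain http"}


def registrable_domain(host: str) -> str:
    """Last two labels; a naive stand-in for a Public Suffix List lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def deconfuse(text: str) -> str:
    """Undo common lookalike substitutions so 'rnicrosoft' reads as 'microsoft'."""
    for lookalike, real in CONFUSABLES:
        text = text.replace(lookalike, real)
    return text


def triage(payload: str, claimed_brand: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return ("allow" | "review" | "block", reasons) for one decoded QR string.

    claimed_brand is the brand the lure invokes ("microsoft" for a 365 password
    expiry email); the decoded link must then land on that brand's own domains.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return "block", [f"not a web URL (scheme: {parts.scheme or 'none'})"]

    host = (parts.hostname or "").lower()
    rd = registrable_domain(host)
    reasons: List[str] = []
    if parts.scheme == "http":
        reasons.append("plain http")
    if parts.username is not None:
        reasons.append("userinfo before host (brand@attacker trick)")
    if is_ip_literal(host):
        reasons.append("IP-literal host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host")
    if rd in SHORTENERS:
        reasons.append("URL shortener hides destination")

    # Brand check: the brand must be the registrable domain, not a subdomain,
    # a path segment, or a lookalike spelling that anyone can register.
    for brand in ([claimed_brand] if claimed_brand else EXPECTED_DOMAINS):
        if rd in EXPECTED_DOMAINS.get(brand, set()):
            continue
        where = []
        if brand in host:
            where.append("subdomain")
        if brand in (parts.path + "?" + parts.query).lower():
            where.append("path/query")
        if brand not in host and brand in deconfuse(host):
            where.append("lookalike host spelling")
        if where:
            reasons.append(f"'{brand}' appears only in {', '.join(where)}; registrable domain is {rd}")
        elif claimed_brand:
            reasons.append(f"lure claims {brand} but link goes to {rd}")

    if not reasons:
        return "allow", reasons
    if all(r in SOFT_REASONS for r in reasons):
        return "review", reasons
    return "block", reasons


if __name__ == "__main__":
    samples = [  # constructed decoded payloads
        ("https://login.microsoftonline.com/common/oauth2/authorize", "microsoft"),
        ("https://microsoft.com.account-verify.example/login", "microsoft"),
        ("https://rnicrosoft.com/login", "microsoft"),
        ("https://evil.example/docusign/envelope", "docusign"),
        ("https://bit.ly/3abc", None),
        ("WIFI:T:WPA;S:Lobby;P:hunter2;;", None),
    ]
    for payload, brand in samples:
        verdict, why = triage(payload, brand)
        print(f"{verdict:6} {payload}  {'; '.join(why)}")
```

The "review" tier exists so that plain-http links to a genuine brand domain get a human look rather than an automatic block; everything that places the brand name anywhere other than the registrable domain is blocked outright, because that is the one thing a camera-app URL preview reliably shows the user and the one thing an attacker cannot fake without owning the brand's domain.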
Simulation: testing quishing in your program
Detection through filtering is necessary but not sufficient. The quishing-specific behavior - read the URL preview before tapping - has to become muscle memory, and the only reliable way to install muscle memory is through simulation.
Bait & Phish supports QR-code simulated phishing campaigns natively. The platform generates a dynamic, per-recipient QR code that points at a tracked simulation URL, embeds it in the email lure (or attachment) and reports on scan-and-click behavior with the same fidelity as a text-link simulation. Auto-assigned remediation training for users who scan and proceed includes the QR-specific recognition cues.
A workable cadence for adding quishing to your program:
- One QR-coded campaign per quarter for the full organization, at easy-to-regular difficulty.
- One harder QR-coded campaign per year for finance, IT and executive cohorts - using physical-world realism (printed-poster lure scenarios, vendor-business-card scenarios).
- Reporting that breaks out QR-coded campaigns separately, so the metric stands on its own and trends are visible.
How quishing compares to a regular phishing email
For organizations weighing whether to add quishing to an existing program rather than treating it as a separate threat, the practical differences:
- Click rate is typically higher. The same lure category sent to the same population produces a measurably higher engagement rate when delivered via QR than via clickable link. The mobile channel hop is part of why.
- Credential capture page is identical. The phishing site at the destination is the same - same fake Microsoft 365 login, same DocuSign clone - just reached through a different transport. The downstream defense (phishing-resistant MFA, password manager warnings) is identical.
- Forensics are harder. A user reporting an email-phishing click is reporting from a managed corporate device with logs; a user who scanned a QR on their personal phone may have left no trace at all in your SIEM. This is part of why simulation matters more for the QR vector - you need the platform to be the source of the data.
- Remediation training is the same shape. Click-based and scan-based remediation both teach URL-preview behavior; the QR-specific module adds the channel-hop awareness as a layer on top.
Policy implications
Two policy questions worth answering before quishing becomes an incident:
- Are personal phones permitted to scan QR codes for corporate actions? If yes, the policy needs to acknowledge the channel-hop risk and require URL preview. If no, employees need a sanctioned alternative for the legitimate cases.
- Who is responsible for inspecting public-facing QR codes on corporate property? If your organization posts QR codes on physical signage, someone needs to verify periodically that the codes haven't been overlaid.
Cyber insurance carriers in 2026 are starting to add QR-code coverage to renewal questionnaires - see our cyber insurer phishing questions guide. As with deepfake vishing, the answer that holds premiums down is "yes, we simulate it; here's the data."
Where Bait & Phish fits
Quishing is built into the Bait & Phish simulated phishing library across all five intent categories and all three difficulty levels. To run your first QR-code simulation, start a 25-user free trial and select QR as the lure variant in any campaign template. For organization-wide rollouts and physical-world scenario design, pricing covers the paid plans, and contact us for help integrating quishing into a broader multi-channel program. About us covers our methodology in more depth, and the security awareness training page covers the auto-assigned remediation that fires when a user scans.
External authoritative references: CISA advisories on quishing, the FBI Internet Crime Complaint Center (IC3) annual report, the Verizon DBIR, the Anti-Phishing Working Group (APWG), and NIST SP 800-63 for the phishing-resistant MFA backstop.
See also: Phishing Trends 2026 - annual roundup covering AiTM commoditization, AI-generated lure quality, collaboration-tool phishing, ransomware dwell-time compression and other patterns that defined the year.