Quishing: phishing hidden in QR codes
A QR code slips past email filters and leads to a fake page straight from your phone. We explain how quishing works and how to defend against it.
QR codes are back in favour — we pay with them, log in, confirm our identity. Criminals have noticed. Quishing (QR + phishing) is an attack in which the malicious link is hidden in a QR code instead of a classic hyperlink. A simple change of medium — and it defuses several defence mechanisms at once.
Why a QR code suits the attacker
- It bypasses email filters. Many security systems scan links in the body of an email. A QR code is an image — the link “inside” is often invisible to the filter.
- It moves the attack to a phone. You scan the code from a work email but open it on a personal phone — often less protected and outside company control.
- It hides the real address. You can’t see where the link leads until you open it. Judging the domain “by eye” is harder.
Common scenarios
- A fake email with a QR code “to confirm your account”, “unblock your mailbox” or “re-authorise MFA”.
- Stickers in public spaces — a swapped code on a parking meter, charging station or poster, leading to a fake payment page.
- Documents and invoices with a QR code for “quick payment”.
It’s the same social engineering as in phishing and smishing — only the delivery channel has changed.
How to defend
- Check the domain after scanning. Most phones show the address before opening — read it and verify it’s the real domain before you tap.
- Don’t scan codes from unexpected emails and stickers. For logging in or paying, use the app or a manually typed address.
- Beware “MFA-authorising” codes — legitimate processes rarely ask you to scan a code from an email to “confirm” an account.
- In the company: include quishing in training and controlled campaigns, and in your rules for personal devices (BYOD).
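The two points above that a gateway cannot "see" the link inside an image and that the user should read the domain before tapping come down to the same check: once the QR image has been decoded to a string, inspect the URL before anyone trusts it. The following is an added example, not code from the original post or from its sources; it assumes the decoding step has already been done by a phone camera or a gateway-side library (not shown), and the trusted-domain list, the shortener list and all sample payloads are constructed placeholders.

```python
"""Triage of decoded QR payloads before anyone taps the link.

Constructed example: the QR image has already been decoded to a string by
whatever decoder is in use; this module only inspects that payload, the
way a careful reader inspects the address bar before tapping.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption (placeholder): domains the organisation actually uses for
# login and payment. Anything else is "not on the list", not "bad".
TRUSTED_DOMAINS = {"example.com", "pay.example.com"}

# Assumption (placeholder): link shorteners hide the final destination, so
# they cannot be verified by eye and are reported as unknown, never trusted.
SHORTENER_DOMAINS = {"short.example", "link.example"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Enough for a triage demo; a real
    deployment should use the public suffix list (co.uk etc. are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(payload: str) -> dict:
    """Return a verdict for one decoded QR payload.

    verdict: "trusted" | "suspicious" | "unknown" | "not_a_url"
    reasons: human-readable findings that explain the verdict.
    """
    reasons = []
    text = payload.strip()
    if not text.lower().startswith(("http://", "https://")):
        # Wi-Fi configs, vCards, plain text and so on are out of scope here.
        return {"verdict": "not_a_url", "host": None,
                "reasons": ["payload is not an http(s) URL"]}
    try:
        parts = urlsplit(text)
    except ValueError:
        return {"verdict": "suspicious", "host": None,
                "reasons": ["URL could not be parsed"]}
    host = (parts.hostname or "").lower()

    if parts.scheme.lower() != "https":
        reasons.append("plain http, not https")
    if parts.username is not None:
        # "https://brand.example@other.example/" shows the brand first on a
        # small screen; the real host is whatever follows the '@'.
        reasons.append("text before '@' is not the host; the real host follows it")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: lookalike characters possible")
    if host.count(".") >= 4:
        reasons.append("very deep subdomain: the familiar name may sit under an unrelated domain")

    rd = registrable_domain(host)
    if rd in SHORTENER_DOMAINS:
        reasons.append("link shortener: final destination not visible")
        return {"verdict": "unknown", "host": host, "reasons": reasons}
    if rd in TRUSTED_DOMAINS:
        verdict = "trusted" if not reasons else "suspicious"
        return {"verdict": verdict, "host": host, "reasons": reasons}
    reasons.append(f"domain {rd!r} is not on the trusted list")
    return {"verdict": "suspicious", "host": host, "reasons": reasons}


# Constructed sample payloads, as a decoder might hand them over.
SAMPLE_PAYLOADS = [
    "https://pay.example.com/invoice/1234",
    "https://pay.example.com@198.51.100.7/login",
    "http://xn--example-placeholder.example/mfa",
    "https://login.pay.example.com.security-check.example/verify",
    "https://short.example/a1b2c3",
    "WIFI:T:WPA;S:guest;P:secret;;",
]


def triage_all(payloads=SAMPLE_PAYLOADS) -> list:
    """Triage every payload and return (payload, verdict) pairs."""
    return [(p, triage(p)["verdict"]) for p in payloads]


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        result = triage(payload)
        print(f"{result['verdict']:<11} {payload}")
        for reason in result["reasons"]:
            print(f"            - {reason}")
```

The same function serves both ends of the problem: on a mail gateway it runs over URLs decoded from inline images and attachments, so QR links get the same URL checks as text links; in awareness training it spells out the findings a user should be looking for on the phone's preview (the host after the "@", a raw IP, a punycode label, a shortener that hides the destination).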
Quishing is a good reminder that a defence based solely on content filtering will always be a step behind the attacker. What matters is the habit: verify the domain before you trust — whether the link arrived as text or as an image. If you’d like to test your employees’ resilience, ask about a controlled campaign.
Sources and further reading: CERT Polska, Sekurak.