Breachroad
Phishing

Quishing: phishing hidden in QR codes

A QR code slips past email filters and leads to a fake page straight from your phone. We explain how quishing works and how to defend against it.

Karol Rapacz
20 June 2026 · 5 min read

QR codes are back in favour — we pay with them, log in, confirm our identity. Criminals have noticed. Quishing (QR + phishing) is an attack in which the malicious link is hidden in a QR code instead of a classic hyperlink. A simple change of medium — and it defuses several defence mechanisms at once.

Why a QR code suits the attacker

  • It bypasses email filters. Many security systems scan links in the body of an email. A QR code is an image — the link “inside” is often invisible to the filter.
  • It moves the attack to a phone. You scan the code from a work email but open it on a personal phone — often less protected and outside company control.
  • It hides the real address. You can’t see where the link leads until you open it. Judging the domain “by eye” is harder.

Common scenarios

  • A fake email with a QR code “to confirm your account”, “unblock your mailbox” or “re-authorise MFA”.
  • Stickers in public spaces — a swapped code on a parking meter, charging station or poster, leading to a fake payment page.
  • Documents and invoices with a QR code for “quick payment”.

It’s the same social engineering as in phishing and smishing — only the delivery channel has changed.

How to defend

  • Check the domain after scanning. Most phones show the address before opening — read it and verify it’s the real domain before you tap.
  • Don’t scan codes from unexpected emails and stickers. For logging in or paying, use the app or a manually typed address.
  • Beware “MFA-authorising” codes — legitimate processes rarely ask you to scan a code from an email to “confirm” an account.
  • In the company: include quishing in training and controlled campaigns, and in your rules for personal devices (BYOD).
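Once a gateway (or a person) has decoded the QR image, the link it contains should get the same scrutiny as a text link. The Python below is an added example, not Breachroad's code: it assumes the image has already been decoded by a zbar-style library and works on the decoded strings, which are constructed here, flagging the tricks that a quick glance at the address misses.

```python
import re
from urllib.parse import urlsplit

# Domains the organisation genuinely sends people to. Constructed for this
# example; a real deployment would load them from configuration.
TRUSTED_DOMAINS = {"example-bank.com", "mail.example.com"}

# Constructed sample payloads: the strings a QR decoder would hand over after
# decoding images embedded in incoming mail.
SAMPLE_PAYLOADS = [
    "https://example-bank.com/login",                      # legitimate
    "HTTPS://EXAMPLE-BANK.COM/LOGIN",                      # QR alphanumeric mode is upper-case only
    "https://example-bank.com@evil.example/login",         # trusted name before '@', real host after it
    "https://example-bank.com.secure-verify.example/mfa",  # trusted name as a subdomain of a stranger
    "http://203.0.113.5/pay",                              # bare IP address, no domain to judge
    "otpauth://totp/Example:alice?secret=PLACEHOLDER",     # not a web link at all
]

def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation; production code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def assess_qr_payload(payload: str, trusted: set[str] = TRUSTED_DOMAINS) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one decoded QR payload: trusted, suspicious or not-a-web-link."""
    text = payload.strip()
    # Scheme-less payloads are common in QR codes; the phone's browser adds http:// before opening.
    if "://" not in text and re.match(r"^[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", text, re.I):
        text = "http://" + text
    parts = urlsplit(text)                       # urlsplit lower-cases the scheme for us
    if parts.scheme not in ("http", "https"):
        return "not-a-web-link", []
    host = (parts.hostname or "").lower()        # .hostname drops user-info, port and case
    reasons = []
    if "@" in parts.netloc:
        reasons.append("user-info before '@' hides the real host")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible homograph")
    domain = registrable_domain(host)
    if domain not in trusted:
        reasons.append(f"registrable domain '{domain}' is not on the allow-list")
        if any(t in host for t in trusted):
            reasons.append("a trusted name is embedded inside an untrusted domain")
    return ("suspicious", reasons) if reasons else ("trusted", [])

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        verdict, why = assess_qr_payload(p)
        print(f"{verdict:15} {p}" + (f"  <- {'; '.join(why)}" if why else ""))
```

The same function serves a phone-side check: read the address the scanner shows, and anything that lands in "suspicious" is a reason not to tap.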

Quishing is a good reminder that a defence based solely on content filtering will always be a step behind the attacker. What matters is the habit: verify the domain before you trust — whether the link arrived as text or as an image. If you’d like to test your employees’ resilience, ask about a controlled campaign.


Sources and further reading: CERT Polska, Sekurak.
