Quishing, or QR code phishing, is a social engineering attack that uses malicious QR codes to redirect victims to credential harvesting pages, malware downloads, or fraudulent payment portals. The attack exploits the widespread trust in QR codes and the difficulty of inspecting a QR code's destination before scanning..
What is Quishing?
Quishing, or QR code phishing, is a social engineering attack that uses malicious QR codes to redirect victims to credential harvesting pages, malware downloads, or fraudulent payment portals. The attack exploits the widespread trust in QR codes and the difficulty of inspecting a QR code's destination before scanning.
How Quishing Works
Attackers embed malicious QR codes in phishing emails, printed materials, physical locations (replacing legitimate QR codes on posters, menus, or parking meters), or internal documents. When the target scans the code with their phone, they're directed to a fake login page or malware download. Because QR codes are scanned on mobile devices, they bypass corporate email security filters and endpoint protection.
Why Quishing Matters
QR code phishing increased over 400% between 2023 and 2025 according to security researchers. The attack is effective because QR codes are inherently opaque: the user cannot see the URL before scanning. Mobile devices typically have weaker security controls than corporate laptops, and employees are accustomed to scanning QR codes for legitimate purposes.
How to Protect Against Quishing
- Include QR code attack simulations in your testing program
- Train employees to preview URLs before opening QR code destinations
- Deploy mobile security tools that can inspect QR code targets
- Warn against scanning QR codes from untrusted sources
- Monitor for QR code attacks targeting your organization's brand
Frequently Asked Questions
How much did QR code phishing attacks increase?
QR code phishing increased over 400% between 2023 and 2025. The rise correlates with widespread mobile device adoption and decreasing employee familiarity with the attack vector.
Why can't users see a QR code's destination before scanning?
QR codes are encoded binary data that appear as pixel patterns. Mobile devices scan and decode the URL only after the scan is complete, making it impossible to inspect the destination beforehand.
What makes quishing effective against mobile devices?
Mobile devices have weaker security controls than corporate laptops, lack email filtering, and employees are conditioned to scan QR codes for legitimate purposes, creating trust.
Can URL preview tools help prevent quishing attacks?
Some mobile security tools can inspect QR code targets before opening them, but this requires explicit employee action and proper training to use effectively.