QR Code Phishing (Quishing) Defense Guide

By Editorial Team

QR code phishing — quishing — is one of the fastest-growing phishing vectors. Over 4.2 million QR code phishing threats were identified in early 2025, and QR phishing attacks increased fivefold across the year. Cofense documented a 331% year-over-year increase in QR code phishing campaigns, and APWG flagged quishing as a major rising threat. By the end of 2025, 12% of all phishing attacks contained a QR code.

Quishing exploits a fundamental gap in email security: QR codes embed URLs within images, which most email gateways cannot parse. The URL inside a QR code is invisible to traditional link scanning, effectively smuggling malicious links past technical defenses.

Why Quishing Works

Bypasses Email Security

Email security gateways analyze text-based URLs, but QR codes encode URLs as images. Without computer vision capabilities specifically designed to detect QR codes, email filters see only an image — not the malicious URL it contains.

Shifts to Mobile

When a user scans a QR code with their phone, they leave the protected corporate network and open the URL on a mobile device that likely has fewer security controls. Mobile browsers show truncated URLs, and mobile devices may lack corporate web filtering. This is why 68% of quishing attacks specifically target mobile users.

Exploits Physical Trust

QR codes on physical media (parking meters, restaurant menus, conference badges, building posters) inherit the trust of their physical context. An overlay sticker on a legitimate QR code at a parking meter redirects payments to the attacker.

Executive Targeting

C-level executives were 40 times more likely to fall victim to QR code phishing in 2025. Quishing emails targeting executives use pretexts like MFA enrollment, document signing, or expense report submission — actions where QR codes are contextually plausible.

Common Quishing Scenarios

Email-Based Quishing

  • “Scan to set up MFA”: Fake IT department email with QR code to “enroll in multi-factor authentication”
  • “View encrypted message”: QR code claiming to link to an encrypted voicemail or document
  • “Invoice attached”: PDF attachment containing a QR code instead of a clickable link
  • “Verify your account”: Brand impersonation email with QR code for “quick verification”

Physical Quishing

  • Parking meters: Sticker with malicious QR code placed over or beside legitimate payment QR
  • Restaurant menus: Replacement QR codes on menus directing to credential harvesting sites
  • Conference materials: Fake QR codes on name badges, presentations, or event signage
  • Mail/packages: Physical mail with QR codes claiming to track deliveries or claim prizes

Document-Based Quishing

QR codes embedded in PDF invoices, shipping documents, or business proposals. These bypass email link scanning because the URL exists only within the attached PDF image.

Detection Techniques

Before Scanning

  1. Inspect the QR code physically — look for stickers placed over original codes
  2. Consider the context — were you expecting a QR code? Is this a normal communication method for this sender?
  3. Apply social engineering red flags — does the message create urgency or fear?
  4. Use a QR scanner that previews URLs — iOS Camera app and most Android camera apps show the URL before opening it. Do not use scanners that open URLs automatically.

After Scanning (Before Acting)

  1. Read the URL carefully — check for typosquatting and suspicious domains
  2. Verify the domain — is it the legitimate domain for the claimed organization?
  3. Check for HTTPS — while not conclusive, HTTP on a login page is a definitive red flag
  4. Do not enter credentials on any page reached via QR code without verification
  5. Navigate directly to the organization’s website instead of using the QR code link
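The five post-scan checks above can be applied mechanically to the URL a scanner previews, before anyone opens it. The following is an added example, not part of the original guide; `KNOWN_DOMAINS` is a constructed allowlist, and the organisation names and domains in it are illustrative.

```python
# Added example (not from the original guide): run the "After Scanning"
# checklist on the URL a QR scanner previews, before anyone opens it.
# Standard library only; KNOWN_DOMAINS is a constructed, illustrative
# allowlist of the domains each claimed organisation really uses.
from urllib.parse import urlsplit
import difflib
import ipaddress

KNOWN_DOMAINS = {
    "ExampleBank": {"examplebank.com"},
    "Acme IT": {"acme.example"},
}


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'examplebank' for 'login.examplebank.com'."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def assess_qr_url(url: str, claimed_org: str) -> list:
    """Return checklist findings for a decoded QR URL; an empty list means clean."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    # Step 3: plain HTTP on a page that will ask for credentials is a hard red flag.
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    # 'https://examplebank.com@evil.example/' puts the trusted name in the
    # userinfo field; the browser really connects to evil.example.
    if parts.username is not None:
        findings.append("URL carries a user@ prefix that disguises the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("host uses punycode (possible homograph domain)")
    # Steps 1-2: the host must belong to the organisation the message claims.
    expected = KNOWN_DOMAINS.get(claimed_org, set())
    if not any(host == d or host.endswith("." + d) for d in expected):
        findings.append(f"host {host!r} is not a known {claimed_org} domain")
        label = registrable_label(host)
        for d in expected:  # typosquat: close to, but not equal to, a real label
            legit = registrable_label(d)
            if label != legit and difflib.SequenceMatcher(None, label, legit).ratio() >= 0.8:
                findings.append(f"{label!r} looks like a typosquat of {legit!r}")
    return findings
```

Any non-empty result is a reason to stop and navigate to the organisation's site directly (step 5) rather than continue from the QR link.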

Organizational Defenses

Technical Controls

Control                               Function
QR-aware email filtering              Detects and scans QR codes in email bodies and attachments
Mobile device management (MDM)        Enforces web filtering on corporate mobile devices
DNS filtering (corporate and mobile)  Blocks known malicious domains regardless of access method
DMARC/SPF/DKIM                        Prevents domain spoofing in quishing emails
Conditional access                    Restricts authentication to managed devices

Policy Controls

  • Ban QR codes in internal communications — if your organization never uses QR codes in email, any QR code in an internal email is suspicious
  • Require URL previewing — configure mobile devices to preview QR code destinations before opening
  • Establish QR code verification for physical deployments (parking, payments, events)
  • Audit physical QR codes regularly at company locations for tampering

Awareness Training

Include quishing scenarios in phishing simulation programs:

  • Email simulations with embedded QR codes
  • Training on QR code URL preview before opening
  • Physical quishing awareness (checking for overlay stickers)
  • Executive-targeted simulations using MFA enrollment pretexts

Reporting Quishing

  • Internal: Forward quishing emails to your security team or phishing inbox
  • Physical: Report tampered QR codes to the location manager and local law enforcement
  • Federal: Report to FBI IC3 and FTC
  • APWG: Forward quishing emails to [email protected]
  • Brand abuse: Notify the impersonated organization

Key Takeaways

  • Quishing attacks increased fivefold in 2025, with 12% of all phishing containing QR codes
  • QR codes bypass traditional email link scanning by encoding URLs within images
  • Always preview QR code URLs before opening — use your phone’s built-in camera app, not a third-party scanner
  • Physical QR codes can be tampered with — inspect for overlay stickers
  • Organizations should deploy QR-aware email filtering and mobile DNS filtering
  • C-suite executives are 40x more likely to be targeted — include quishing in executive security training

For the complete phishing defense framework, see our phishing recognition and reporting guide.

Security education disclaimer: This article describes QR code phishing techniques for educational purposes only. Understanding quishing methods helps individuals and organizations build effective defenses. Do not use this information to create or distribute malicious QR codes.