QR Code Phishing (Quishing): Why It Works and How to Spot It
QR code phishing exploits the gap between desktop email scanning and mobile QR scanning. Here is how the attack works and how to spot it.
QR code phishing, sometimes called quishing, has emerged as a significant attack vector over the last few years. The mechanism is simple: embed a QR code in an email instead of a clickable link, and rely on the recipient scanning the code with their phone. The scanned URL leads to credential phishing, malware delivery, or other malicious payloads.
This post is a realistic guide to how quishing works, why it succeeds, and how to defend against it.
How Quishing Works
The technical mechanism:
Step one: send an email with a QR code image. The email body contains an image (a QR code) that encodes a URL. The visible text of the email tells the recipient to scan the code with their phone for some routine reason: account verification, document delivery, package tracking, payment authorization.
Step two: rely on the user scanning the code. The user picks up their phone, opens the camera or a QR scanner app, and scans the code. The URL is decoded and the user’s browser navigates to it.
Step three: collect the click or credential. The destination URL is whatever the attacker planned: a credential-phishing page, a malware download, a fraudulent payment page, or a social-engineering follow-up.
The attack is structurally similar to URL-based phishing but uses a different delivery channel for the URL.
Why Quishing Succeeds
Three structural reasons explain why this attack vector has gained traction.
Email security gateways primarily scan textual URLs. Most enterprise gateways (Defender, Proofpoint, Mimecast, Barracuda) extract textual URLs from email bodies and apply URL reputation checks. A URL encoded in a QR code image historically went unscanned because decoding images was not part of the scanning pipeline. This has improved in recent years; many gateways now decode QR codes found in images, but coverage is uneven across products and tiers.
Mobile devices are outside enterprise security perimeters. When the user scans the QR code with their phone, the URL navigation happens on a device that is often outside the enterprise’s network and outside the enterprise’s URL filtering. Even if the desktop email gateway had caught the URL, the phone is operating independently. The scan moves the click to a less-protected surface.
Users trust QR codes. The COVID-19 era normalized QR codes for restaurant menus, payment, and contact tracing. Users now scan QR codes routinely without questioning them. The pattern recognition that flags a suspicious link in an email does not always activate for a QR code in the same email.
The combination produces a high-success-rate attack that exploits the gap between desktop email security and mobile device behavior.
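The gap described above can be made concrete. What follows is an added example, not code from any of the gateways named here: a stdlib-only Python triage that scores a raw message for the three traits that together define quishing, an image part, a scan call to action, and no textual URL for the URL scanner to score. The two sample messages are constructed for the example, the phrase list and scoring thresholds are assumptions, and actual QR decoding is left to a pluggable hook (the image decoder is exactly the piece a text-only pipeline lacks).

```python
# Added example (stdlib only), not code from any gateway named above: score a
# raw message for the traits that together mark the quishing gap. Actual QR
# decoding is left to the decode_qr hook (e.g. wrap pyzbar.decode there).
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from typing import Callable, Optional

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
HREF_RE = re.compile(r"href\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
DATA_IMAGE_RE = re.compile(r"src\s*=\s*[\"']data:image/", re.IGNORECASE)
# Assumed call-to-action phrases; a real deployment would tune this list.
CTA_PHRASES = ("scan the qr code", "scan this qr code", "scan the code",
               "scan this code", "scan with your phone", "use your phone's camera",
               "scan with your authenticator")


@dataclass
class QuishingVerdict:
    score: int = 0
    image_parts: int = 0
    textual_urls: list = field(default_factory=list)
    cta_hits: list = field(default_factory=list)
    decoded_payloads: list = field(default_factory=list)

    @property
    def label(self) -> str:
        return "high" if self.score >= 3 else "medium" if self.score == 2 else "low"


def _text_of(part: Message) -> str:
    raw = part.get_payload(decode=True) or b""
    return raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def analyze_message(raw: str,
                    decode_qr: Optional[Callable[[bytes], Optional[str]]] = None) -> QuishingVerdict:
    v = QuishingVerdict()
    text_blob = ""
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            body = _text_of(part)
            text_blob += body.lower()
            v.textual_urls += URL_RE.findall(body)
            v.textual_urls += [h for h in HREF_RE.findall(body) if h.lower().startswith("http")]
            # An inline base64 data: image is still an image the URL scanner never reads.
            v.image_parts += len(DATA_IMAGE_RE.findall(body))
        elif ctype.startswith("image/"):
            v.image_parts += 1
            if decode_qr is not None:
                payload = decode_qr(part.get_payload(decode=True) or b"")
                if payload:
                    v.decoded_payloads.append(payload)
    v.textual_urls = sorted(set(v.textual_urls))
    v.cta_hits = [p for p in CTA_PHRASES if p in text_blob]
    # The combination is the signal, not any single feature.
    v.score += 1 if v.image_parts else 0
    v.score += 1 if v.cta_hits else 0
    v.score += 1 if (v.image_parts and v.cta_hits and not v.textual_urls) else 0
    v.score += 1 if v.decoded_payloads else 0  # hand these to the URL reputation checks
    return v


# Constructed sample messages for the example (not real campaign artifacts).
_PNG_1X1 = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="

QUISHING_SAMPLE = f"""\
From: "IT Helpdesk" <helpdesk@example-corp.test>
Subject: Action required: password expires today
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Microsoft 365 password expires today.</p>
<p>Scan the QR code below with your phone to re-authenticate.</p>
<img src="cid:qr-image"></body></html>
--b1
Content-Type: image/png
Content-ID: <qr-image>
Content-Transfer-Encoding: base64

{_PNG_1X1}
--b1--
"""

BENIGN_SAMPLE = f"""\
From: Newsletter <news@example-news.test>
Subject: May issue
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:logo"><p>Read this month's issue at
<a href="https://newsletter.example.test/issue/42">our site</a>.</p></body></html>
--b2
Content-Type: image/png
Content-ID: <logo>
Content-Transfer-Encoding: base64

{_PNG_1X1}
--b2--
"""

if __name__ == "__main__":
    for name, sample in (("quishing", QUISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_message(sample))
```

The scoring is deliberately conjunctive: a newsletter with a logo and links scores low, while a message whose only actionable content is an image plus "scan this" scores high even before any decoder runs. Plugging a real decoder into decode_qr turns the extracted payload into an ordinary URL that the existing reputation checks can score.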
What Quishing Looks Like in Practice
Common patterns:
Account verification. “Your Microsoft 365 password expires today. Scan the QR code to re-authenticate.” The QR code leads to a credential phishing page mimicking Microsoft login.
Package delivery. “Your package could not be delivered. Scan the QR code to schedule redelivery.” The QR code leads to a fraudulent payment page asking for shipping fees.
Document delivery. “Your tax document is ready. Scan the QR code to access.” The QR code leads to a credential phishing page or a malware download.
Multi-factor authentication setup. “Your MFA needs to be re-enrolled. Scan this QR code with your authenticator app.” The QR code encodes an authenticator (otpauth) URI the attacker controls, so the entry it adds to the user’s authenticator app is one the attacker set up.
Payment authorization. “Authorize this transfer by scanning the QR code with your banking app.” The QR code initiates an unauthorized transaction.
The pattern is consistent: a plausible-sounding business reason for QR code use, followed by a malicious destination.
What Standard Defenses Do and Do Not Do
Native mailbox-provider filtering. Catches obvious high-volume, template-driven quishing campaigns. Does not catch targeted quishing where the email is well-crafted.
Defender, Proofpoint, Mimecast, Barracuda (modern versions). Increasingly include QR code scanning as part of their image-content analysis. The URL extracted from the QR code is scored against URL reputation databases. Coverage has improved meaningfully since 2023 but is not universal.
Mobile QR scanner apps. Some QR scanner apps (notably Apple’s Camera app in newer iOS versions) display the URL before navigating. This gives the user a chance to inspect the URL. Other QR scanners navigate directly without showing the URL.
Mobile browsers and OS. Some mobile platforms apply URL reputation checks at navigation time. Coverage varies by browser and platform. Newly registered domains often pass the checks during a window of hours to days.
Awareness training. Trained users learn to be skeptical of QR codes in unsolicited emails. The training is genuinely useful but produces partial results.
The honest summary: standard defenses catch some quishing but not all. Targeted versions engineered around specific organizational workflows often pass.
Practical Defenses
Concrete steps that meaningfully reduce risk:
Inspect the decoded URL before opening it. Use a QR scanner app or phone camera that displays the URL before opening it. iPhone’s Camera app, most modern Android cameras, and dedicated apps like NeoReader, QR Code Reader by TWMobile, or Trend Micro QR Scanner all support this.
Verify with the apparent sender. A QR code claiming to be from your IT department, your bank, or a vendor warrants verification through a non-email channel. A two-minute phone call to confirm the QR code is legitimate prevents most attacks.
Disable automatic URL navigation. Some QR scanners can be configured not to auto-navigate to scanned URLs. The setting prompts the user before opening the URL.
Use enterprise-managed devices for sensitive actions. When possible, scan QR codes related to credential or payment workflows on enterprise-managed devices that have URL filtering, not on personal phones.
Train staff specifically on quishing. Generic phishing training rarely covers QR codes adequately. A specific module on quishing is high-value.
Configure URL filtering on managed mobile devices. For organizations with MDM, enable URL filtering on managed phones. Coverage of QR-decoded URLs depends on the product but is improving.
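Two of the steps above, inspecting the decoded string before opening it and treating authenticator re-enrollment QR codes with suspicion, can be partly automated. The following is an added example, not code from any scanner app named above; the brand, shortener and threshold lists are assumptions for illustration, and it deliberately covers only what can be judged offline from the string itself, since reputation and domain-age checks need network access.

```python
# Added example (stdlib only): triage the string a QR scanner shows before
# navigating. Lists below are illustrative assumptions, not a vetted feed.
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

EXPECTED_BRAND_DOMAINS = {  # assumed: brand keyword -> domains it legitimately uses
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "paypal": {"paypal.com"},
}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "rebrand.ly"}
RISKY_SCHEMES = {"javascript", "data", "intent", "file"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); use a Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_qr_payload(payload: str) -> dict:
    """Return scheme, host, a list of findings, and whether opening looks safe."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme == "otpauth":
        # otpauth://totp/Issuer:account?secret=...&issuer=...  (authenticator enrollment)
        label = unquote(parts.path.lstrip("/"))
        issuer_param = parse_qs(parts.query).get("issuer", [""])[0]
        issuer_label = label.split(":", 1)[0] if ":" in label else ""
        findings.append(f"authenticator enrollment URI for '{label}'")
        if issuer_param and issuer_label and issuer_param != issuer_label:
            findings.append("issuer mismatch between label and parameter")
        findings.append("only enroll from a flow you started yourself")
        return {"scheme": scheme, "host": "", "findings": findings, "open": False}

    if scheme in RISKY_SCHEMES:
        findings.append(f"non-navigational scheme '{scheme}'")
    if scheme not in ("http", "https"):
        return {"scheme": scheme, "host": "", "findings": findings or ["unrecognised scheme"],
                "open": False}

    host = (parts.hostname or "").lower()
    if parts.username is not None:
        findings.append("userinfo before the host (the real host is after '@')")
    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")
    if scheme == "http":
        findings.append("plaintext http")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    # Brand keyword anywhere in userinfo, host or path while the registrable
    # domain is not one the brand uses: the classic lookalike tell.
    haystack = f"{parts.username or ''}{host}{parts.path}".lower()
    for brand, legit in EXPECTED_BRAND_DOMAINS.items():
        if brand in haystack and reg not in legit:
            findings.append(f"'{brand}' appears in URL but domain is {reg}")
    if host.count(".") >= 4:
        findings.append("deep subdomain nesting")
    return {"scheme": scheme, "host": host, "findings": findings, "open": not findings}


if __name__ == "__main__":
    for sample in ("https://login.microsoftonline.com/common/oauth2/authorize",
                   "https://login.microsoft.com@198.51.100.7/verify",
                   "otpauth://totp/Contoso:user@contoso.test?secret=JBSWY3DPEHPK3PXP&issuer=Attacker"):
        print(sample, "->", triage_qr_payload(sample))
```

Run it on the string the camera shows and treat any finding as a reason to verify out of band. An empty finding list is not a clean bill of health, only the absence of the obvious tells; a newly registered domain with a plausible name passes every check here, which is why the out-of-band verification step above remains necessary.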
Where an Inbox-Layer Filter Fits
Quishing arrives as email messages, so the inbox-layer filtering applies:
Mass quishing campaigns. A 1,000-recipient blast becomes uneconomical when reaching each recipient costs four cents. The mass version of quishing does not run at that price.
Unknown-sender quishing. A QR-code email from a sender not on the user’s guest list goes through the cover-charge gate or the held-for-review folder. The user is more likely to inspect a held message before scanning the code than to inspect a message that auto-arrived in the inbox.
Targeted quishing. A precision attack from a sender willing to pay the cover charge or impersonating a sender on the guest list still arrives. The cover-charge gate does not solve the targeted case. When the impersonator pays, the email arrives with a PAID label attached, which is itself a useful signal: anyone the user already knows would be on the guest list and would not pay a cover charge. Procedural defenses (verifying before scanning) are still required.
A Specific Honest Note
Quishing is a real attack vector that exploits a structural gap between desktop email security and mobile device behavior. The defenses are improving but not yet uniform.
The most impactful single defense is using a QR scanner that shows the URL before navigating, combined with awareness of why an email is asking for a QR scan. Verification with the sender through a non-email channel handles the targeted cases.
Rythm’s role is to reduce the volume of mass-volume quishing reaching users by making the campaign math uneconomical. The targeted version still requires user awareness and procedural defenses.
For the related guides, see the anatomy of a modern phishing email, calendar invite phishing: the vector nobody saw coming, the lookalike domain problem, and phishing awareness training: what it catches and what it misses. For the broader frame, see why phishing emails are getting harder to spot in 2026 and what is BEC. Rythm is $1.65 per month, cancel anytime.