
Quishing: Phishing Through QR Codes

Elena Moccia
01/10/2025

What Quishing is and Why it Puts Companies and Users at Risk

QR codes have become part of everyday life. We scan them to access services, order at restaurants, redeem promotions. This familiarity has turned the technology into an ideal target for cybercriminals. That’s where quishing comes from: QR + phishing. Attackers exploit QR codes to trick users into entering sensitive information or opening links that hide malicious code.

The consequences can be severe. Quishing can lead to credential theft, identity fraud, or the spread of malware, ransomware, and spyware capable of compromising entire corporate networks. For businesses, the risk goes beyond data loss, threatening business continuity and reputation, with direct financial repercussions.

Quishing vs Phishing: the Difference

The distinction is straightforward. Classic phishing usually arrives through email or SMS, while quishing uses a QR code as its delivery mechanism.

A QR code is a two-dimensional image that typically contains a URL. When scanned with a smartphone or dedicated reader, the user is redirected to the stored link. In a quishing attack, that link points to a fraudulent site designed to mimic a legitimate page and steal login credentials, banking details, or other information. In some cases, the fake site prompts the user to download malicious files or apps, or to trigger actions that compromise the device.

How a Quishing Attack Works

A QR code that looks harmless can hide a fraudulent link. A single scan can redirect to a clone of a banking portal or corporate webmail login page, with the sole purpose of stealing usernames, passwords, credit card numbers, or sensitive data.

Because QR codes are now everywhere, people often perceive them as inherently safe. Cybercriminals take advantage of that misplaced trust, embedding malicious links in codes sent by email or printed on paper. In many cases, users scan these codes with their smartphones while working on their laptops, and that switch between devices makes them less cautious. They open the link automatically, which lowers the barrier for a successful attack.

The situation becomes even more dangerous when mobile devices lack advanced protection such as endpoint security, DNS filtering, or content gateways. Without these layers of defense, a malicious QR code has a much higher chance of hitting its target.

Real-World Examples

Fraudulent Emails

Attackers send fake emails that replicate the style of official communications from banks, couriers, or social networks. The message includes a QR code with an alarming pretext, like “immediate password reset” or “pending payment”.

Caught off guard, the recipient scans the code without hesitation. They are redirected to a cloned site that looks identical to the real one and are prompted to enter credentials, banking details, or other personal information. Once collected, the data is used for identity theft or financial fraud.

The Postal Scam

Some fraudsters have taken phishing offline. They send physical letters designed to look like official notices from public institutions or well-known organizations. Inside, they include a QR code that leads to a fraudulent website when scanned.

The fake site mimics the real one, and victims end up providing sensitive or financial data, which criminals then exploit to steal money or commit identity theft.

How to Defend Against Quishing

When QR codes bypass security filters, the responsibility falls on the user. The same rules that apply to traditional phishing are valid here: check the sender’s credibility, ask yourself if you expected that communication, and be wary of urgency or pressure tactics.
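The same credibility check can be automated once a QR payload has been decoded, for example when triaging a reported email. The sketch below is an added example, not Qboxmail code: the function name `triage_qr_url`, the `TRUSTED` list, and all sample domains are constructed assumptions, and the brand comparison is deliberately naive (no public-suffix list).

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the claimed sender really uses (constructed sample values).
TRUSTED = ("examplebank.com", "examplecourier.com")

def triage_qr_url(payload, trusted=TRUSTED):
    """Return the reasons a URL decoded from a QR code deserves suspicion."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return ["payload is not an http(s) URL"]

    findings = []
    if parts.scheme != "https":
        findings.append("no TLS")
    # In "https://bank.com@198.51.100.1/" the real host is what follows '@'.
    if parts.username or parts.password:
        findings.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain")
    except ValueError:
        pass  # an ordinary hostname
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph)")

    # Trusted means the host is the sender's domain or a subdomain of it.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        findings.append("host is not a domain of the claimed sender")
        # A trusted brand name inside an untrusted host is the cloned-site pattern.
        for d in trusted:
            if d.split(".")[-2] in host:
                findings.append("imitates trusted domain " + d)
    return findings

if __name__ == "__main__":
    # Constructed payloads, as they would come out of a QR decoder.
    for sample in ("https://login.examplebank.com/reset",
                   "http://examplebank.com.secure-reset.example.net/login",
                   "https://examplebank.com@203.0.113.7/"):
        print(sample, "->", triage_qr_url(sample) or "no findings")
```

An empty result only means none of these heuristics fired; it does not prove the destination is legitimate.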

One of the most effective defenses is two-factor authentication (2FA). Even if attackers manage to steal credentials through a cloned site, without the second factor they cannot access the account. Enabling 2FA is simple and highly effective, which is why Qboxmail integrates it natively to provide an extra layer of protection.

Other useful practices include:

Quishing is just the latest evolution of phishing techniques. Defending against it requires a mix of technology, awareness, and good practices.
With solutions like Qboxmail’s built-in 2FA and a secure approach to business email management, reducing the risk is not only possible but well within reach.

