What Is Quishing? Understanding the QR Code Phishing Threat in 2026

Quishing is not an emerging threat anymore. It is here, and it is scaling fast. What started as a fringe attack technique has quietly grown into one of the most effective phishing vectors in use today.

Cybercriminals adopted QR codes for a precise reason. The destination is unreadable until the code is scanned, the URL is invisible to email security tools that only inspect text, and the code is almost always scanned on a personal mobile device outside the corporate security perimeter.

Most organizations have updated their firewalls, tightened their endpoint controls, and trained employees to spot suspicious links. Quishing sidesteps those controls by moving the click off the monitored device. And most security awareness programs have not caught up yet.

What Is Quishing?

Quishing combines two words: QR code and phishing. It uses malicious QR codes to redirect victims to fraudulent websites or trigger malware downloads. The term is simple. The threat is not.

Three structural qualities make QR codes uniquely dangerous as an attack vector:

  • Human eyes cannot verify the destination: A hyperlink can be read before clicking. A QR code cannot. The payload is invisible until the damage is done.
  • Most email security gateways scan text, not images: A malicious URL typed into an email body gets flagged. The same URL encoded inside a QR code image is invisible to any gateway that does not render the image and decode the code.
  • Mobile devices are the primary scanner, and the weakest link: Corporate endpoints carry endpoint detection, web proxies, and DNS filtering. Personal phones typically carry none of that.

This was not always a headline threat. In 2021, QR codes accounted for just 0.8% of phishing payloads. By 2025, that figure had reached 12%. That is not gradual drift. That is a structural shift in how attackers operate. (Source: Keepnet)

How Quishing Attacks Are Executed

Attackers deploy quishing across four distinct vectors:

  • Email-based: A phishing email carries an embedded QR code instead of a clickable link. Because the URL never appears as text, text-based URL filtering never sees it. The victim scans it on their phone, outside the corporate security perimeter.
  • Physical sticker attacks: Criminals print fake QR codes and paste them over legitimate ones. Parking meters, restaurant tables, and retail payment points are common targets. In 2025, fake sticker attacks across 200 store locations caused $2.3 million in damage control costs alone. (Source: Keepnet)
  • Document-embedded: QR codes appear inside PDFs, invoices, and corporate attachments. The file looks clean to every scanning tool. The threat lives in the decoded destination.
  • Corporate impersonation: Attackers build fake HR portals, benefits enrollment pages, and MFA reset screens. Employees receive urgent instructions to scan and verify. The page that loads harvests their credentials.

Once a victim scans, the payload options include credential harvesting, malware delivery, OAuth token theft, and session token replay. That last one is particularly dangerous. In an adversary-in-the-middle setup the phishing page proxies the real login, so the victim completes MFA themselves and the attacker captures the resulting session cookie. Replaying that cookie gives the attacker an authenticated session with no failed login and no failed MFA prompt to trigger an alert.
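Because the login itself succeeds, the detection has to key on what replay does leave behind: the same session used from a second client shortly after it was minted. The script below is an added example written for this page, not ECCU's code or a vendor rule. It runs over a constructed sign-in log (the field names, users and addresses are invented), flags a session reused from a different IP and user agent inside a one-hour window, and also counts failed logins so the analyst can see that the traditional alert would have fired zero times.

```python
"""Detect session-token replay after an MFA-satisfied sign-in.

An adversary-in-the-middle phishing page relays the victim's real MFA, so the
identity provider logs a clean success. What it cannot hide is the same
session being used from a second client shortly afterwards.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in/activity log (not real telemetry), one JSON
# object per line: alice completes MFA on her phone, then her session id is
# used nine minutes later from a different IP and browser, which creates a
# mailbox rule. bob's session is only ever used from its origin.
SAMPLE_LOG = """\
{"ts": "2025-06-03T09:00:12Z", "event": "login.success", "user": "alice", "session": "S-7f3a", "ip": "203.0.113.10", "ua": "iPhone Safari", "mfa": true}
{"ts": "2025-06-03T09:01:40Z", "event": "app.access", "user": "alice", "session": "S-7f3a", "ip": "203.0.113.10", "ua": "iPhone Safari"}
{"ts": "2025-06-03T09:09:55Z", "event": "app.access", "user": "alice", "session": "S-7f3a", "ip": "198.51.100.77", "ua": "Chrome Linux"}
{"ts": "2025-06-03T09:10:30Z", "event": "mail.rule.create", "user": "alice", "session": "S-7f3a", "ip": "198.51.100.77", "ua": "Chrome Linux"}
{"ts": "2025-06-03T09:15:00Z", "event": "login.success", "user": "bob", "session": "S-11c9", "ip": "192.0.2.8", "ua": "Windows Edge", "mfa": true}
{"ts": "2025-06-03T10:15:00Z", "event": "app.access", "user": "bob", "session": "S-11c9", "ip": "192.0.2.8", "ua": "Windows Edge"}
"""

# Assumption: how long after minting a session a second client is suspicious.
REPLAY_WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse JSON-lines log text into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replay(events, window=REPLAY_WINDOW):
    """Alert when a session is used from a second (ip, user agent) pair within
    `window` of the login that minted it. The MFA state of that login is kept
    on the alert so the analyst sees there was no failed-MFA trail to find."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        logins = [e for e in evs if e["event"] == "login.success"]
        if not logins:
            continue                      # token seen without a login: out of scope here
        minted = logins[0]
        origin = (minted["ip"], minted["ua"])
        for e in evs:
            if (e["ip"], e["ua"]) != origin and e["ts"] - minted["ts"] <= window:
                alerts.append({
                    "user": minted["user"],
                    "session": sid,
                    "origin": origin,
                    "replay_from": (e["ip"], e["ua"]),
                    "minutes_after_login": round((e["ts"] - minted["ts"]).total_seconds() / 60, 1),
                    "mfa_satisfied": bool(minted.get("mfa")),
                    "first_action": e["event"],
                })
                break                     # one alert per session is enough to open a case
    return alerts


def count_failed_logins(events):
    """How many failed logins the traditional 'MFA failure' alert would see."""
    return sum(1 for e in events if e["event"] == "login.failure")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in find_session_replay(evs):
        print(alert)
    print("failed logins:", count_failed_logins(evs))
```

The window and the (IP, user agent) comparison are deliberately blunt; a production rule would compare ASN or device identity and tolerate a mobile client changing addresses, but the shape is the point: after an AitM compromise the signal is in session reuse, not in authentication failures.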

The quishing attack lifecycle

Why Traditional Security Controls Fail

Security infrastructure was built for a different threat. Most email gateways parse text. They flag malicious URLs in message bodies. They do not decode QR codes embedded in images. That architectural gap is the entire foundation of quishing’s success.
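Decoding the image only closes half of the gap; the decoded string still has to be judged. The function below is an added example for this page (not ECCU's code or any vendor's product) showing the checks a gateway, or a cautious user previewing a scan, would apply to a decoded QR payload: non-web payload types that make the scanner app act rather than browse, non-HTTP schemes, punycode or raw-IP hosts, shorteners, a protected brand name sitting on someone else's domain, credential-style paths, and open-redirect wrappers whose inner URL is triaged recursively. The brand list, shortener list and the two-label approximation of a registrable domain are assumptions for the example.

```python
"""Triage the decoded payload of a QR code before anyone opens it.

Decoding is the step text-only gateways skip; this is the check that has to
come after it. The code image is opaque, but the decoded text is just a
string, and a string can be inspected the same way a typed URL can.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions for the example: the brands this organization protects and the
# registrable domains those brands actually use. Extend for your own tenant.
PROTECTED_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "google": {"google.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
# Assumption: a short list of shorteners; production systems use a maintained feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "qrco.de"}
HARVEST_HINTS = ("login", "signin", "verify", "mfa", "reset", "sso", "auth", "benefits")
NON_WEB_TYPES = {"WIFI", "TEL", "SMS", "SMSTO", "MAILTO", "MATMSG", "GEO", "BEGIN"}
SEVERITY = {"allow": 0, "review": 1, "block": 2}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels. A public
    suffix list is needed for co.uk-style TLDs; kept simple here on purpose."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(payload, depth=0):
    """Return (verdict, reasons) for a decoded QR string. Verdicts: allow,
    review, block, or non-web for payloads that are not URLs at all."""
    text = payload.strip()
    head = text.split(":", 1)[0].upper()
    if head in NON_WEB_TYPES:
        return "non-web", [f"{head}: payload asks the scanner app to act, not to browse"]
    parts = urlsplit(text)
    if not parts.scheme:
        return "non-web", ["plain text payload, no URL"]

    reasons, verdict = [], "allow"

    def note(level, msg):
        nonlocal verdict
        reasons.append(msg)
        if SEVERITY[level] > SEVERITY[verdict]:
            verdict = level

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        note("block", f"non-web scheme '{scheme}:' can launch apps or run script")
        return verdict, reasons
    host = parts.hostname or ""
    if scheme == "http":
        note("review", "plain http: destination can be rewritten in transit")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        note("block", f"internationalized/punycode host {host!r}: lookalike risk")
    if host.replace(".", "").isdigit():
        note("review", f"raw IP address {host} instead of a hostname")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        note("review", f"shortener {reg} hides the final destination")
    for brand, real in PROTECTED_BRANDS.items():
        if brand in host and reg not in real:
            note("block", f"'{brand}' appears in the hostname but the registrable domain is {reg}")
    if any(h in parts.path.lower() for h in HARVEST_HINTS):
        note("review", f"credential-style path {parts.path}")
    # Open-redirect wrappers: a query value that is itself a URL. Triage it too,
    # because the wrapper's domain may be trusted while the target is not.
    if depth < 3:
        for key, values in parse_qs(parts.query).items():
            for value in values:
                inner = unquote(value)
                if inner.lower().startswith(("http://", "https://")):
                    inner_verdict, inner_reasons = triage(inner, depth + 1)
                    level = inner_verdict if inner_verdict in SEVERITY else "review"
                    note(level, f"redirect parameter '{key}' leads to {inner} ({inner_verdict})")
                    reasons.extend("    " + r for r in inner_reasons)
    return verdict, reasons
```

A payload with no scheme at all (just `example.com/login`) is reported as plain text here even though many phone camera apps will still open it as a URL; a deployment should normalise such strings by prepending `https://` before triage. The reasons list is what goes into the quarantine notice or the user prompt, so the person deciding sees why a code was held rather than just a verdict.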

The BYOD problem makes it worse. An employee receives a phishing email on their work laptop. They scan the QR code with their personal phone. At that moment, the attack has moved off the managed corporate network onto a device with no endpoint detection, no web proxy, and no DNS filtering. The credentials they enter never touch a system the security team monitors.

Attackers are also evolving their evasion. Researchers at Barracuda documented campaigns using split and nested QR codes to fragment malicious payloads across multiple image elements. Tools that might flag a single complete QR code miss the fragmented version entirely.
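Before anything can be decoded, the gateway has to find every part of the message that could carry a code, including a code sliced into several inline images. The script below is an added example for this page, not ECCU's or any product's code. It builds a constructed "benefits enrollment" lure with Python's standard email library (the sender, recipient and attachment are invented; the images are a 1x1 PNG and the PDF is a stub), walks the MIME tree to list every image and PDF part that a decoder should receive, and reports structural indicators: an HTML body whose only call to action is imagery, a tiled grid of inline images of the kind the Barracuda research describes, and a document attachment that must be rendered page by page. The decoding step itself (for example with zbar or OpenCV's QR detector) is the next stage and is not shown.

```python
"""Locate every place in an email where a QR code can hide, so each one can be
rendered and handed to a decoder. A URL filter that only reads text sees none
of them, and a filter that decodes single images misses a code split into tiles."""
import base64
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample bytes: a 1x1 PNG and a stub standing in for a PDF.
PNG_1X1 = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==")
FAKE_PDF = b"%PDF-1.4\n% constructed stand-in, not a real document\n"


def build_sample_eml():
    """Construct a 'benefits enrollment' lure: the HTML body's only call to
    action is a 2x2 grid of inline images (a split-QR layout) and a PDF is
    attached. Sample data for this example, not a real campaign artefact."""
    msg = EmailMessage()
    msg["From"] = "HR Benefits <hr-benefits@example.test>"
    msg["To"] = "alice@example.test"
    msg["Subject"] = "Action required: 2025 benefits enrollment"
    msg.set_content("Scan the code in the HTML version of this message.")
    msg.add_alternative(
        '<html><body><p>Scan with your phone to complete enrollment within 24 hours.</p>'
        '<table><tr><td><img src="cid:q1"></td><td><img src="cid:q2"></td></tr>'
        '<tr><td><img src="cid:q3"></td><td><img src="cid:q4"></td></tr></table>'
        '</body></html>', subtype="html")
    html_part = msg.get_payload()[1]
    for cid in ("q1", "q2", "q3", "q4"):
        html_part.add_related(PNG_1X1, "image", "png", cid=f"<{cid}>")
    msg.add_attachment(FAKE_PDF, maintype="application", subtype="pdf", filename="enrollment.pdf")
    return msg.as_bytes()


class CtaScanner(HTMLParser):
    """Count clickable links and images, and note how images are tiled in rows."""
    def __init__(self):
        super().__init__()
        self.links = 0
        self.cid_images = []          # inline images referenced as cid:
        self.remote_images = 0        # images fetched from the web at render time
        self.images_per_row = []      # image count for each <tr> that held any
        self._row = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and (a.get("href") or "").lower().startswith(("http://", "https://")):
            self.links += 1
        elif tag == "img":
            src = a.get("src") or ""
            if src.lower().startswith("cid:"):
                self.cid_images.append(src[4:])
            else:
                self.remote_images += 1
            if self._row is not None:
                self._row += 1
        elif tag == "tr":
            self._row = 0

    def handle_endtag(self, tag):
        if tag == "tr" and self._row:
            self.images_per_row.append(self._row)
        if tag == "tr":
            self._row = None


def find_qr_candidates(raw_bytes):
    """Walk the MIME tree and return the parts a decoder must look at plus the
    structural indicators that make this message look like a QR lure."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    candidates, indicators = [], []
    scan = CtaScanner()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            scan.feed(part.get_content())
        elif part.get_content_maintype() == "image":
            cid = (part.get("Content-ID") or "").strip("<>")
            candidates.append({"kind": "image", "cid": cid or None, "bytes": len(part.get_content())})
        elif ctype == "application/pdf":
            candidates.append({"kind": "pdf", "filename": part.get_filename(), "bytes": len(part.get_content())})
    if scan.links == 0 and scan.cid_images:
        indicators.append(f"image-only call to action: 0 links, {len(scan.cid_images)} inline images")
    if len(scan.cid_images) >= 2 and len(scan.images_per_row) >= 2:
        indicators.append(f"tiled grid of {len(scan.cid_images)} inline images: possible split/nested QR")
    if scan.remote_images:
        indicators.append(f"{scan.remote_images} remote images: fetch and decode at scan time")
    if any(c["kind"] == "pdf" for c in candidates):
        indicators.append("PDF attachment: render each page and decode before delivery")
    return {"candidates": candidates, "indicators": indicators}
```

The tiled-grid indicator matters because a decoder that is fed each image separately finds nothing; the tiles have to be composited in the order the HTML table lays them out and decoded as one image. The same walk also surfaces remote images, which an attacker can leave blank until after delivery, so the decode has to happen at scan time with the fetched bytes rather than at gateway time.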

There is also a behavioral dimension that technology cannot fully solve. Scanning a QR code feels routine. It feels safe. That perception is the attack surface.

Real-World Quishing Incidents

The threat is not theoretical. Attack patterns across industries reveal how far quishing has already traveled.

In financial services, attackers build convincing replicas of banking login pages. Victims scan, enter credentials, and hand over account access. Eighteen percent of quishing incidents have specifically targeted online banking pages. (Source: QR Tiger)

In the corporate sector, nation-state actors have adopted quishing for precision targeting. In mid-2025, the FBI documented a campaign where attackers sent fake conference invitations to strategic advisory firms. Each email carried a QR code. Scanning it led to a forged Google login page. These attacks ended with session token theft, MFA bypass, and persistent access to cloud accounts, with no MFA failure alert generated.

In physical environments, parking payment terminals and EV charging stations have become soft targets. The attacker does not need a single line of code to reach the victim. A printed sticker is enough.

One stat puts the executive risk in stark relief. C-suite leaders are 40 times more likely to be targeted by quishing emails than their employees. (Source: Keepnet)

Defending Against Quishing: A Layered Approach

No single control stops quishing. Defense requires multiple layers working together.

For security teams:

  • Deploy email security tools with native QR code and image analysis capability
  • Implement MDM policies that restrict QR scanning to approved, monitored apps
  • Update security awareness training to include QR-specific attack scenarios
  • Build QR-vector procedures into your incident response playbooks

For individuals:

  • Preview the destination URL before opening any scanned link
  • Never scan a QR code from an unexpected email, even if it looks internal
  • Inspect physical QR codes for signs of tampering, particularly stickers over originals
  • Use official apps for financial transactions rather than scanning payment QR codes

How ECCU Prepares Security Professionals for Evolving Threats

Quishing is a social engineering attack. Understanding it requires more than knowing the definition. It requires knowing how attackers think, how organizations fail, and how to build defenses that hold when the threat evolves.

ECCU’s cybersecurity curriculum covers this directly. The Ethical Hacking and Countermeasures course addresses the full social engineering attack surface. The incident management and cyber operations program builds the skills to contain and investigate breaches that begin with social engineering, including QR-initiated compromises. Security awareness runs as a thread across the MSCS program and nondegree offerings.

The broader lesson from quishing applies to every emerging threat. Attack vectors follow human behavior. Wherever trust exists, an attack surface forms. Security education must evolve at the same pace.

Conclusion

QR codes are not going away. Neither is quishing. The technology is too useful, the adoption too deep, and the trust too well established for attackers to walk away from this vector.

The organizations that stay ahead will not do it through tools alone. They will do it by training people to pause before they scan, equipping security teams with controls built for image-based threats, and building response capabilities that account for attacks originating outside the corporate perimeter.

Quishing is a reminder that in cybersecurity, the attack surface is not just technical. It is human.

Explore ECCU’s cybersecurity programs and see how the curriculum prepares professionals for the threats that matter today.

Frequently Asked Questions

What is quishing?

Quishing is a cyberattack that uses malicious QR codes to redirect victims to fraudulent websites or trigger malware downloads. The name combines “QR code” and “phishing.” What makes it dangerous is invisibility. Unlike a hyperlink, a QR code destination cannot be read before scanning. The attack lands on a personal mobile device, outside the corporate security perimeter, before any security tool has a chance to intervene. Quishing sits within the broader family of social engineering attacks that exploit human trust rather than technical vulnerabilities.

How can I protect myself from quishing?

Start with habit. Always preview the destination URL before opening a scanned link. Most modern smartphone cameras show the decoded link, or at least its domain, before opening it. Never scan a QR code from an unexpected email, even if it appears to come from a known sender. In physical environments, check for sticker tampering before scanning payment or parking codes. For financial transactions, use the official app instead. If you want a deeper look at safe scanning practices, ECCU’s resource on QR code scams covers best practices in detail.

Can a QR code contain malware?

Not directly. A QR code itself is just encoded data. It cannot carry or execute malware on its own. What it can do is redirect your device to a malicious website that downloads malware, harvests credentials, or steals session tokens. The threat lives in the destination, not the code. One caveat: a QR code can also encode non-URL actions, such as joining a Wi-Fi network or adding a contact, which the scanning app may offer to perform, so preview the decoded content whatever form it takes. Because the attack almost always lands on a mobile device, understanding mobile application security is relevant context for anyone looking to reduce their exposure.

What is the difference between phishing and quishing?

Phishing is the broader attack category. It uses deceptive messages, typically via email, to trick people into handing over credentials or clicking malicious links. Quishing is a specific delivery method within phishing. It replaces the clickable link with a QR code, which text-only email filters do not inspect, and shifts the attack to a mobile device. The goal is identical. The delivery mechanism is what changes, and that change is precisely what makes quishing harder to detect and defend against. Both are part of a growing threat landscape in 2026 that security teams need to actively prepare for.

How common is quishing?

Very common, and growing. In 2025, quishing accounted for 12% of all phishing attacks globally, up from just 0.8% in 2021. Attacks increased fivefold between 2023 and 2025. Mimecast alone detected over 716,000 unique malicious QR codes in a single quarter of 2025. The trajectory is not slowing. As QR code adoption deepens across payments, logistics, and enterprise workflows, the attack surface keeps expanding.
