QR codes are everywhere. Restaurants use them for menus. Parking meters use them for payment. Businesses print them on flyers, business cards, and product packaging. They have become so common that most people scan them without a second thought — and that is exactly what cybercriminals are counting on.
TL;DR — Key Takeaways
- ✓ Quishing attacks use fake QR codes to steal credentials and install malware
- ✓ QR code attacks are surging because the URL is invisible until scanned, the code is an image that text-based link filters ignore, and the landing page opens on a phone outside most corporate controls
- ✓ Every quishing attack follows the same pattern: a legitimate-looking code in an email, on a sticker, in a mailed invoice or in a social post sends the victim to a credential-harvesting page or a malware download
Visual Overview
flowchart LR
A["Fake QR Code Placed"] --> B["Victim Scans Code"]
B --> C["Redirected to Fake Site"]
C --> D["Enters Credentials"]
D --> E["Account Compromised"]
Quishing — a combination of "QR" and "phishing" — is a rapidly growing attack method that uses QR codes to direct victims to malicious websites, trick them into entering credentials, or even install malware on their devices. It is phishing adapted for a world that has grown comfortable scanning black-and-white squares with their phones.
Why QR Code Attacks Are Surging
QR codes exploded in popularity during the pandemic when contactless interactions became the norm. But their widespread adoption created a massive new attack surface that cybercriminals have been quick to exploit.
Several factors make QR codes uniquely attractive to attackers:
- You cannot read the URL by looking at the code — unlike a link in an email, where you can hover to preview the destination, a QR code only gives up its URL once a scanner app decodes it, and a shortened or redirecting link hides the final destination even then
- They bypass email security filters — most email security tools check text links against reputation lists but do not decode URLs embedded in images, so a QR code in an attachment passes untouched unless the product does image analysis
- People trust them implicitly — QR codes feel "official" and are associated with legitimate businesses and services
- They move the victim to a mobile device — the landing page opens on a phone, which usually sits outside the web proxy, URL filtering and endpoint protection that cover office computers
- They are trivially easy to create — anyone can generate a QR code pointing to any URL in seconds, for free
Quishing exploits a fundamental gap in human awareness: we have been trained to be suspicious of links in emails, but most people will scan a QR code without hesitation.
How Quishing Attacks Work
Quishing attacks come in several forms, but they all follow the same basic pattern — present a QR code that appears legitimate, get the victim to scan it, and direct them to a malicious destination.
Email-Based Quishing
The most common method involves sending an email that contains a QR code image instead of (or in addition to) a traditional phishing link. The email might claim to be from Microsoft, your bank, a shipping company, or your company's IT department. It asks you to scan the QR code to verify your identity, update your password, view a document, or complete some other urgent task.
Because the malicious URL is hidden inside an image rather than written as text, it passes any email security filter that does not decode QR images, which is still most of them. That is what makes email-based quishing effective, and it is the technique most commonly aimed at businesses. For more on recognizing these threats, see our guide on how to spot phishing emails.
Physical QR Code Tampering
Attackers print malicious QR code stickers and place them over legitimate ones in public spaces. A common example involves parking meters — criminals stick a fake QR code over the real payment code, directing drivers to a look-alike payment page that captures their credit card information. This same technique is used on restaurant table tent cards, public bulletin boards, and transit station signs.
Business Document Quishing
Attackers send physical mail — letters, invoices, or notices — that contain QR codes. Because the document arrived through traditional mail, victims assume it is legitimate. The QR code might direct to a fake payment portal, a credential harvesting page, or a malware download.
Social Media and Messaging Quishing
Fake QR codes are shared through social media posts, direct messages, and messaging platforms. They might promise exclusive deals, event tickets, or contest entries. Similar tactics are used in text message scams (smishing), where the delivery method is the primary difference.
Real-World Quishing Scenarios
These attacks are not hypothetical. They are happening right now, and small businesses are frequently the target.
The fake Microsoft 365 login: An employee receives an email from what appears to be IT support, stating their Microsoft 365 account needs verification. The email contains a QR code "for security purposes." Scanning it opens a convincing replica of the Microsoft login page on the employee's phone. They enter their credentials, which go straight to the attacker. Within hours, the attacker has access to the company's email, SharePoint files, and Teams conversations.
The parking meter scam: A business owner scans a QR code on a parking meter downtown, entering credit card details on what looks like the city's payment page. The card number is harvested and used for fraudulent purchases within the day.
The fake invoice: A company receives a physical letter with a QR code for "convenient online payment." The QR code leads to a fake payment portal. The business pays a fraudulent invoice, and the money disappears.
In 2025, security researchers reported a 400% increase in quishing attacks compared to the previous year. The trend is accelerating because these attacks work — and they are cheap to execute.
Why Your Business Is at Risk
Small businesses face heightened quishing risk for several reasons:
- Employee personal devices — staff often scan QR codes on personal phones that lack corporate security controls
- Shared workspaces — co-working spaces, conference venues, and shared lobbies are prime locations for QR code tampering
- Customer-facing QR codes — if your business uses QR codes for payments, menus, or marketing materials, attackers can target your customers by placing fake codes over yours
- Limited email security — many SMBs use basic email filtering that cannot analyze QR code images for embedded URLs
- Low awareness — most cybersecurity training programs have not yet caught up to the quishing threat
How to Protect Your Business from Quishing
Defending against QR code attacks requires a combination of technology, policy, and employee awareness. Here are practical steps you can implement right away:
Train Employees to Treat QR Codes Like Unknown Links
The most important step is shifting how your team thinks about QR codes. Just as employees should not click unknown links in emails, they should not blindly scan QR codes — especially those received via email, found in unexpected physical mail, or placed in public spaces. Train your team to:
- Preview the URL before opening it (most phone camera apps show the decoded URL before navigating; treat a shortened link, which hides the final destination, as unverified)
- Check that the domain matches the expected organization
- Be suspicious of QR codes that create urgency ("Scan immediately to avoid account suspension")
- Never enter credentials on a page reached via QR code without verifying the URL
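The checklist above, as code. This is an added example written for this article, not code from the original page or from any scanner product. It assumes the QR image has already been decoded to a string (by a phone camera app, or server-side with a decoder such as zbar) and takes that string plus the domain the employee expected; the shortener list, the brand list and the sample payloads in it are constructed for illustration. It also handles payloads that are not URLs at all (Wi-Fi settings, tel:, sms:), which a person rarely thinks to check, and it is the same kind of check an email filter that decodes QR images applies to the extracted URL.

```python
"""Triage a decoded QR payload before anything is opened.
Added example for this article, not code from the original page or any
scanner product. Decoding the image to a string is assumed to have happened
already; the lists and sample payloads below are constructed for illustration."""

import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed list. A shortened link defeats "preview the URL": the preview
# shows the shortener, not where it forwards.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd", "qrco.de"}

# Constructed list of brand names that attackers put into look-alike hosts.
IMPERSONATED_BRANDS = ("microsoft", "office", "paypal", "docusign", "dhl")

SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")


@dataclass
class Verdict:
    payload: str
    kind: str                       # "url", "wifi", "contact", "other", "text"
    risky: bool = False
    reasons: List[str] = field(default_factory=list)

    def flag(self, reason: str) -> None:
        self.risky = True
        self.reasons.append(reason)


def registrable_domain(host: str) -> str:
    """Crude guess at the registrable domain (last two labels). Enough for
    these checks; a production filter should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None) -> Verdict:
    """Describe what scanning this payload would do and which checks it fails."""
    p = payload.strip()
    m = SCHEME_RE.match(p.lower())
    if not m:
        return Verdict(p, "text", reasons=["plain text, nothing is opened"])
    scheme = m.group(1)

    # A QR code need not carry a URL: it can push Wi-Fi settings or start a
    # call, SMS or email. None of these belong in an "account verification".
    if scheme == "wifi":
        v = Verdict(p, "wifi")
        v.flag("joins the phone to a network chosen by whoever made the code")
        return v
    if scheme in ("tel", "sms", "smsto", "mailto"):
        v = Verdict(p, "contact")
        v.flag(f"starts a {scheme}: action instead of opening a page")
        return v
    if scheme not in ("http", "https"):
        v = Verdict(p, "other")
        v.flag(f"unexpected scheme '{scheme}:'")
        return v

    v = Verdict(p, "url")
    parts = urlsplit(p)
    host = (parts.hostname or "").lower()
    if not host:
        v.flag("no host in URL")
        return v
    if scheme == "http":
        v.flag("plain http; anything typed into the page travels unencrypted")
    if parts.username is not None:
        # https://login.microsoftonline.com@198.51.100.7/ : the browser treats
        # everything before '@' as a username and connects to the real host.
        v.flag(f"'{parts.username}@' in front of the real host {host}")
    try:
        ipaddress.ip_address(host)
        v.flag("raw IP address instead of a domain name")
    except ValueError:
        pass
    if "xn--" in host:
        v.flag("punycode label (possible homoglyph of a familiar domain)")
    if host in SHORTENERS:
        v.flag("link shortener: the final destination is not visible")

    reg = registrable_domain(host)
    if expected_domain and reg != expected_domain.lower():
        v.flag(f"registrable domain is '{reg}', expected '{expected_domain.lower()}'")
    for brand in IMPERSONATED_BRANDS:
        if brand in host and brand not in reg:
            # login.microsoft.com.verify-account.example: the brand is only a
            # subdomain label; the owner is verify-account.example.
            v.flag(f"'{brand}' appears in a subdomain of '{reg}'")
    return v


if __name__ == "__main__":
    samples = [  # constructed payloads, as a scanner might decode them
        ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", "microsoftonline.com"),
        ("https://login.microsoft.com.verify-account.example/session", "microsoftonline.com"),
        ("https://login.microsoftonline.com@198.51.100.7/auth", "microsoftonline.com"),
        ("https://bit.ly/3xyz", None),
        ("WIFI:T:WPA;S:FreeCafe;P:hunter2;;", None),
    ]
    for payload, expected in samples:
        verdict = triage_qr_payload(payload, expected)
        print("RISKY" if verdict.risky else "ok   ", verdict.kind, payload)
        for reason in verdict.reasons:
            print("        -", reason)
```

The userinfo case is the one to show in training: `https://login.microsoftonline.com@198.51.100.7/auth` reads as a Microsoft host to a hurried eye, but the browser treats everything before the `@` as a username and connects to the IP address. A scanner preview that shows only the first part of a long URL hides exactly this, which is why the checklist says to check the domain, not just glance at the link.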
Use a QR Code Scanner with Security Features
Some mobile security applications and QR scanners check the decoded URL against databases of known malicious sites before opening it. These catch reused attacker infrastructure but not a domain registered an hour ago, so they complement the manual domain check rather than replace it. Recommend or require these tools for employees who need to scan QR codes as part of their work.
Protect Your Own QR Codes
If your business uses QR codes for payments or customer interactions, take steps to prevent tampering:
- Regularly inspect physical QR codes for stickers placed on top of them
- Use tamper-evident materials when printing QR codes for public display
- Consider dynamic QR codes (codes that point at a redirect you control) so you can change the destination without reprinting and watch scan volumes; a code that usually gets scans and suddenly gets none has probably been covered over. Protect the redirect account with MFA, because whoever controls it controls every printed code
- Print your website URL alongside QR codes so customers can type it manually if they prefer
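An added example, not the article's code and not any QR vendor's API, of what "monitor for unusual scanning patterns" can mean in practice. It assumes the dynamic codes resolve through a redirector you run that logs one line per scan as `<ISO timestamp> <code_id> <client_ip>`; the log lines, code names and thresholds are constructed for illustration. The point it makes beyond the bullet: a sticker placed over your code does not show up as something in your logs, it shows up as the absence of something, so the useful alert is a code that normally gets scanned and went quiet, while a low-traffic code that has a quiet day must not page anyone.

```python
"""Flag a dynamic QR code that has gone quiet, from the redirector's scan log.
Added example for this article, not its code and not any QR vendor's API.
Assumes a redirector you run that logs one line per scan as
"<ISO timestamp> <code_id> <client_ip>"; the log is constructed below."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

DAY = timedelta(days=1)
SAMPLE_NOW = datetime(2025, 6, 10, 18, 0)   # constructed "current time"


@dataclass
class Anomaly:
    code: str
    kind: str        # "drop" or "spike"
    baseline: float  # mean scans per day over the baseline window
    today: int       # scans in the most recent 24 hours


def parse_scan_log(lines: Iterable[str]) -> Dict[str, List[datetime]]:
    """Group scan timestamps by code id; malformed lines are skipped."""
    scans: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        scans[parts[1]].append(ts)
    return scans


def find_anomalies(scans, now, baseline_days=7, min_baseline=5.0, spike_factor=5):
    """Compare each code's last 24 hours with its mean over the previous
    baseline_days. Zero scans on a code that normally gets plenty is what a
    sticker over the code (or a removed sign) looks like from the server side.
    A large spike is flagged too, so someone checks where the code is spreading."""
    found = []
    for code, stamps in sorted(scans.items()):
        buckets = [0] * (baseline_days + 1)          # buckets[0] = last 24h
        for ts in stamps:
            age = (now - ts) // DAY                   # whole days ago
            if 0 <= age <= baseline_days:
                buckets[age] += 1
        today = buckets[0]
        baseline = sum(buckets[1:]) / baseline_days
        if baseline >= min_baseline and today == 0:
            found.append(Anomaly(code, "drop", baseline, today))
        elif today >= 10 and today > spike_factor * baseline:
            found.append(Anomaly(code, "spike", baseline, today))
    return found


def build_sample_log(now: datetime = SAMPLE_NOW) -> List[str]:
    """Constructed log. 'lobby-menu' normally gets 6 scans a day and got none in
    the last 24h; 'parking-pay' is steady; 'flyer-promo' is low-traffic, so a
    quiet day there proves nothing and must not alert."""
    profile = {"lobby-menu": (6, 0), "parking-pay": (4, 4), "flyer-promo": (2, 0)}
    lines = []
    for code, (per_day, today) in profile.items():
        for age in range(1, 8):                       # the 7 baseline days
            for h in range(per_day):
                ts = now - timedelta(days=age, hours=9 + h)
                lines.append(f"{ts.isoformat()} {code} 203.0.113.{10 + h}")
        for h in range(today):                        # the last 24 hours
            ts = now - timedelta(hours=2 + h)
            lines.append(f"{ts.isoformat()} {code} 203.0.113.{20 + h}")
    return lines


def demo(now: datetime = SAMPLE_NOW) -> List[Anomaly]:
    """Run the check over the constructed log."""
    return find_anomalies(parse_scan_log(build_sample_log(now)), now)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.code}: {a.kind} (baseline {a.baseline:.1f}/day, last 24h {a.today})")
```

Run daily, this produces one line for the lobby menu code and nothing for the other two. The `min_baseline` floor is the part worth tuning: set it from your own traffic, or a code on a quiet back door will alert every weekend. If the redirector also records the destination it served, compare that against your registry in the same job, since a changed destination means the redirect account itself has been tampered with.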
Upgrade Your Email Security
Look for email security solutions that can analyze images within emails, including QR codes. Advanced solutions can extract URLs from QR code images and check them against threat databases, just as they would with text-based links.
Implement Mobile Device Security
Ensure company phones — and personal phones used for work — have mobile threat defense software installed. These tools can warn employees before they navigate to known malicious websites, even if the URL came from a QR code.
What to Do If Someone Scans a Suspicious QR Code
If an employee thinks they may have scanned a malicious QR code, act quickly:
- Do not enter any information — if the page is asking for credentials or payment details, close it immediately
- Disconnect from the internet — if the page downloaded or tried to install something (an app package or a configuration profile), put the phone in airplane mode and do not open or install it
- Change compromised credentials — if any login information was entered, change those passwords immediately from a different device, sign out all active sessions for the account, and check it for MFA methods or mail-forwarding rules the attacker may have added
- Scan the device for malware — run a mobile security scan to check for anything that may have been installed
- Report the incident — notify your IT support or security team so they can investigate and warn others
- Monitor accounts — watch for unauthorized access on any accounts that may have been exposed
Actionable Next Steps
Quishing is one of the fastest-growing cyber threats because it exploits trust that most people do not even think about. Here is how to get ahead of it:
- Add QR code safety to your next security awareness training session
- Create a simple policy: never scan QR codes received via email without verifying the sender through another channel
- Audit your own QR codes — check any physical QR codes your business displays for tampering
- Evaluate whether your email security can detect malicious QR codes in image attachments
- Encourage employees to preview URLs before opening them after scanning
- Consider deploying mobile threat defense on company-managed devices
QR codes are convenient, and they are not going away. But convenience should never come at the cost of security. By teaching your team to approach QR codes with the same healthy skepticism they apply to email links, you can enjoy the benefits while avoiding the traps.