What is Quishing (QR Phishing)?
In 2024, quishing attacks rose by over 40%, exploiting QR codes to bypass security. Defining quishing is important as they are still growing in 2025. Learn what quishing is, how it works, and how to prevent your organization from these threats
2024-01-29
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
In 2025, QR code phishing attacks, commonly known as quishing, have become one of the fastest-growing cyber threats. Cybercriminals are now targeting unsuspecting users by embedding malicious links inside QR codes, making them appear harmless and impossible to preview at first glance.
With more people using QR codes daily for everything from payments to restaurant menus, the rise of quishing should be on every CISO's radar.
This blog post will first define quishing attacks, then explain how these attacks work and reveal the strategies organizations can employ to prevent quishing.
Definition of QR Code Phishing
Defining quishing helps recognize the dangers of QR code phishing. Quishing, a combination of “QR code” and “phishing,” refers to a deceptive cyberattack tactic where malicious actors exploit QR codes to redirect users to fraudulent websites, harvest sensitive data, or install malware.
Unlike traditional phishing, which relies on email or text links, quishing leverages the perceived trustworthiness of QR codes—commonly used in menus, ads, and payment systems—to trick users into scanning compromised codes. These codes, often embedded in fake promotions, counterfeit packaging, or tampered public posters, direct victims to spoofed login pages or malicious downloads, putting personal information, financial accounts, and device security at risk.
How Quishing Works and How to Combat It
Quishing attacks thrive on social engineering, capitalizing on the convenience of QR codes to bypass user caution. For example, a scammer might replace a legitimate restaurant menu’s QR code with one leading to a phishing site mimicking a payment portal.
To mitigate risks, users should verify QR code sources, avoid scanning codes from untrusted locations, and use QR scanner apps with built-in security checks. Businesses can combat quishing by securing physical QR codes with tamper-proof labels and educating customers about this evolving threat. As QR code adoption grows, awareness and proactive cybersecurity practices are critical to thwarting quishing attempts.
How Does Quishing Work in 2025?
Quishing uses QR codes to deliver phishing attacks. Attackers embed malicious URLs in a QR code, which users scan with their smartphones. Unlike traditional phishing, QR phishing hides the link within the code, making it harder to spot. Once scanned, users are unknowingly directed to phishing sites or malicious downloads.
A typical quishing attack follows these steps:
- A QR code is placed in an email, website, or on a poster.
- The user scans it, thinking it's legitimate.
- It directs them to a phishing site disguised as a real login page.
- Attackers then collect credentials, banking details, or sensitive data.
Quishing attacks thrive on social engineering, capitalizing on the convenience of QR codes to bypass user caution. For example, a scammer might replace a legitimate restaurant menu’s QR code with one leading to a phishing site mimicking a payment portal.
These attacks often bypass email security filters, making QR phishing a growing concern in 2025.
How Quishing Differs from Traditional Phishing?
At its core, quishing is still phishing—but with a twist. Traditional phishing attacks rely on clickable links in emails or messages, which many email security gateways can now detect. With quishing, the malicious URL is encoded inside the QR code itself, bypassing these protections. The victim still interacts with a fake website, but the QR code adds an extra layer of deception.
Here are the key differences between quishing and traditional phishing:
- Hidden Links: In quishing, the malicious link is hidden in the QR code, making it impossible for users to preview or verify before scanning.
- Bypassing Secure Email Gateways: Traditional phishing relies on detectable URLs. Quishing evades many email security filters because the harmful link is embedded within the QR code. Learn more about how email security threats bypass defenses.
- Trust Factor: Many users have built trust with QR codes, especially post-pandemic, making them less cautious about scanning.
What Attack Types Are Executed With a Malicious QR Code?
Malicious QR codes can execute a variety of cyberattacks beyond just phishing:
- Redirect to phishing sites: Scanning the code sends users to a fraudulent website, where they may be tricked into entering login credentials or personal information.
- Malware downloads: Some QR codes can trigger automatic downloads, planting malware or ransomware on the device. Explore how ransomware attacks affect businesses.
- Device data extraction: Advanced quishing attacks may use QR codes to extract sensitive data directly from a device, such as location information or other private data.
How Do Scammers Use QR Codes?
Scammers use QR codes in several simple but sneaky ways. One common tactic is sending emails that look like they’re from trusted brands, asking you to scan a QR code for urgent updates or special deals. When you scan the code, it takes you to a fake website to steal your login details.
Scammers also put harmful QR codes on posters or flyers in public places. People scan them, thinking they’re getting something useful, but end up on a phishing site instead. Sometimes, scammers even change real ads by adding their own fake QR codes, tricking people into visiting dangerous websites.
How to Detect a Quishing Attack?
Detecting quishing attacks can be difficult, but there are some red flags to watch for:
- Unfamiliar sources: Be cautious of scanning QR codes from unverified sources or in unsolicited emails.
- Urgency: Just like in traditional phishing, quishing often uses language that creates a sense of urgency, such as “scan this code to verify your account” or “act within 24 hours.”
- Lack of context: If a QR code appears out of place or unnecessary, avoid scanning it. Always question why you’re being asked to scan a code.
- Preview the URL: Some QR scanners provide an option to preview the URL before navigating to the site. Always check the URL and ensure it’s legitimate.
How to Prevent a Successful Quishing Attack?
Preventing quishing attacks requires both individual awareness and organizational measures. Always verify the source of any QR code, especially if it comes through email or messaging platforms. If you're unsure, contact the sender directly to confirm its legitimacy.
Using trusted QR code scanners that preview the URL before opening the site is also important, as it helps identify phishing websites before you engage. Regular employee training is crucial to minimize risks. Tools like Keepnet’s Quishing Simulator can teach teams how to spot and avoid malicious QR codes, making security awareness training an essential defense.
Finally, implementing Multi-Factor Authentication (MFA) adds a protective layer, ensuring that even if login details are compromised, attackers cannot easily gain access. This approach reinforces your defenses against quishing and other phishing techniques.
Please watch this video from YouTube and learn more about quishing and how to protect yourself.
3 Reasons QR Code Phishing Attacks Are Growing in Popularity
The rapid rise of QR code phishing attacks can be attributed to several factors that make them attractive to cybercriminals. Here are three key reasons why these attacks are becoming more common:
- Widespread QR Code Adoption: The global pandemic fueled a surge in contactless transactions, making QR codes a go-to tool for everything from restaurant menus to payments. Phishing scams have taken advantage of this growing trend.
- Bypassing Security Measures: Unlike URLs, QR codes are not easily checked or previewed, allowing them to slip past email security filters and other detection systems.
- Ease of Creation: Crafting a malicious QR code requires little technical skill, enabling attackers to quickly set up phishing campaigns with minimal effort.
Real-life Examples of Quishing Attacks
In May 2023, a major QR code phishing attack targeted a U.S. energy company. Attackers sent fake Microsoft emails with QR codes, urging users to update security or enable multi-factor authentication (MFA). Scanning the code led victims to a fake Microsoft login page, compromising over 100 accounts.
Similarly, a FedEx quishing attack was discovered by Keepnet, where scammers tricked users into scanning a QR code, redirecting them to fake websites designed to steal personal and financial information.
Both attacks highlight how widespread industries and trusted brands are being exploited.
Stay Safe from QR Code Scams with Keepnet Extended Human Risk Management
To stay ahead of the growing threat of QR phishing, businesses must implement proactive security measures. Keepnet offers advanced tools like the Quishing Simulator, allowing organizations to simulate real-world quishing attacks and educate employees on identifying malicious QR codes. Keepnet phishing simulators further enhances your team’s ability to recognize and stop phishing threats before they escalate.
Train your employees to increase awareness by up to 90% with Keepnet’s Quishing Simulator. Empower your team to detect and avoid phishing attacks before they lead to costly breaches.
Explore Keepnet Extended Human Risk Management Platform and discover how our defense solutions can safeguard your business from phishing attacks.
Editor's note: This article was updated on February 13, 2025.
SHARE ON