Quishing
What is Quishing?
QuishingPhishing that hides a malicious URL inside a QR code, prompting victims to scan it with a phone and visit a credential-harvesting or malware page outside corporate defenses.
Quishing (QR-code phishing) is a social-engineering attack in which a malicious link is encoded as a QR code rather than written as visible text. Because the URL is embedded in an image, it often slips past email link scanners and secure email gateways, and scanning typically shifts the victim onto a personal mobile device with weaker controls. Common lures include fake multi-factor-authentication setup notices, parcel-delivery or parking-payment requests, and stickers placed over legitimate codes on posters or restaurant tables. Defenses include image- and QR-aware email filtering, blocking attacker domains, phishing-resistant FIDO2 authentication, mobile threat defense, and user awareness about scanning unsolicited codes.
● Examples
- 01
An email impersonating IT asks employees to scan a QR code to "re-enable" Microsoft 365 MFA, leading to a fake login page that captures credentials and session tokens.
- 02
Attackers paste fraudulent QR-code stickers over legitimate ones on parking meters so drivers pay a spoofed site instead of the city.
● Frequently asked questions
What is Quishing?
Phishing that hides a malicious URL inside a QR code, prompting victims to scan it with a phone and visit a credential-harvesting or malware page outside corporate defenses. It belongs to the Attacks & Threats category of cybersecurity.
What does Quishing mean?
Phishing that hides a malicious URL inside a QR code, prompting victims to scan it with a phone and visit a credential-harvesting or malware page outside corporate defenses.
How does Quishing work?
Quishing (QR-code phishing) is a social-engineering attack in which a malicious link is encoded as a QR code rather than written as visible text. Because the URL is embedded in an image, it often slips past email link scanners and secure email gateways, and scanning typically shifts the victim onto a personal mobile device with weaker controls. Common lures include fake multi-factor-authentication setup notices, parcel-delivery or parking-payment requests, and stickers placed over legitimate codes on posters or restaurant tables. Defenses include image- and QR-aware email filtering, blocking attacker domains, phishing-resistant FIDO2 authentication, mobile threat defense, and user awareness about scanning unsolicited codes.
How do you defend against Quishing?
Defences for Quishing typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Quishing?
Common alternative names include: QR-code phishing, QR phishing.
● Related terms
- attacks№ 917
Phishing
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- attacks№ 1175
Smishing
Phishing delivered via SMS or other mobile-messaging channels to trick victims into clicking malicious links, calling fraudulent numbers, or revealing data.
- attacks№ 1333
Vishing
Phishing conducted over voice channels — phone calls or VoIP — to manipulate victims into revealing credentials, payments, or remote access.
- attacks№ 1192
Spear Phishing
A targeted phishing attack tailored to a specific individual or organization using personal or professional details collected in advance.
- attacks№ 1183
Social Engineering
The psychological manipulation of people into performing actions or disclosing confidential information that benefits an attacker.
- identity-access№ 253
Credential Harvesting
The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale.