Quishing (QR Code Phishing)
What is Quishing (QR Code Phishing)?
Quishing (QR Code Phishing)A phishing technique that uses a QR code instead of a clickable link to send victims to a credential-harvesting or malware page.
Quishing — short for QR phishing — places a malicious QR code in an email, PDF, poster, parking sign, or restaurant flyer. When the victim scans it with a phone camera, the device opens an attacker-controlled URL outside the controls of corporate email gateways and endpoint browsers. Because QR codes are images, traditional URL filters and DMARC checks frequently miss them, and personal phones are often unmanaged. Quishing surged in 2023 as attackers used it to bypass safe-link rewriting in Microsoft 365 phishing campaigns and to attach fake "MFA enrolment" PDFs. Defences include QR-aware email filtering, mobile MDM with web protection, user training, and verifying every QR URL before entering credentials.
● Examples
- 01
An email PDF asks the recipient to scan a QR code to "re-authenticate Microsoft 365", leading to a fake Entra ID login.
- 02
A fraudulent sticker placed over a city parking-meter QR code redirects payment to an attacker's wallet.
● Frequently asked questions
What is Quishing (QR Code Phishing)?
A phishing technique that uses a QR code instead of a clickable link to send victims to a credential-harvesting or malware page. It belongs to the Attacks & Threats category of cybersecurity.
What does Quishing (QR Code Phishing) mean?
A phishing technique that uses a QR code instead of a clickable link to send victims to a credential-harvesting or malware page.
How does Quishing (QR Code Phishing) work?
Quishing — short for QR phishing — places a malicious QR code in an email, PDF, poster, parking sign, or restaurant flyer. When the victim scans it with a phone camera, the device opens an attacker-controlled URL outside the controls of corporate email gateways and endpoint browsers. Because QR codes are images, traditional URL filters and DMARC checks frequently miss them, and personal phones are often unmanaged. Quishing surged in 2023 as attackers used it to bypass safe-link rewriting in Microsoft 365 phishing campaigns and to attach fake "MFA enrolment" PDFs. Defences include QR-aware email filtering, mobile MDM with web protection, user training, and verifying every QR URL before entering credentials.
How do you defend against Quishing (QR Code Phishing)?
Defences for Quishing (QR Code Phishing) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Quishing (QR Code Phishing)?
Common alternative names include: QR phishing, QRishing.
● Related terms
- attacks№ 821
Phishing
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- attacks№ 1059
Smishing
Phishing delivered via SMS or other mobile-messaging channels to trick victims into clicking malicious links, calling fraudulent numbers, or revealing data.
- attacks№ 140
Callback Phishing
A two-stage phishing attack in which a benign-looking email persuades the victim to call a phone number, where a human operator then walks them into installing malware.
- identity-access№ 230
Credential Harvesting
The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale.
- attacks№ 1065
Social Engineering
The psychological manipulation of people into performing actions or disclosing confidential information that benefits an attacker.