Quishing — How QR Code Phishing Works and How to Spot It

QR codes have become a popular phishing vector because URL preview is unreliable on mobile. Here is how quishing campaigns work and what to check before you scan.

"Quishing" — QR-code phishing — barely existed as a category before 2022. By 2024 it appeared in every major email security vendor's top-five threat report. The reason is mostly behavioural: people scan QR codes without thinking, and the standard defences against URL phishing don't work when the URL is hidden inside a square of black-and-white pixels.

Why QR Codes Bypass Anti-Phishing

Email security gateways scan message bodies for suspicious links. They follow URLs, check reputation, render previews. If the link is delivered as a QR code embedded in an image, the gateway sees an image attachment with no text payload. Most filters can't (or until recently couldn't) decode QR codes inline at the speed required for production mail flow.

Meanwhile, the recipient opens the email on their work laptop, sees a QR code that says "Scan to update your Microsoft 365 credentials," and reaches for their phone. The phone is personal, not enrolled in the corporate MDM, and lacks the URL-rewriting protections the laptop has. The phishing page loads on a device that the corporate security team can't see.

The Standard Quishing Playbook

Most campaigns observed in the wild follow a pretty narrow template:

  • Email arrives spoofing a service the recipient uses — Microsoft, DocuSign, the company's own HR portal.
  • Body is mostly an image with minimal text. The image contains a QR code and a pretext: "Your password expires today," "Sign your benefits enrolment," "Voicemail attached."
  • Scanning leads to a credential-harvesting page that closely resembles a real login screen, often hosted on a recently-registered domain or a compromised legitimate site.
  • Stolen credentials are tested immediately against M365, Google Workspace, and VPN endpoints.

More targeted variants substitute the QR code into legitimate-looking documents (parking notices stuck on cars, fake parcel-delivery slips, restaurant table cards). Physical-world quishing is now the subject of an FTC consumer alert.

What the URL Preview Actually Shows You

Modern phone cameras display the destination URL before opening. This is the first line of defence, and it is weaker than people assume. Reasons it fails:

  • Long URLs are truncated. The visible part may be login.microsoft.com.update-account..., and the real registered domain sits in the tail that was cut off.
  • Homoglyph attacks. microsοft.com uses a Greek omicron. On a 4-inch preview, no human notices.
  • URL shorteners. The preview shows bit.ly/xyz123, which tells you nothing.
  • Open redirects. The visible domain is legitimate (google.com/url?q=…) but redirects to the attacker.
  • Tap-through fatigue. Users are conditioned to tap "Open" without reading.

Checks That Actually Work

Before scanning anything you didn't produce yourself:

  • Decode it without scanning. Save the image and run it through a QR decoder on your computer (this site has one). The full URL is then plain text in front of you, with all the indicators a normal phishing analysis would use.
  • Read the registered domain right-to-left. The real domain is the rightmost two labels: in login.microsoft.com.scam.ru, the domain is scam.ru. Everything to the left is window dressing.
  • Treat printed QR codes with extra suspicion. A QR code stickered onto a parking meter, restaurant table, or charging station can be replaced trivially. If there is a non-QR alternative (typing a URL, calling a number), use it.
  • Never authenticate from a QR code. If the destination asks for your password, MFA token, or payment details, treat that as a strong negative signal regardless of how the code arrived.
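As an added example (not code from this site), the Python below applies the checks from the two sections above to a URL that a desktop decoder has already extracted from the QR image: it reads the registered domain right-to-left, exposes homoglyphs through their Punycode form, and flags shorteners and open-redirect parameters. It goes slightly beyond the "rightmost two labels" rule by handling suffixes such as co.uk; the brand, shortener and suffix lists are small assumed samples, and a real deployment would use the Public Suffix List.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed sample lists (illustrative only); a real tool would load the
# Public Suffix List and a maintained shortener list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
BRANDS = {"microsoft", "docusign", "google"}   # services the article says get spoofed


def registered_domain(host: str) -> str:
    """Read right-to-left: the registrable domain is the last two labels,
    or the last three when the final two form a suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def analyse_qr_url(url: str) -> dict:
    """Apply the article's URL checks to a decoded QR payload."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    signals = []
    if parts.scheme not in ("http", "https"):
        signals.append(f"non-web scheme: {parts.scheme or 'none'}")
    # Homoglyphs: IDNA turns any non-ASCII label into an xn-- Punycode label,
    # so the Greek omicron in microsοft.com becomes impossible to miss.
    ascii_host = host.encode("idna").decode("ascii") if host else ""
    if ascii_host != host:
        signals.append(f"non-ASCII host, Punycode form: {ascii_host}")
    domain = registered_domain(ascii_host) if ascii_host else ""
    # A brand name present but not as the registered domain is window dressing.
    for brand in BRANDS:
        if brand in host and not domain.startswith(brand + "."):
            signals.append(f"'{brand}' appears left of the real domain {domain}")
    if domain in SHORTENERS:
        signals.append("URL shortener: destination unknown until followed")
    # Open redirect: a query value that is itself an absolute URL.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                target = registered_domain(urlsplit(value).hostname or "")
                signals.append(f"redirect parameter {key} -> {target}")
    return {"registered_domain": domain, "signals": signals}


if __name__ == "__main__":
    # Constructed sample payloads modelled on the article's examples.
    for sample in ("https://login.microsoft.com.scam.ru/reset",
                   "https://microsοft.com/login",
                   "https://bit.ly/xyz123",
                   "https://www.google.com/url?q=https://evil.example/login"):
        print(sample, analyse_qr_url(sample))
```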

Defences for Organisations

Mail gateways have caught up — most major vendors now decode QR codes inline and apply the same URL reputation checks they use for hyperlinks. If your organisation hasn't enabled this, do so. Beyond that:

  • Phishing-resistant MFA (FIDO2 / WebAuthn) defeats most quishing outcomes even if a user gives up their password.
  • Conditional-access policies that require a managed device for sensitive logins remove the "phone bypass" element of the attack.
  • User training that specifically covers QR codes — older training material doesn't mention them.

The Short Version

QR codes are URLs in an inconvenient wrapper. Treat every scan the same way you treat clicking a hyperlink in an email from a stranger: decode first, read the real domain, and never enter credentials on a page you arrived at by scanning. The pixel grid is not a separate medium with separate rules. It is a link.

References

  1. Cybersecurity and Infrastructure Security Agency. (2024). Phishing Guidance: Stopping the Attack Cycle at Phase One. CISA.
  2. Anti-Phishing Working Group. (2024). Phishing Activity Trends Report — Q4 2024. APWG.
  3. Federal Trade Commission. (2023). Avoid scams when you use QR codes. FTC Consumer Advice.
  4. Denso Wave Incorporated. (1994). QR Code: Quick Response Code — Original specification documents.