In today's contactless world, QR codes have become our digital shortcuts: scanning them gets us restaurant menus, payment gateways, event check-ins, and more, all with a quick flick of the phone. But as we embrace their convenience, a new cyber threat is emerging: Quishing, a blend of QR and phishing.
Phishing is a type of cybercrime where attackers try to fool you into giving up sensitive data, like your passwords, credit card numbers, or login credentials, by pretending to be someone you trust. These scams often come disguised as emails, texts, or phone calls that look legitimate. You might receive a message claiming your account has been compromised or urging you to verify personal details. The urgency creates panic, making you more likely to click on a malicious link or provide sensitive information without thinking twice.
Once you fall for it, the attacker may gain access to your accounts, steal your identity, or even use your information to scam others. Phishing relies on social engineering, playing with human emotions like fear, urgency, or curiosity, to trick its victims.
A QR code (Quick Response Code) is a modern barcode, a square-shaped pattern of black and white pixels that can store a lot of data. Unlike traditional barcodes that store information in one direction, QR codes hold data both horizontally and vertically, which allows them to pack in much more information.
They were invented in the 1990s by a Japanese company to track car parts but have since found their way into daily life. Scan one with your smartphone, and it can take you to a website, download an app, show contact details, or even connect you to Wi-Fi, all in seconds. Their convenience, versatility and speed have made them almost invisible in our day-to-day routines. And that's exactly where the danger lies.
Why is QR Code Phishing on the rise?
QR Code Phishing or "Quishing" has rapidly become a favored tactic among cybercriminals. But what makes this method so appealing and effective? Let's find out:
- QR Codes stay under the radar of traditional email security
Unlike suspicious links or keywords, QR codes appear as harmless images to most legacy email security systems. This allows them to bypass spam filters with ease. Since there's no visible URL or flagged language, these messages often go undetected and unchallenged.
- People trust them
From scanning restaurant menus and checking into events to making payments or viewing ads, QR codes have become an everyday convenience. Their ubiquity creates a sense of trust and familiarity. So, when users see one in an email, they’re less likely to question it, and more likely to scan without thinking twice, even if it’s a trap.
- Protection is weaker
One of the most strategic aspects of QR-based phishing is that it moves the attack off the secure email environment and onto the user's mobile device. Smartphones typically lack the layered security, monitoring, and threat detection tools that are standard in enterprise cloud systems. Once the user scans the code, they're often taken to a malicious site or prompted to download malware, all outside the reach of traditional workplace protections.
Behind the Scan: How Quishing really works
In a typical quishing attack, a cybercriminal generates a QR code that links to a malicious website. Instead of sending a suspicious-looking URL directly (which might raise red flags), the attacker hides the link inside a QR code. The trick: Making the victim scan it. That's where social engineering comes in. You might see this QR code printed on a flyer offering free Wi-Fi, shared in a social media post promising exclusive discounts, or even in an email claiming to give you access to an encrypted voice message, or the chance to win a prize.
Once the QR code is scanned using a smartphone camera, the user is redirected to the attacker's website. This site may look completely legitimate, mimicking a login page or a trusted service. Here, the user might be asked to enter personal data: full name, email, login credentials, financial information, or even their date of birth. Some sites prompt users to download an app, except this app is malware in disguise. It could be anything from a keylogger (to steal everything typed on the phone) to a backdoor that gives hackers remote access.
And it doesn't stop there. Some Quishing schemes even aim to recruit devices into a botnet, a network of infected devices used to launch cyber-attacks on other systems, like DDoS attacks.

Latest Scammer Tactics: Quishing Methods You Need to Know
Crank up the pressure
One of the most common tactics is to inject a sense of urgency into the message. Victims receive an email that appears to come from a credible source, like their IT department, bank, or favorite service, urging them to scan a QR code immediately. The message might hint at account suspensions, expiring passwords, or missed security alerts. Under pressure, users are far more likely to act without pausing to question the authenticity.
Disguise as someone you trust
In another approach, attackers mimic well-known brands or institutions with impressive precision. Logos, email signatures, and layout designs are cloned to perfection to make the email look legitimate. In more dangerous scenarios, attackers don't need to fake anything: they simply hijack a real company email account. Once inside, they send QR-based phishing messages directly from the official domain, bypassing the usual red flags.
Hide the trap in plain sight
Some cybercriminals avoid placing the QR code in the body of the email altogether. Instead, they embed it within image attachments like PDFs or JPEGs. These attachments may come with minimal or completely blank message bodies, reducing the chance of being flagged by spam filters. Since many email scanners don't yet analyze the content of image files, this method helps attackers sneak their malicious codes right into your inbox.
Use redirection to evade detection
Modern QR-scanning apps often display the destination URL before opening it. But attackers have found ways around this. By using redirect chains, they can initially point the scan to a trusted domain, only to reroute the user to a fake site, or a cleverly misspelled version of a legitimate one (a technique known as typosquatting). This helps attackers dodge suspicion and trick even cautious users into trusting the destination.
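A static check that a mail gateway or scanner app could run on the URL decoded from a QR code, looking for the two tricks described above: a destination carried in a redirect parameter and a lookalike domain. This is an added example, not code from the original article; the allow-list, sample URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: a constructed allow-list; a real deployment would load its own.
TRUSTED = {"contoso.com", "example-bank.com"}

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(url):
    """Last two host labels; naive, ignores multi-label suffixes such as co.uk."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def nested_urls(url):
    """Absolute URLs carried in query parameters (the open-redirect shape)."""
    values = (v for _, v in parse_qsl(urlsplit(url).query))
    return [v for v in values if v.lower().startswith(("http://", "https://"))]

def assess(url, depth=0):
    """Findings for a URL decoded from a QR code; an empty list means no flags."""
    dom, findings = base_domain(url), []
    if dom not in TRUSTED:
        near = sorted(t for t in TRUSTED if edit_distance(dom, t) <= 2)
        findings.append(f"lookalike of {near[0]}: {dom}" if near
                        else f"untrusted domain: {dom}")
    for inner in (nested_urls(url) if depth < 3 else []):
        if base_domain(inner) != dom:
            findings.append(f"redirect parameter leaves {dom}")
            findings += assess(inner, depth + 1)
    return findings

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://portal.contoso.com/benefits",
    "https://login.cont0so.com/mfa-setup",
    "https://www.contoso.com/out?next=https%3A%2F%2Fcont0so.com%2Flogin",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", assess(s) or "no flags")
```

The check only sees redirects that are visible in the URL itself; chains built from server-side redirects have to be followed in a sandbox before the final domain can be judged.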
Exploiting Cryptocurrency Hype Through Malicious QR Codes
Attackers are increasingly weaponizing QR codes in cryptocurrency scams. One such tactic involves luring users to scan QR codes that promise free tokens or reduced mining fees, which instead lead to counterfeit crypto wallet apps. These fake apps are designed to harvest sensitive information or steal funds once installed, exploiting users' trust and eagerness to gain crypto rewards.
Another dangerous variant uses QR codes to trick users into unknowingly approving malicious token transactions. By disguising the intent behind the QR code, attackers can gain authorization to move assets from a victim's wallet without further interaction. This method has been cited in numerous incident reports as a leading cause of major crypto thefts, underscoring how QR code-based phishing is evolving alongside digital finance.
Quishing in the Wild: Real attacks that have already happened
Quishing isn't a distant threat; it's happening here and now. Security researchers and organizations have reported numerous cases where QR codes were successfully used in real phishing campaigns. Below are a few verified examples of how attackers are actively exploiting QR codes in the real world.
Fake Microsoft MFA setup request
In one observed campaign, attackers impersonated Microsoft and sent out emails asking users to complete their multi-factor authentication (MFA) setup. The message included a QR code that, when scanned, redirected the user to a fake login page. The goal? Steal corporate credentials under the guise of boosting account security.

Fraudulent DocuSign contract
Another real attack mimicked DocuSign, the popular digital document signing platform. The victim received what looked like a genuine contract notification via email, including a QR code to "review and sign" the document. Instead of opening a secure file, the scan led to a phishing site designed to collect login credentials.

HR Scam: Salary and Benefits Update
In this instance, attackers targeted employees with a convincing email about updated salary details and benefits packages. The message instructed them to scan a QR code using their smartphone for more information. Once scanned, the QR code led to a counterfeit HR portal aimed at stealing sensitive employee data.

Exploiting QR Code Infrastructure in Bike-Sharing Systems
In a notable incident involving bike-sharing services in China, attackers exploited the payment infrastructure by tampering with the QR codes affixed to the bikes. These malicious actors replaced the legitimate payment codes with fraudulent ones, redirecting users' payments to attacker-controlled accounts. As a result, unsuspecting users unknowingly paid the scammers but were unable to unlock the bikes, effectively falling victim to a seamless and low-effort phishing scheme rooted in physical QR code manipulation.
Weaponizing QR Scanner Apps for Malware Delivery
In mid-2021, a series of seemingly harmless QR code and barcode scanner apps were discovered in Google Play, later found to be linked to Anatsa banking malware. Although these apps have since been removed, they exemplify how attackers have evolved Quishing tactics by leveraging trusted platforms and user behavior.
The infection chain began immediately after installation, with the app coercing users into downloading a fake "mandatory update" under the pretense of continued functionality. Once the update was initiated, the app prompted users to enable the installation of apps from unknown sources. Relying on user trust and urgency, the malware tricked users into granting these permissions. Following installation, the app requested access to Android's Accessibility Services: a powerful set of controls often abused in mobile malware. Once granted, the malware had unrestricted control over the device, allowing threat actors to intercept sensitive data, perform unauthorized actions, and steal login credentials in real-time.
The Risks and Consequences of Quishing Attacks
For Individuals: Personal and Financial Harm
- Identity Theft: Stolen personal information like passwords and SSNs.
- Financial Loss: Fraudulent charges or unauthorized bank access.
- Device Control: Malware that allows attackers to monitor or steal private data.
For Organizations: A Financial Burden
- Loss of Customer Trust: Breached companies struggle to regain consumer confidence.
- Reputation Damage: Negative publicity can significantly harm brand perception.
- Legal Consequences: Organizations may face regulatory fines for insufficient data protection.
Spotting the Scam: How to detect a quishing attack
Detecting a QR code phishing (quishing) attack can be tricky, but being aware of the common signs and using the right tools can help prevent falling victim. Here are some key indicators and detection methods:
- Watch for phishing red flags like spelling errors, grammatical mistakes, and suspicious or lookalike email addresses.
- Be cautious of urgent or emotional language in emails urging immediate action, such as completing a payment or verifying an account via a QR code.
- Never trust QR codes in unexpected emails, especially if they come from unfamiliar senders or seem to appear out of nowhere.
- Avoid scanning QR codes from unknown sources like random flyers, posters, or unsolicited emails. Legitimate organizations rarely ask for QR scans without context.
- Be skeptical of unbelievable offers: anything promising a cash prize, salary increase, or exclusive reward through a QR code is likely bait.
- Look out for blank or vague emails that only contain an image.
- Use secure tools that scan QR codes and reveal the URLs behind them before opening any links. This helps you verify if a QR code is leading to a legitimate website.
- Advanced AI-based security systems can analyze an email's language and sender behavior, and decode embedded QR codes to check for malicious URLs.
- Behavioral detection tools can recognize unusual communication patterns and flag emails that deviate from the organization's normal activity.
- Training employees to recognize suspicious QR codes is still one of the most effective first lines of defense against these attacks.
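The "blank or vague email that only contains an image" indicator from the list above can be turned into a triage rule that decides which messages get their attachments decoded for QR codes. This is an added example, not code from the original article; the 40-character threshold, the sample message and the function names are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment types that can carry a QR code a text-only filter never reads.
CARRIER_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}

def triage(raw, min_text=40):
    """Summarise one raw message; min_text is an assumed tuning threshold."""
    msg = message_from_bytes(raw, policy=policy.default)
    text_chars, carriers = 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no content of their own
        ctype = part.get_content_type()
        if ctype in CARRIER_TYPES:
            carriers.append(part.get_filename() or ctype)
        elif ctype in ("text/plain", "text/html") and not part.is_attachment():
            body = part.get_content()
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)  # crude tag strip
            text_chars += len(body.strip())
    return {"text_chars": text_chars, "carriers": carriers,
            "image_only": bool(carriers) and text_chars < min_text}

def build_sample(body, with_image):
    """Constructed test message; the attachment bytes are a stand-in, not a real PNG."""
    m = EmailMessage()
    m["From"], m["To"] = "it-support@contoso.example", "user@contoso.example"
    m["Subject"] = "Action required"
    m.set_content(body)
    if with_image:
        m.add_attachment(b"\x89PNG constructed-bytes", maintype="image",
                         subtype="png", filename="scan-me.png")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("See attached.\n", True)))
```

Messages flagged `image_only` are the ones worth passing to a QR decoder and URL reputation check before delivery.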

Mapping Quishing to MITRE ATT&CK Tactics and Techniques
Mapping Quishing to the MITRE ATT&CK framework helps security teams identify and classify the specific tactics and techniques used in QR code phishing attacks. By aligning Quishing behaviors with ATT&CK, organizations can enhance threat detection, improve incident response, and apply targeted mitigations. This structured mapping supports better visibility into attack paths and strengthens defense strategies against evolving phishing threats.
Scan Smart, Stay Safe: Closing Thoughts
Phishing and social engineering continue to evolve, and attackers are becoming alarmingly creative, weaponizing even the most convenient tools we rely on daily, like QR codes. Our research reveals that malicious actors are leveraging QR codes not just to mask harmful URLs, but to complicate detection through open redirects, fake verification steps, and increasingly convincing disguises. These deceptive techniques blur the line between trust and trickery, making it harder for both users and security systems to differentiate between legitimate and malicious content. The surge in QR code phishing, especially in campaigns that exploit urgency or impersonate official communications, serves as a stark reminder of the sophistication today’s cybercriminals possess. To stay ahead, users need stronger awareness, and organizations must adopt smarter security controls to detect and block these modern phishing attempts. In today’s landscape, it’s not just about clicking with caution, it’s about scanning wisely.
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. Startups, product companies, and enterprises alike rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.