Network Brainiacs
Tip #9 · Phishing

Quishing: the QR code scam.

QR codes skip every anti-phishing filter because they're just images. A second of skepticism with your phone camera is worth millions in prevention.

QR codes have a superpower that attackers love: they sail through every email security filter because technically they're just images. No URL to scan, no link to analyze. You aim your phone at a picture, it opens a browser, and now you're on a website your company's security stack never got a chance to block.

Why phones are the soft target

Your corporate laptop is protected — EDR, DNS filtering, URL rewriting, phishing training. Your personal phone, which is what most people use to scan QR codes, has none of that. Attackers figured out that getting you to scan a QR code moves you from the armored vehicle to the bicycle in about two seconds.

Real examples we've blocked

An email claiming to be an MFA reset from Microsoft, with a QR code to "re-enroll your authenticator."

Red flag: Real Microsoft MFA enrollment happens inside your Microsoft account portal, not through a QR code in an email.

A sticker on a parking meter showing a QR code labeled "Pay here — contactless."

Red flag: Fake sticker placed over the real code. Took payments straight to an attacker's fake portal and captured card details.

A restaurant menu QR code replaced by an overlay directing diners to "verify your credit card."

Red flag: Real menus don't ask for card verification. The fake page harvested cards from dinner guests all weekend.

The two-second habit

Most phones show a preview of the URL before opening it. Look at it. If it doesn't match what you'd expect — microsoft.com, your city's parking site, the restaurant you're at — don't tap. That simple pause catches 99% of quishing attempts.
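The same preview check can be written as code for a tool that has already decoded the QR image to a URL string. This is an added example, not part of the original tip: the function name, the allowlist, and the sample URLs are constructed assumptions, and it goes a step beyond eyeballing the preview by also rejecting lookalike hosts, userinfo tricks, and punycode labels.

```python
from urllib.parse import urlsplit

# Assumed allowlist: domains the user would expect in this context.
# "parking.city.example" is a placeholder, not a real site.
EXPECTED = {"microsoft.com", "parking.city.example"}

def check_qr_url(decoded, expected=EXPECTED):
    """Return (ok, reason) for a URL string decoded from a QR code."""
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":  # urlsplit lowercases the scheme
        return False, "not https"
    # "https://microsoft.com@evil.example/" shows the trusted name first,
    # but the real host is whatever follows the "@".
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before host"
    host = (parts.hostname or "").rstrip(".")  # hostname is lowercased
    if not host:
        return False, "no host"
    # Internationalized labels can imitate Latin letters; flag for review.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host"
    for dom in expected:
        # Exact match, or a true subdomain ending in ".<dom>". A plain
        # endswith(dom) would wrongly accept "notmicrosoft.com".
        if host == dom or host.endswith("." + dom):
            return True, "matches " + dom
    return False, "unexpected host " + host

if __name__ == "__main__":
    samples = [  # constructed sample payloads
        "https://account.microsoft.com/security",
        "https://microsoft.com.mfa-reset.example/enroll",
        "https://microsoft.com@evil.example/",
        "http://microsoft.com/",
        "https://notmicrosoft.com/",
    ]
    for s in samples:
        print(check_qr_url(s), s)
```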

Train your team on this one.

Quishing is the fastest-growing phishing variant. A 15-minute team huddle covers it. We can run one for you.

Do this today
  1. Turn on URL previews in your phone's camera app — both iPhone and Android support it.
  2. Never scan a QR code for logins, MFA, or payments unless you know the exact destination.
  3. At parking meters and restaurants, check the physical sticker for tampering — corners peeling off are a red flag.
  4. Treat QR codes in emails the same as unknown links. Go to the service directly instead.
  5. Add quishing to your annual security training.

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
