
Quishing: How QR-Code Phishing Slips Past Your Email Security
QR codes are everywhere now: restaurant menus, car parks, posters, payment terminals and delivery slips. That everyday familiarity is exactly what attackers are exploiting. A fast-growing technique known as quishing (QR-code phishing) hides a malicious web link inside a printed or on-screen square, and it is quietly slipping past the email defences most organisations depend on.
The short version: a quishing email carries its malicious link inside a QR image rather than as clickable text, so the URL-scanning filters at your email gateway have nothing to inspect. When the victim scans the code, the attack jumps to their personal phone, outside corporate filtering, VPN and endpoint protection, and on to a fake login page. Microsoft recorded a 146% rise in QR-code phishing in early 2026. The countermeasures are well understood, but they have to work at both ends: the email gateway and the person holding the phone.
Why quishing is surging right now
This is one of the fastest-moving trends in email crime. In its early-2026 email threat analysis, Microsoft reported examining more than 8.3 billion phishing threats in a single quarter, and found that messages using QR codes climbed from 7.6 million in January to 18.7 million in March, a 146% jump in eight weeks. The reason is simple economics: as filters became better at catching malicious links and attachments, attackers pivoted to a format those filters struggle to read.
It is not only criminal gangs. The FBI and CISA have warned that state-linked actors have embedded malicious QR codes in targeted spear-phishing against government bodies, think tanks and academics. And the scale of the wider problem is stark: the UK’s National Cyber Security Centre reported that its takedown service removed more than 1.2 million phishing campaigns in the past year. Underpinning all of it is the human factor. Verizon’s 2025 Data Breach Investigations Report found that roughly 60% of breaches still hinge on a person being tricked or making a mistake, and a QR code is a remarkably efficient way to prompt exactly that.
Why a QR code is such an effective disguise
Quishing works because it defeats several defences at once, without needing anything technically clever.
It hides the link from your filters
A QR code is just an image. The malicious address is encoded as a pattern of squares, not written as text, so the gateway scanning your email for dodgy links and attachments sees a harmless picture and lets it through.
It moves the victim to a device you do not control
People scan QR codes with the phone in their pocket, which is usually a personal one. In a single scan the attack leaves your managed environment, with no corporate web filtering, no VPN and no endpoint protection, and lands somewhere your security team has no visibility.
It exploits habit
We have been trained to scan QR codes without a second thought. And unlike a suspicious link on a computer, you cannot hover over a printed square to preview where it really goes.
How a quishing attack unfolds
From the victim’s side, nothing feels unusual:
- A believable message arrives. Often a security-flavoured lure, such as “your multi-factor authentication has expired, re-enrol by scanning this code”, or an invoice, payslip or e-signature request.
- The QR code carries the payload. Because the link is inside the image, the email sails past filters and reaches the inbox.
- The victim scans with a phone. The attack jumps to a personal device, beyond corporate controls.
- A look-alike page harvests the details. The phone opens a convincing fake sign-in page that captures the password and, increasingly, relays the MFA code through a live proxy to steal the session outright.

Where you will run into them
Quishing is not confined to the inbox. Watch for it across several channels:
- Emails dressed up as MFA re-enrolment, HR or payroll notices, shared documents and e-signature requests.
- PDF and image attachments with the code embedded inside, adding a layer that basic scanning often misses.
- The physical world, where fraudulent stickers are placed over genuine codes on parking meters, posters and leaflets, so even a legitimate-looking sign leads somewhere hostile.
- Invoices and payment requests, where a scan leads to a fake payment portal rather than a login page.
The warning signs worth sharing with staff
- An unexpected code that asks you to log in. Being pushed to authenticate after scanning, especially for something you did not request, is the clearest red flag.
- Urgency and authority. “Your account will be locked”, expiring MFA and overdue invoices are the recurring lures because they rush people past their judgement.
- A mismatched address after scanning. Most phones preview the URL before opening it; if the domain is not exactly right, stop.
- A physical code that looks tampered with. A sticker over an existing code, or one in an odd place, deserves suspicion.
What actually stops quishing
No single control is enough, but layered together they close the gap at both ends of the attack.
1. Inspect QR codes at the email gateway
Modern email security can render the image, extract the encoded URL and check it against the same reputation and sandboxing you already apply to links. Turning this on removes the core advantage quishing relies on.
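As an added illustration of what gateway-side QR inspection amounts to (example code written for this article, not any product's own): the message is walked part by part, image attachments go through a QR decoder, and whatever URL comes out is judged by the same rule a plain text link gets. The brand/domain lists, the sample email and the decoder are assumptions; a real deployment would plug in zbar or a similar library and its own reputation feed in place of the stand-in.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed policy data (assumption): brands that recur in login lures and the domains
# they really use. A host naming a brand that is not one of its domains is a look-alike.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def classify_url(url: str) -> str:
    """One reputation rule, whether the link arrived as text or out of a QR image."""
    host = (urlparse(url).hostname or "").lower()
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host:
            if any(host == d or host.endswith("." + d) for d in legit):
                return f"legitimate:{brand}"
            return f"lookalike:{brand}"
    return "unclassified"

def scan_message(raw: bytes, decode_qr) -> dict[str, str]:
    """Walk every MIME part: text parts yield links directly, image parts go via decode_qr(bytes) -> [str]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
        elif part.get_content_maintype() == "image":
            for payload in decode_qr(part.get_payload(decode=True)):
                urls.extend(URL_RE.findall(payload))  # payload may be a bare URL or text
    return {u: classify_url(u) for u in urls}

# Constructed sample: an "MFA expired" lure whose only malicious link is inside the image.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n<constructed placeholder, not a real PNG>"
LURE_URL = "https://login.microsoft-mfa-reenrol.example/verify"

def build_sample_email() -> bytes:
    msg = EmailMessage()
    msg.set_content("Scan the attached code to re-enrol. Help: https://support.microsoft.com/")
    msg.add_attachment(SAMPLE_IMAGE, maintype="image", subtype="png", filename="mfa-qr.png")
    return msg.as_bytes()

def demo_decoder(image_bytes: bytes) -> list[str]:
    """Stand-in for a real decoder such as zbar (assumption); it knows only the sample image."""
    return [LURE_URL] if image_bytes == SAMPLE_IMAGE else []
```

Without the decoder step the lure passes with only the legitimate support link on record, which is exactly the blind spot the text describes.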
2. Move to phishing-resistant MFA
Because the endgame is stolen credentials or a stolen session, FIDO2 security keys and passkeys are the strongest backstop. They are bound to the genuine web address, so a look-alike page reached from a scanned code has nothing worth stealing. Prioritise administrators and other high-value accounts.
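To make the origin binding concrete, an added example (not from the article or any FIDO library) of the relying-party checks that tie a passkey assertion to the genuine address: the browser writes its own origin into clientDataJSON and the authenticator prefixes its output with a hash of the RP ID, so a look-alike host cannot produce either. The origin, RP ID and challenge values are constructed, and the signature check that follows these steps is omitted.

```python
import hashlib
import json

# Relying-party configuration (constructed assumption): the only origin and RP ID this
# server accepts. The browser, not the page it shows, writes the origin into clientDataJSON.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"

def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: str) -> tuple[bool, str]:
    """Origin and RP-ID checks of WebAuthn assertion verification. The signature over
    authenticatorData || SHA-256(clientDataJSON) is checked after these and is left out."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed stand-in for what the browser serialises as clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; real challenges are fresh random bytes

def genuine_assertion() -> tuple[bool, str]:
    return verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                                    make_auth_data(RP_ID), CHALLENGE)

def relayed_from_lookalike() -> tuple[bool, str]:
    """Best case for a live proxy on a look-alike host: origin and rpIdHash name that host."""
    phish_host = "login.example-mfa-renewal.com"
    return verify_assertion_binding(make_client_data("https://" + phish_host, CHALLENGE),
                                    make_auth_data(phish_host), CHALLENGE)
```

In practice the browser on the look-alike page refuses to use the genuine RP ID at all, since it is not a registrable suffix of that page's domain, so the proxy usually gets no assertion to relay in the first place.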
3. Bring mobile devices into scope
Since the attack lands on a phone, extend your thinking beyond the desktop: mobile device management and mobile threat defence on corporate handsets, and clear guidance that work-related codes should not be scanned on unmanaged personal devices.
4. Verify before you act
Encourage staff to read the URL preview before opening it, and to reach important services, such as a bank, Microsoft 365 or an e-signature provider, through a saved bookmark or the official app rather than a code someone sent them.
5. Train, simulate and make reporting easy
Awareness is what closes the final gap. Regular, realistic simulations, including QR-code lures, keep the instinct sharp, and a simple one-click way to report a suspicious message turns your staff into an early-warning system.
The bottom line
Quishing is a neat reminder that attackers do not need new technology to get ahead, just a format your defences were not built to read. The good news is that the fix is not exotic: inspect QR codes where email arrives, adopt phishing-resistant authentication so a stolen password is worthless, and help your people treat an unexpected code with the same caution as an unexpected link. Do that, and a scan that would once have started a breach becomes a non-event.
Sources: Microsoft email threat landscape analysis, Q1 2026; FBI and CISA advisories on QR-code spear-phishing; NCSC Annual Review 2025; Verizon 2025 Data Breach Investigations Report.
Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.
Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
