Key Takeaways
- Quishing is QR code phishing — attackers embed malicious links inside QR codes that bypass standard email security filters entirely.
- QR code phishing attacks surged 400% between 2023 and 2025, and nearly 2% of all QR codes scanned today are malicious.
- Because QR codes are scanned on phones, victims are redirected to fake sites on mobile browsers where security warnings are harder to spot.
- Business executives are 42 times more likely to be targeted by quishing emails than regular employees.
- Three defenses that work: preview the URL before visiting, use a QR scanner with built-in link checking, and train employees to pause before scanning any unsolicited code.
What Is Quishing?
Quishing is a portmanteau of "QR code" and "phishing." The attack works exactly the way traditional phishing does — an attacker tricks you into visiting a fake website and handing over your credentials, payment information, or personal data — but instead of embedding a hyperlink in an email, the attacker encodes the malicious URL inside a QR code. You scan the code with your phone, your camera app reads the URL, and your mobile browser opens the fake site before you have had a chance to read the address.
The technique is not new, but it has grown dramatically. QR code phishing attacks increased by 400% between 2023 and 2025, according to Abnormal Security. A separate analysis found that nearly 2% of all QR codes scanned today are malicious — a figure that sounds small until you consider how many codes the average person scans in a month at restaurants, parking meters, trade shows, and in their email inbox.
Why Do QR Codes Work So Well for Attackers?
The effectiveness of quishing comes down to a fundamental mismatch between how people interact with QR codes and how they interact with links. When you hover over a hyperlink in an email, most email clients show you the destination URL in the status bar. That one-second preview has stopped countless phishing attempts. With a QR code, there is no hover state. You point your camera, the code resolves, and you are already in motion toward the destination before you have seen the address.
The mobile context makes this worse. On a desktop browser, a suspicious URL in the address bar is easy to read. On a phone, the address bar is small, often partially hidden, and users are accustomed to dismissing it. Attackers know this. They also know that mobile browsers tend to display fewer security warnings than their desktop counterparts, and that people scanning QR codes are typically in a hurry — at a restaurant, in a parking lot, at a conference — and not in a careful, skeptical mindset.
There is also a technical advantage for the attacker. Email security gateways and spam filters are highly effective at detecting malicious links embedded in message bodies. A QR code embedded in an image or PDF attachment contains no clickable URL for the filter to analyze. The malicious link is hidden inside a graphic, invisible to automated scanning tools. This is why 26% of phishing campaigns now use QR codes to deliver malicious links, and why researchers at Barracuda found over 500,000 emails containing phishing QR codes embedded in PDF attachments in a single analysis period.
Real-World Quishing Examples
Understanding quishing in the abstract is useful. Seeing how it plays out in practice is more useful still. The following examples illustrate the range of environments where these attacks occur.
Parking Meters
This is one of the most widely reported physical quishing attacks. Criminals print fake QR code stickers and place them over the legitimate payment codes on parking meters. A driver in a hurry scans the code, lands on a convincing fake payment page, enters their credit card number, and believes they have paid for parking. They have not — they have handed their card details to an attacker. This specific attack has been documented in cities across the United States, including San Francisco, where the city's transportation agency issued public warnings after multiple meters were compromised.
Restaurant Menus
After the pandemic accelerated the adoption of QR code menus, attackers began targeting restaurants by placing fake QR code stickers over the real ones on tables and entrance signs. The fake code leads to a site that mimics the restaurant's menu but prompts users to enter payment information to "pre-order" or "reserve a table." The restaurant has no idea the attack is happening.
Microsoft 2FA Reset Emails
The most common quishing attack in corporate environments does not involve a physical QR code at all. It arrives in an email that appears to come from Microsoft, warning the recipient that their two-factor authentication is expiring and must be reset immediately. The email contains a QR code. Scanning it leads to a convincing Microsoft login page that harvests the user's credentials. According to ReliaQuest, 56% of all quishing emails involve fake Microsoft 2FA reset notices. This single attack vector accounts for more than half of all QR code phishing incidents in business settings.
DocuSign and Contract Signing
Attackers have also impersonated DocuSign, sending emails that claim a document is waiting for the recipient's signature. The QR code in the email leads to a fake DocuSign portal that captures login credentials. For businesses that regularly use e-signature platforms, this attack is particularly convincing because it fits naturally into an existing workflow.
How Does Quishing Bypass Your Inbox Filters?
Modern email security gateways — Microsoft Defender, Proofpoint, Mimecast, and similar platforms — are excellent at detecting malicious URLs in email bodies. They follow links, check them against threat intelligence databases, and sandbox suspicious destinations. This technology has made traditional link-based phishing significantly harder to execute at scale.
Quishing sidesteps this entirely. When a QR code is embedded in an image or a PDF attachment, the email security gateway sees an image file, not a URL. There is nothing for the link-scanning engine to analyze. The malicious destination is encoded in the visual pattern of the QR code, which a gateway that does not decode QR images cannot read. This is why quishing has become the preferred delivery mechanism for attackers who need to bypass enterprise email security — and why even organizations with robust email filtering are seeing these attacks succeed.
Only 36% of quishing incidents are accurately identified and reported, according to Keepnet research. The remaining 64% go undetected, often because the victim does not recognize what happened, or because the attack was so convincing that they believed they were interacting with a legitimate service.
Who Is Being Targeted?
Quishing attacks are not random. Research from Abnormal Security found that business executives receive quishing emails 42 times more frequently than non-executive employees. This is not surprising — executives have access to financial systems, sensitive client data, and the authority to approve wire transfers. A single compromised executive account can yield far more value than a dozen compromised employee accounts.
That said, no one is immune. Physical quishing attacks — the parking meter and restaurant menu variety — target anyone who scans a QR code in a public space. Email-based quishing targets anyone with a corporate email address. The energy sector receives 29% of all quishing emails, but retail, healthcare, and financial services are also heavily targeted. For small businesses in Westchester County, the most relevant threat is the email-based attack: a fake Microsoft, DocuSign, or bank notification that arrives in an inbox and asks someone to scan a code.
How Do You Spot a Quishing Attack?
Quishing is harder to spot than traditional phishing, but there are reliable warning signs. The following table summarizes the key indicators to watch for in both email-based and physical quishing scenarios.
| Context | Warning Signs |
|---|---|
| Email with QR code | Urgency language ("expires today," "act now"), sender address does not match the brand, the link is delivered as a QR code inside an image or PDF attachment rather than as a plain text link |
| Physical QR code | Sticker placed over an existing code, code on a flyer with no official branding, code in an unexpected location (e.g., on a parking meter that previously had a different payment method) |
| After scanning | URL in the browser does not match the expected domain, site asks for login credentials or payment information immediately, SSL certificate is missing or the domain is a lookalike (e.g., "micros0ft.com") |
The most important habit is the simplest one: preview the URL before you visit it. Most smartphone camera apps display the destination URL for a moment before opening the browser. That one-second window is your opportunity to read the address and decide whether it looks legitimate. If the URL is long, garbled, or uses a domain you do not recognize, do not proceed.
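The same checks a person makes in that one-second window can be run by a help desk or mail filter once the QR code has been decoded. The block below is an added example, not code from the original article: it assumes the QR image has already been decoded to a string by a separate decoder library, and that the list of expected brand domains and the length threshold are the organization's own choices.

```python
from urllib.parse import urlsplit

# Assumption: domains the organization actually expects QR-code links to use.
EXPECTED_BRAND_DOMAINS = {"microsoft.com", "docusign.com"}
# Assumption: anything longer than this is treated as "long or garbled".
MAX_URL_LEN = 150
# Digit-for-letter swaps used to build lookalike domains such as "micros0ft.com".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the brand domains above."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_qr_url(url, expected=EXPECTED_BRAND_DOMAINS, max_len=MAX_URL_LEN):
    """Return a list of warning-sign findings for a URL decoded from a QR code.

    An empty list means none of the table's indicators fired; it does not
    mean the link is safe.
    """
    findings = []
    url = url.strip()
    if "://" not in url:
        # Bare payloads like "micros0ft.com/login" carry no scheme at all.
        findings.append("no scheme in payload")
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("not https")
    if not host:
        findings.append("no host")
        return findings
    domain = registrable_domain(host)
    if domain not in expected:
        findings.append(f"domain {domain} not in expected set")
        # Undo the digit swaps and see whether the result is a brand we expect.
        normalized = registrable_domain(host.translate(HOMOGLYPHS))
        if normalized in expected:
            findings.append(f"lookalike of {normalized}")
    if len(url) > max_len:
        findings.append("unusually long url")
    return findings


# Constructed samples mirroring the article's examples (not real campaign data).
if __name__ == "__main__":
    for sample in ("https://login.microsoft.com/reset", "https://micros0ft.com/2fa-reset",
                   "http://pay-parking.example/meter?id=1"):
        print(sample, "->", assess_qr_url(sample) or "no indicators")
```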
How to Protect Your Business from QR Code Phishing
Defending against quishing requires a combination of technical controls and employee awareness. Neither alone is sufficient.
Use a QR Scanner with Link Preview
The default camera apps on both iOS and Android display a URL preview before opening the browser. Ensure employees know to read this preview before tapping. Third-party QR scanner apps that include built-in URL safety checks — comparing the destination against known threat databases — add an additional layer of protection. These apps are free and take seconds to install.
Train Employees to Pause Before Scanning
The most effective defense against any social engineering attack is a trained, skeptical workforce. Employees should understand that any email containing a QR code — particularly one claiming to be from Microsoft, DocuSign, a bank, or an HR system — should be treated with the same suspicion as an email containing a suspicious link. If the email was not expected, verify it through a separate channel before scanning.
Apply Email Security Policies for QR Code Detection
Enterprise email platforms are beginning to add QR code scanning capabilities to their security gateways. Microsoft Defender for Office 365, for example, now includes QR code URL extraction as part of its Safe Links feature. If your business uses Microsoft 365, verify that this feature is enabled in your security configuration. This is a setting that many small businesses have never reviewed.
Inspect Physical QR Codes Before Scanning
For physical QR codes — at events, on signage, or in public spaces — look for signs of tampering. A sticker placed over an existing code is a red flag. If the code is on a parking meter or a public sign, check whether it looks like it was added after the fact. When in doubt, use the venue's official website or app instead of scanning the code.
What Should You Do Right Now?
The most immediate action any small business can take is to brief their team. Send a short note explaining what quishing is, show them the Microsoft 2FA reset email example, and remind them to preview URLs before visiting. This costs nothing and takes ten minutes. It will stop the majority of quishing attempts your business will encounter.
Beyond awareness training, review your Microsoft 365 or Google Workspace security settings to confirm that QR code link scanning is enabled. If you are unsure whether your current email security configuration provides adequate protection, or if you want a broader review of your cybersecurity posture, a cybersecurity assessment can identify the specific gaps in your setup and prioritize the fixes that matter most for your size and industry.
QR codes are not going away. They are embedded in menus, marketing materials, conference badges, invoices, and email workflows. The answer is not to stop using them — it is to use them with the same healthy skepticism you would apply to any link from an unknown source.
Written by Robert Brake
Robert Brake is a computer technician and IT consultant with over 30 years of experience, currently serving small businesses and home users in Westchester County, NY. He is the founder of Metro North Computer Consulting.
