QR Code Phishing (Quishing): The Attack Vector You're Probably Ignoring
QR codes were everywhere during the pandemic — menus, check-ins, payments. Attackers noticed. "Quishing" (QR code phishing) has grown significantly as a technique to bypass email security gateways that scan URLs but not images.
How Quishing Works
- Attacker creates a phishing page (fake Microsoft login, fake bank portal)
- Generates a QR code pointing to the malicious URL
- Embeds the QR code image in a phishing email
- Email security tools scan the text/HTML for URLs but do not decode the image, so the URL carried by the QR code is never inspected
- Victim scans the QR code on their phone — which may have weaker security controls
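The gap in step four is that the URL never appears as text, so it has to be recovered from the image before any URL reputation or allowlist check can run. The following is an added example (not code from the original post or from any vendor product) of the analysis a gateway rule would perform on a message once the QR code has been decoded. It uses only the Python standard library; the QR decoding itself is assumed to come from a separate library such as pyzbar and is passed in as a callable, so the message, the "decoded" URL, the trusted-domain list and the lure phrases are all constructed for the demonstration.

```python
"""Added example: analysing an email whose only link is inside a QR image."""
import ipaddress
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed lure phrases matching the MFA re-enrolment pretext.
LURE_PATTERNS = re.compile(r"re-?enrol|mfa|authenticator|scan (?:the|this) qr", re.I)
# Hypothetical allowlist of the organisation's legitimate sign-in hosts.
TRUSTED_DOMAINS = {"login.microsoftonline.com", "login.example.com"}
# Brand words that should not appear in an untrusted host name.
BRAND_WORDS = ("microsoft", "office365", "authenticator", "sso", "login")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def image_parts(msg):
    """Return (content type, byte length) for every image part, inline or attached."""
    return [(p.get_content_type(), len(p.get_payload(decode=True) or b""))
            for p in msg.walk() if p.get_content_maintype() == "image"]


def analyse_url(url):
    """Apply to a QR-decoded URL the checks a text URL scanner would have applied."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if parsed.scheme != "https":
        flags.append("not-https")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")
    if host in SHORTENERS:
        flags.append("shortener")
    if host not in TRUSTED_DOMAINS and any(w in host for w in BRAND_WORDS):
        flags.append("brand-lookalike")
    return {"url": url, "host": host, "flags": flags}


def assess(msg, decode_qr):
    """Combine lure text, image presence and decoded-URL flags into a verdict.

    decode_qr(msg) must return the list of URLs found in the message's images.
    """
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_content()
    lure = bool(LURE_PATTERNS.search(text))
    images = image_parts(msg)
    findings = [analyse_url(u) for u in decode_qr(msg)]
    if any(f["flags"] for f in findings) and (lure or images):
        verdict = "quarantine"
    elif lure and images:
        verdict = "review"   # lure wording plus an image, but nothing decoded
    else:
        verdict = "allow"
    return {"verdict": verdict, "lure": lure, "images": len(images), "urls": findings}


def build_sample():
    """Constructed message mimicking the MFA re-enrolment lure with an inline PNG."""
    msg = EmailMessage()
    msg["From"] = "IT Support <it@example.com>"   # constructed sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: MFA re-enrolment"
    msg.set_content("Your MFA token expires today. Scan the QR code below to re-enrol.")
    # Constructed PNG header plus padding; this is not a real QR image.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                       maintype="image", subtype="png", filename="qr.png")
    return msg


def fake_decoder(msg):
    """Stand-in for a real QR decoder; returns a constructed decoded URL."""
    return ["http://microsoft-login-secure.example/auth"]


if __name__ == "__main__":
    print(assess(build_sample(), fake_decoder))
```

In production the decoder hook would be replaced by a real image decoder running over every image part, and the allowlist and brand words would come from the organisation's own configuration; the point of the example is that once the URL is recovered, the existing URL checks (scheme, IP literal, punycode, shortener, lookalike host) apply unchanged.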
Why It's Effective
- Bypasses URL scanners — most email security tools don't decode QR images
- Mobile device shift — victims scan on phones that may not have corporate security controls
- Legitimacy perception — QR codes feel modern and trustworthy to many users
- Short-lived URLs — attackers rotate domains quickly to avoid blocklists
Real-World Example
In a recent campaign targeting financial services firms, attackers sent emails purporting to be from the IT department requesting MFA re-enrolment. The email contained a QR code that redirected to a convincing Microsoft Authenticator phishing page.
Detection and Defence
For Security Teams
- Deploy email security solutions with QR code image analysis
- Add QR code scanning to phishing simulation training
- Monitor for unusual authentication attempts from mobile devices
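The third item is the one most teams can act on immediately from existing sign-in logs. As an added example (not from the original post or any vendor product), the rule below goes slightly beyond the bullet by tying it to the MFA re-enrolment pretext described earlier: it flags an MFA method registration that is preceded, within a short window, by a mobile-OS sign-in from a country or IP the user has never used before. The sign-in records, field names and time window are constructed and would need mapping to the identity provider's real log schema.

```python
"""Added example: correlating mobile sign-ins with MFA registrations."""
from datetime import datetime, timedelta

MOBILE_OS = {"iOS", "Android"}
WINDOW = timedelta(hours=1)   # assumed lookback from the registration event

# Constructed events: (timestamp, user, event, os, country, ip). Not real data.
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "signin", "Windows", "GB", "198.51.100.5"),
    ("2024-05-01T08:05:00", "alice", "signin", "Windows", "GB", "198.51.100.5"),
    ("2024-05-01T09:00:00", "alice", "signin", "iOS", "GB", "198.51.100.5"),
    ("2024-05-02T10:00:00", "alice", "signin", "Android", "NL", "203.0.113.7"),
    ("2024-05-02T10:12:00", "alice", "mfa_registered", "Android", "NL", "203.0.113.7"),
    ("2024-05-01T12:00:00", "bob", "signin", "Windows", "GB", "198.51.100.9"),
    ("2024-05-02T11:00:00", "bob", "signin", "iOS", "GB", "198.51.100.9"),
    ("2024-05-02T11:30:00", "bob", "mfa_registered", "Windows", "GB", "198.51.100.9"),
]


def parse(events):
    """Convert ISO timestamps to datetime so the rows sort and compare correctly."""
    return [(datetime.fromisoformat(ts), user, ev, os_, cc, ip)
            for ts, user, ev, os_, cc, ip in events]


def detect_suspicious_mfa_registrations(events, window=WINDOW):
    """Return alerts for MFA registrations preceded by a mobile sign-in from a new location.

    The user's baseline is every event that happened before the lookback window,
    so an attacker's own sign-in cannot pollute the baseline it is compared against.
    """
    rows = sorted(parse(events))
    alerts = []
    for ts, user, ev, _os, _cc, _ip in rows:
        if ev != "mfa_registered":
            continue
        start = ts - window
        history = [r for r in rows if r[1] == user and r[0] < start]
        known_countries = {r[4] for r in history}
        known_ips = {r[5] for r in history}
        for sts, suser, sev, sos, scc, sip in rows:
            if suser != user or sev != "signin" or not (start <= sts <= ts):
                continue
            new_country = scc not in known_countries
            new_ip = sip not in known_ips
            if sos in MOBILE_OS and (new_country or new_ip):
                alerts.append({
                    "user": user,
                    "registered_at": ts.isoformat(),
                    "signin_at": sts.isoformat(),
                    "os": sos, "country": scc, "ip": sip,
                    "new_country": new_country, "new_ip": new_ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_mfa_registrations(EVENTS):
        print(alert)
```

With the constructed data, alice is flagged (Android sign-in from a new country and IP shortly before a new MFA method is registered) while bob is not, because his iOS sign-in comes from a country and address already in his history. Tuning the window and requiring a minimum baseline length are the usual adjustments before such a rule goes into a production detection pipeline.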
For Individuals
Before scanning any QR code in an email:
- Use the Cyber121 QR Scanner to decode and analyse the URL first
- Check the destination domain carefully
- Never scan QR codes in unsolicited emails
Conclusion
Quishing is a reminder that attackers continuously adapt to bypass defensive controls. Security awareness training must evolve to include QR code risks.