What Is QR Code Phishing (Quishing)?
QR code phishing attacks exploit scanning habits to bypass email defenses. Learn how quishing works, real-world examples, and how to reduce your risk.
QR code phishing attacks, commonly called quishing, are a form of phishing that uses QR codes to lead people to malicious destinations. As QR codes have become a routine part of everyday life, attackers increasingly use that familiarity to make suspicious requests feel normal.
Key Takeaways
- QR code phishing attacks use familiar scanning behavior to hide malicious destinations and lower a victim's suspicion.
- These attacks often shift the interaction from a managed corporate device to a personal mobile phone, where security controls may be weaker.
- Quishing appears across email, PDF attachments, physical overlays, and other everyday environments where QR codes are common.
- Reducing risk requires a mix of image-aware email defenses, phishing-resistant authentication, mobile security policies, and QR-specific awareness training.
How QR Code Phishing Attacks Work
QR code phishing attacks work by combining familiar phishing lures with a QR code that hides the malicious destination from plain sight.
Impersonation and Social Engineering Lures
Most QR code phishing emails impersonate a trusted entity: an IT department, a well-known software provider, a shipping company, or an internal HR team. The message typically manufactures urgency by claiming a password is about to expire, a document needs a signature, or a payment requires confirmation. Embedded in the email body or an attached PDF is a QR code with instructions to scan it.
The lure works because the request feels routine. People regularly use QR codes for restaurant menus, boarding passes, and payment apps, so scanning one in a professional context rarely triggers suspicion. The attacker counts on that familiarity. Once scanned, the code redirects to a page that closely replicates a legitimate login portal, complete with accurate branding. Documented lures include fake Microsoft 365 authentication pages, HR payroll portals, and electronic signature notifications, all matching the visual identity of the impersonated service.
The Device Pivot From Desktop to Mobile
QR code phishing attacks create a distinct risk because they move the interaction from a managed corporate endpoint to a personal mobile device.
An employee reads the email on a company laptop protected by email filtering, endpoint detection, and network monitoring. But scanning the QR code with a personal phone takes the entire attack chain outside that security perimeter.
Personal devices often lack mobile device management enrollment, enterprise web filtering, and endpoint protection, especially when employees use personal phones outside organizational policy scope. The phone's QR scanner also gives users fewer inspection cues than traditional phishing surfaces. Research from NDSS USEC 2024 notes that QR scanning lacks the familiar warning cues users rely on in other channels, such as URL highlighting and phishing warnings.
QR codes can also slip past email security filters because the destination is encoded in an image rather than in text, and they move the user into an environment with fewer protective controls. This device pivot is the core technical advantage of QR codes over standard hyperlinks.
Types of QR Code Phishing Attacks
QR code phishing attacks take several forms, including credential theft by email, PDF-delivered lures, physical overlays, session hijacking, and malware delivery.
- Email-Embedded Credential Harvesting: Attackers insert QR codes into email bodies. Scanning leads to replicas of enterprise login portals for services like Microsoft 365 or identity providers.
- QR Codes in PDF Attachments: Rather than embedding the QR code in the email itself, attackers attach a PDF formatted as a routine business document. The secure email gateway (SEG) sees a clean PDF; only the victim's phone camera decodes the URL.
- Physical QR Code Overlay: Fraudulent QR stickers are placed over legitimate codes on parking meters, restaurant tables, transit posters, and ATMs.
- QRLjacking (Session Hijacking): This variant targets services that use QR codes for authentication, including WhatsApp Web and Telegram desktop.
- Malware Delivery via QR Code: QR codes can encode URLs that direct users to sites that download malicious software onto mobile devices.
How QR Code Phishing Attacks Evade Detection
Attackers evade detection by hiding malicious destinations inside images, layering QR codes into other file types, and tailoring what different scanners see.
Bypassing Email Security With Image-Based Delivery
Standard secure email gateway (SEG) tools scan for text-based URLs, known malicious domains, and suspicious attachments. A QR code sidesteps all of these checks because the URL is encoded within an image file, not exposed as readable text in the email body. The gateway sees an email with an inline image and no malicious link, so it passes the message through.
Some organizations have adopted optical character recognition and image analysis to detect QR codes in emails. Even when OCR successfully identifies a QR code, determining whether the encoded URL is malicious requires real-time URL analysis at scan time, which adds processing overhead and latency that many gateways cannot sustain at scale. Attackers have responded by encoding QR codes inside PDF attachments, adding a second layer of evasion: the email layer sees a clean PDF, and the PDF contains an image that only a phone camera can decode.
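The URL analysis step described above, once a gateway has decoded the QR image into a URL, can be a cheap first-pass triage before any sandbox detonation. The following is an added example, not code from the original article: it assumes the decoding step has already produced a URL string and that the message claims to come from a known brand; the brand allowlist, redirect-parameter list and sample URLs are constructed for illustration.

```python
from __future__ import annotations

from difflib import SequenceMatcher
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: registered domains each brand legitimately logs in on.
BRAND_DOMAINS = {
    "microsoft": {"microsoftonline.com", "microsoft.com", "live.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
# Query parameters that open redirectors commonly honour (heuristic list).
REDIRECT_KEYS = {"url", "redirect", "redir", "next", "return", "goto"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (fine for .com-style hosts)."""
    return ".".join(host.lower().split(".")[-2:])


def looks_like(label: str, brand_labels: set[str], threshold: float = 0.8) -> bool:
    """True when `label` is a near-miss (e.g. micros0ft) of a legitimate label."""
    return any(
        label != ref and SequenceMatcher(None, label, ref).ratio() >= threshold
        for ref in brand_labels
    )


def triage_qr_url(url: str, claimed_brand: str) -> tuple[str, list[str]]:
    """Classify one decoded QR payload as 'allow', 'review' or 'block'."""
    hard, soft = [], []  # hard reasons block outright; soft ones need review
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if not host:
        return "block", ["decoded payload has no host"]
    if parsed.scheme != "https":
        soft.append("scheme is not https")
    if host.replace(".", "").isdigit():
        hard.append("IP-literal host")
    # A redirect-style parameter whose value is itself a URL hides the real target.
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in REDIRECT_KEYS and any("://" in v for v in values):
            soft.append(f"redirect parameter {key!r} carries a URL")
    brand = claimed_brand.lower()
    allowed = BRAND_DOMAINS.get(brand, set())
    reg = registered_domain(host)
    if reg in allowed:
        return ("review" if soft else "allow"), soft
    # Brand name anywhere in an unsanctioned host (incl. subdomains) or a lookalike label.
    if brand in host or looks_like(reg.split(".")[0], {d.split(".")[0] for d in allowed}):
        hard.append(f"lookalike domain {reg!r} for brand {brand!r}")
    else:
        soft.append(f"domain {reg!r} does not belong to {brand!r}")
    return ("block" if hard else "review"), hard + soft
```

Verdicts of "review" are the ones worth routing to a URL sandbox with a mobile user agent, since that is the client the scanner would present.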
Splitting, Fragmenting, and Obfuscating QR Codes
Attackers have moved beyond simply embedding a single QR code image.
Conditional routing adds another dimension. Attacker-controlled redirectors fingerprint incoming connections based on user-agent, operating system, IP address, and locale, then serve different content depending on who is scanning. Intended victims see the phishing page; security researchers and automated crawlers see a benign website.
QR Code Phishing Attacks: Real-World Examples
QR code phishing attacks have moved from a niche curiosity to a documented threat tied to financial losses, law enforcement advisories, and nation-state operations.
Nation-State Campaigns Against Government and Academic Targets
In 2025, North Korea's Kimsuky group ran QR code spear-phishing campaigns against think tanks, academic institutions, and U.S. and foreign government entities. In one case, attackers impersonated a foreign adviser and sent a think tank director a QR code linking to a fake questionnaire on Korean Peninsula geopolitics. In another, employees at a strategic advisory firm received an invitation to a fictitious conference, with the QR code linking to a spoofed Google login page designed to harvest credentials.
The FBI classified quishing as an MFA-resilient identity intrusion vector, mapping the chain from QR delivery through device fingerprinting and session token theft to lateral phishing from compromised mailboxes.
Physical QR Code Fraud in Public Spaces
Quishing extends well beyond email. In June 2025, NYC's Department of Transportation warned drivers after fraudulent QR stickers were found on ParkNYC meters directing users to a third-party site requesting credit card information. Similar incidents have hit Fort Lauderdale, Redondo Beach, and Toronto, where counterfeit stickers placed next to legitimate ParkMobile or PayByPhone labels rerouted payments to spoofed sites.
Victims face a double penalty: financial fraud from entering card details on a phishing page, and a service failure because no legitimate payment was processed. The FBI has also warned about criminals mailing unsolicited packages containing QR codes, exploiting curiosity about the package's origin to drive scanning behavior.
How to Prevent QR Code Phishing Attacks
Preventing QR code phishing attacks requires layered controls that address image-based delivery, mobile-device exposure, and the human habits that make scanning feel routine.
Technical Controls for Email and Mobile Security
Organizations should consider deploying email security tools with image analysis and OCR capabilities that can detect and decode QR codes embedded in messages and attachments. Because quishing shifts the attack to mobile devices, mobile device management policies that restrict QR scanning to approved applications can limit exposure for corporate-enrolled devices. Enforcing phishing-resistant MFA, such as FIDO2 or hardware security keys, reduces the impact of credential theft from quishing by ensuring that captured passwords alone are not sufficient for account access.
The latest NIST authentication standard now requires that verifiers offer at least one phishing-resistant authentication option at AAL2, making this a compliance obligation for federal systems and a strong benchmark for all organizations. Organizations should also configure smartphones to prevent automatic redirection after scanning, which creates an inspection window between the scan and the browser action.
Security Awareness Training and Incident Response
Security awareness training programs should include quishing-specific modules rather than treating QR code threats as a subset of general phishing education. Simulations that include QR-based lures in both email and physical contexts help employees build recognition patterns. Training should cover both digital and physical vectors, including how to inspect QR codes for sticker overlays and why unexpected QR codes in emails warrant the same suspicion as unexpected links.
Incident response playbooks should also name QR code delivery as a distinct attack vector. If an employee scans a suspicious code and enters credentials, the response steps include immediately changing the compromised password, revoking all active sessions, enabling phishing-resistant MFA, and monitoring for lateral phishing activity from the compromised account. Because attackers frequently use stolen mailbox access to launch secondary campaigns against internal contacts, session revocation and account activity monitoring are as important as the password change itself.
Building Defenses That Match the Threat
QR code phishing attacks succeed because they exploit a gap between how organizations protect email and how employees use mobile devices. The QR code itself is a delivery mechanism, but it introduces a device pivot, evasion capabilities, and user trust patterns that traditional defenses were not built to address. Closing that gap means combining image-aware email security, phishing-resistant authentication, mobile device policies, and training programs that treat quishing as a distinct threat.
Frequently Asked Questions
Can QR code phishing attacks bypass multi-factor authentication?
Some variants can. Standard quishing that harvests only a username and password is stopped by MFA at the login stage, but the chain the FBI describes above, which steals session tokens after the victim authenticates, is not. Phishing-resistant authentication methods like FIDO2 hardware keys are the strongest defense against credential-harvesting attacks.
What is QRLjacking and how does it differ from quishing?
QRLjacking targets services that use QR codes as a primary login method, such as WhatsApp Web or Telegram desktop. The attacker clones the service's legitimate QR login code and tricks the victim into scanning it, which authenticates the attacker's session rather than the victim's. Unlike standard quishing, QRLjacking does not require harvesting a password. The attacker gains full account access through the hijacked session.
How can I tell if a QR code is malicious before scanning it?
You cannot determine a QR code's destination by looking at it. Malicious and legitimate codes are visually indistinguishable. After scanning, check the decoded URL carefully before tapping or entering any information. Look for misspellings in the domain name, unexpected redirects, and domains that do not match the organization the code claims to represent. Use your phone's built-in QR scanner rather than a third-party app, and configure your device to preview URLs before opening them in a browser.
Does quishing only happen through email?
No. While email is a common delivery channel, quishing occurs across physical and digital environments. Attackers place fraudulent QR stickers over legitimate codes on parking meters, menus, and transit posters. QR codes also appear in unsolicited physical packages and PDF documents. Any context where a QR code can be presented to a victim is a potential attack surface.