A QR code in an email, on a parking meter, or in a physical letter redirects you to a fake login page that looks exactly like your bank, Microsoft 365, or a government portal. Your credentials go to a criminal. The code bypasses every email spam filter because spam filters cannot read images — making it one of the fastest-growing phishing techniques targeting both businesses and consumers.
QR code phishing — commonly called “quishing” — is a phishing attack that encodes a malicious URL inside a QR code rather than embedding it as a clickable text link. The technical distinction has a critical practical consequence: email security filters that scan link URLs for phishing indicators cannot read URLs encoded inside QR code images, allowing quishing emails to reach inboxes that would reject identical attacks delivered as traditional hyperlinks.
The FBI issued a warning about quishing attacks in 2023, noting a significant increase in reports from both individuals and corporate environments. Security researchers tracked QR phishing growth at over 300% in 2023 compared to the prior year, driven by attackers recognizing the filter-bypass advantage and the increasing consumer comfort with scanning QR codes for legitimate purposes — restaurant menus, contactless payments, and event check-ins have normalized the behavior that quishing exploits.
Quishing attacks operate across two distinct environments. In the digital environment, QR codes appear in emails, PDFs, and messaging platforms — typically impersonating Microsoft, banking institutions, the IRS, or delivery services. In the physical environment, fraudulent QR code stickers are placed over legitimate codes on parking meters, restaurant tables, public bulletin boards, and even mailed as physical letters impersonating banks or government agencies.
The attacker creates a phishing email — impersonating Microsoft, a bank, the IRS, a delivery service, or a company’s IT department — and embeds a QR code image rather than a clickable link. The email’s text creates urgency: verify your account, scan to confirm your identity, scan to track your package. Because the only URL in the email is encoded as an image, security filters pass it to the inbox without flagging it. The QR code may also arrive in a PDF attachment, a physical letter, or printed on a flyer.
Quishing attacks have a secondary advantage beyond filter bypass: they move the attack from a protected corporate computer to a personal mobile device. Many employees receive quishing emails on their work computer but scan the QR code with their personal phone — which lacks the enterprise security tools, VPNs, and browser protections present on the managed work device. The attack pivots to a less-protected surface at the moment of interaction.
The QR code resolves to a convincing fake login page — Microsoft 365, a bank’s online portal, an IRS verification page. In sophisticated attacks, the URL passes through a legitimate redirect chain (a Google or Microsoft URL shortener, a legitimate CDN) before landing on the phishing page, so the intermediate URL shown in a QR scanner’s preview looks trustworthy even though the final destination is not. The victim enters credentials, which are captured in real time by the attacker.
In the physical variant, a fraudulent QR code sticker is placed over a legitimate one — on a parking meter payment kiosk, a restaurant table tent, a real estate sign, or a public bulletin board notice. The sticker is printed to closely match the surrounding materials. Victims scanning what they believe is the legitimate code are redirected to a payment page or login portal that captures their card details or credentials. Cities including Austin, San Antonio, and San Francisco have documented parking meter QR code fraud campaigns.
Before scanning any QR code — in an email, on a physical surface, or anywhere else — use a QR scanner app that shows you the full destination URL before opening it. Your phone’s default camera typically opens URLs automatically without preview. A dedicated scanner app that pauses and shows you the URL allows you to verify the domain matches what you expect before your browser loads anything. If the URL doesn’t clearly correspond to the legitimate organization — or if it contains extra subdomains, unusual characters, or an unfamiliar domain — don’t proceed.
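The domain checks described above can be applied mechanically once a scanner app has decoded the QR payload to a string. The following Python function is an added example written for this article, not code from the original page or from any scanner product; it assumes the decoded URL is already available as text, and the expected domain names it is tested against are constructed sample values. It flags the same red flags the paragraph lists (a registrable domain that does not match the expected organization, extra subdomains, punycode or non-ASCII lookalike characters, an `@` that hides the real host, a raw IP address, or plain `http`) and returns an empty list only when none of them apply.

```python
"""Added example: check a URL decoded from a QR code before opening it.

Illustrative code, not from the original article. Assumes the QR scanner
has already decoded the payload to a string; domain names are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def registered_domain(host: str) -> str:
    """Last two labels of the hostname (assumption: no public-suffix list,
    so multi-label suffixes such as co.uk are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_qr_url(url: str, expected_domain: str) -> list:
    """Return the reasons not to open `url`; an empty list means no red flags."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        findings.append("plain http, not https")

    host = parts.hostname or ""
    if not host:
        findings.append("no hostname in URL")
        return findings

    # user@host tricks the eye: the text before '@' is not the destination.
    if parts.username is not None or "@" in parts.netloc:
        findings.append("'@' in URL hides the real host")

    # A bare IP address is never how a bank or SSO portal presents itself.
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    # Punycode (xn--) or non-ASCII labels are the usual lookalike tricks.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode hostname, possible lookalike domain")
    if not host.isascii():
        findings.append("non-ASCII characters in hostname, possible lookalike")

    expected = expected_domain.lower()
    actual = registered_domain(host)
    if actual != expected:
        findings.append(f"domain '{actual}' is not '{expected}'")
    elif host.count(".") > expected.count(".") + 1:
        # login.examplebank.com is normal; a.b.c.examplebank.com is not.
        findings.append(f"extra subdomains in front of '{expected}'")
    return findings


if __name__ == "__main__":
    for candidate in (
        "https://login.examplebank.com/auth",
        "https://examplebank.com.account-verify.net/",
        "https://examplebank.com@evil.example/login",
    ):
        print(candidate, "->", check_qr_url(candidate, "examplebank.com") or "no red flags")
```

The second and third sample URLs show why the check compares the registrable domain rather than looking for the expected name anywhere in the string: `examplebank.com.account-verify.net` contains the bank's name but belongs to `account-verify.net`, and `examplebank.com@evil.example` actually resolves to `evil.example`.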
Corporate quishing attacks specifically target Microsoft 365, Okta, and other enterprise single sign-on systems because a single set of corporate credentials provides access to email, files, internal systems, and communication platforms. Enterprise email security tools that have become highly effective at catching traditional phishing links are largely blind to QR-encoded URLs — the image passes through without triggering any of the URL reputation, domain age, or content analysis checks that would catch an identical attack delivered as a hyperlink.
The mobile device pivot compounds the problem. Even organizations with sophisticated endpoint protection on managed devices find that employees scanning email QR codes on personal phones bypass the entire enterprise security stack. The attack deliberately moves to a surface outside corporate IT’s visibility and control at the moment of victim interaction.
Security teams are responding by adding QR code scanning capabilities to email security tools, training employees to never scan QR codes from email on personal devices, and implementing policies requiring that any QR-initiated login be verified through the company’s managed device. Until these defenses are widespread, quishing remains one of the highest-efficacy phishing techniques available to attackers.
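The gateway-side response described above comes down to treating an image as something that may carry a URL, rather than as inert content. The script below is an added example written for this article, not code from any email security product; it uses only Python's standard library and parses a constructed sample message. Actual QR decoding requires an image library, so it is modelled as an optional `decode_qr` callback (an assumed interface, not a real API): when no decoder is supplied, the heuristics alone, an image attachment with no text hyperlinks plus urgency language, are enough to route the message for review or quarantine instead of delivering it untouched.

```python
"""Added example: triage heuristics for QR-borne phishing at an email gateway.

Illustrative code written for this article, not from any vendor product.
Standard library only; QR decoding is an assumed callback (`decode_qr`).
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Callable, Optional

# Phrases the article associates with quishing lures (constructed list).
URGENCY_WORDS = ("verify your account", "confirm your identity", "scan",
                 "suspended", "immediately", "expire")
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IMAGE_TYPES = ("image/png", "image/jpeg", "image/gif", "image/bmp")


def build_sample_quishing_email() -> bytes:
    """Constructed sample: urgency text, a PNG attachment, no text links."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Your mailbox will be suspended. "
                    "Scan the QR code to confirm your identity.")
    # Not a real QR code: a few bytes labelled as PNG stand in for the image.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n(constructed placeholder)",
                       maintype="image", subtype="png", filename="qr.png")
    return msg.as_bytes()


def triage_email(raw: bytes,
                 decode_qr: Optional[Callable[[bytes], Optional[str]]] = None) -> dict:
    """Score a message for QR-phishing traits and surface any decoded URL."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, images = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text += part.get_content()
        elif ctype in IMAGE_TYPES:
            images.append(part.get_payload(decode=True))

    body = (str(msg["Subject"] or "") + "\n" + text).lower()
    links = LINK_RE.findall(text)
    urgency_hits = [w for w in URGENCY_WORDS if w in body]
    decoded_urls = []
    if decode_qr is not None:
        decoded_urls = [u for u in (decode_qr(img) for img in images) if u]

    score = 0
    if images and not links:
        score += 2   # the only "link" in the mail can only be inside an image
    if urgency_hits:
        score += 1
    if decoded_urls:
        score += 2   # a URL recovered from an image now gets normal URL checks
    action = "quarantine" if score >= 3 else ("review" if score >= 2 else "deliver")
    return {"images": len(images), "text_links": len(links),
            "urgency_hits": urgency_hits, "decoded_urls": decoded_urls,
            "score": score, "action": action}


if __name__ == "__main__":
    print(triage_email(build_sample_quishing_email()))
```

Once `decode_qr` returns a URL, that string should be handed to the same reputation, domain-age and content checks the gateway already applies to hyperlinks; the point of the heuristic score is only to stop image-only lures from being delivered silently while no decoder is in place.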
Credentials captured through QR phishing attacks are often sold on dark web markets within 24–48 hours of collection. Identity theft protection services with dark web monitoring alert you when your credentials appear — giving you a window to change passwords and lock accounts before full account takeover occurs.