QR Code Phishing (Quishing)
A phishing technique that embeds malicious URLs in QR codes to bypass email security filters, which typically scan text links but not image content.
Also known as: quishing, QR phishing
Last reviewed: 10 June 2026
Quishing takes advantage of the fact that most email security gateways scan hyperlinks for known malicious destinations but do not decode and analyse QR codes embedded in images. An attacker sends an email with a QR code image; when the recipient scans it with their phone, they are directed to a phishing site that may capture credentials or install malware.
Because the scan happens on the recipient's mobile device — which may have less robust security controls than a corporate laptop — and the URL is not visible in the email body, both email filters and vigilant users are less likely to intercept the attack. Quishing campaigns have targeted corporate login portals, two-factor authentication capture pages, and fake document-signing services.
Consumers and employees should apply the same scepticism to QR codes as to any other link: verify the destination domain before entering credentials, be especially wary of QR codes received unexpectedly in email, and consider previewing QR code content on a desktop browser rather than scanning directly from a phone.
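The "verify the destination domain" step above can be automated once a QR code has been decoded to text. The following is an added example, not part of the original entry; the allowlist, the function names and the sample payloads are constructed assumptions, and decoding the image itself is out of scope.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: domains the organisation really uses for sign-in.
TRUSTED_DOMAINS = frozenset({"example.com"})

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_qr_payload(payload, trusted=TRUSTED_DOMAINS):
    """Classify a string decoded from a QR code as ('allow'|'block', reason)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ("block", "malformed URL")
    if parts.scheme != "https":
        return ("block", "scheme is not https")
    if not host:
        return ("block", "no host in URL")
    if parts.username is not None:
        # In https://login.example.com@evil.test/ the real host is evil.test.
        return ("block", "userinfo before '@' disguises the real host")
    if is_ip_literal(host):
        return ("block", "raw IP address instead of a domain")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return ("block", "internationalised host, possible lookalike")
    # Match whole labels from the right, so example.com.evil.test fails.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return ("allow", "host is within a trusted domain")
    return ("block", "host is not within a trusted domain")

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://login.example.com/sso",
    "https://login.example.com@evil.test/sso",
    "https://example.com.evil.test/login",
    "http://login.example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_qr_payload(sample), sample)
```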