What is quishing?
Quishing is phishing delivered through a QR code. Victims scan a malicious QR code that redirects them to a fake website designed to steal login credentials or financial details, or to install malware on their device.
Last reviewed: 10 June 2026
Explanation
Traditional email security filters scan URLs in the body of an email, but a QR code is just an image — the embedded link is invisible to most automated scanners. Criminals exploit this gap by embedding malicious URLs in QR codes attached to phishing emails, fake parking notices, restaurant table stickers placed over legitimate ones, or even printed flyers left in public spaces.
When the victim scans the code with their phone, they are taken to a convincing replica of a bank, parcel delivery service, government portal, or corporate login page. Because the deceptive URL is in the phone's browser rather than a desktop email client, users may be less alert to it.
Some quishing campaigns specifically target employees to harvest corporate credentials. Attackers send emails purportedly from IT departments instructing staff to scan a QR code to re-authenticate or enrol in multi-factor authentication. The irony of using a fake security step to bypass security is intentional.
Before scanning any QR code in an unexpected context, consider whether you requested or expected that code, and preview the URL your device shows before visiting it.
Common red flags
- An unsolicited email, text, or letter containing a QR code asking you to log in or verify details
- A QR code sticker placed over or next to an existing legitimate one in a public place
- The destination URL looks similar but not identical to the legitimate service (e.g. extra characters or a different domain)
- A sense of urgency — 'scan within 24 hours to avoid account suspension'
- Corporate emails asking you to scan a QR code to complete a security or IT action
What to do now
- Preview the URL before tapping — most phone cameras and QR apps show the destination link first
- If you have already scanned and entered details, change your password and enable MFA immediately
- Report the suspicious message to your IT security team if it arrived at work
- Forward phishing emails with QR codes to your national anti-phishing reporting address
- Alert your bank if you entered any financial credentials
Frequently asked questions
Is it safe to scan QR codes in restaurants or shops?
Usually yes, but check whether a sticker has been placed over the original. Legitimate venue QR codes take you to a menu or ordering page — they should never ask for login credentials or payment details through an unfamiliar site.
Why do security filters miss quishing attacks?
Email security tools primarily scan text-based URLs. A QR code is treated as an image attachment, so the embedded malicious link is not inspected. Some advanced tools now decode QR images in emails, but adoption is not yet universal.
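Once a tool has decoded the QR image, the resulting URL can be checked like any other link. The following is an added example, not part of the original page: it compares a decoded URL's host against an allowlist and flags the "similar but not identical" destinations described under the red flags. The domain names, the function names and the two-label approximation of the registrable domain are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; replace with your organisation's real domains.
TRUSTED = {"examplebank.com", "login.example-corp.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_qr_url(url: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL decoded from a QR code."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if parts.username:
        return "lookalike"  # text before '@' can imitate a trusted host name
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"  # punycode label: possible look-alike characters
    # Assumption: the last two labels approximate the registrable domain;
    # a production check would consult the Public Suffix List instead.
    registrable = ".".join(labels[-2:])
    for t in trusted:
        t_reg = ".".join(t.split(".")[-2:])
        brand = t_reg.split(".")[0]
        if brand in host:  # brand used as a subdomain or with extra words attached
            return "lookalike"
        if edit_distance(registrable, t_reg) <= 2:  # extra or swapped characters
            return "lookalike"
    return "unknown"
```

A "lookalike" result is a reason to quarantine or warn; "unknown" only means the host is not on the allowlist and does not resemble it.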