How attackers use malicious QR codes to bypass email security filters and steal credentials.
QR Code Phishing (Quishing)
QR code phishing — known as quishing — is a rapidly growing attack technique that bypasses traditional email security tools by hiding a malicious URL inside a QR code image.
The Quishing Attack Chain
Why Quishing Is Effective
- Bypasses email URL filters — traditional security tools scan text links, not the contents of images
- Moves the attack to mobile — phones often lack the endpoint protection of managed work computers
- Feels familiar — QR codes are now routine for menus, parking, healthcare
- Creates urgency — common lures: “your account needs verification” or “parcel undeliverable”
Common Quishing Lures
| Lure | Impersonates | Goal |
|---|---|---|
| “Verify your M365 account” | Microsoft | Steal work credentials |
| “Your parcel needs a fee” | Australia Post / DHL | Credit card theft |
| “Complete your MFA setup” | IT department | Account takeover |
| “Your payslip is ready — scan to view” | HR/payroll | Credentials or financial info |
| Parking payment station | Council / operator | Credit card theft |
⛔ Important
Never scan a QR code in an unexpected email. Microsoft, Australia Post, your bank, and your IT team will never ask you to scan a QR code to verify your account. If you receive such an email, report it to IT without scanning.
Physical Quishing: Sticker Attacks
✓ Key Point
Before scanning any physical QR code, look for stickers placed over existing codes. A slightly raised or peeling edge suggests a sticker has been applied on top. Also preview the destination URL before tapping — your phone shows it before opening. If the domain looks wrong, don’t proceed.
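What "the domain looks wrong" means can be made concrete. The check below is an added example, not part of the original article: it takes the URL a QR decoder returned and lists the reasons it should not be trusted. The expected domains, the function name and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains this organisation expects its own QR codes to open.
EXPECTED_DOMAINS = {"microsoft.com", "auspost.com.au"}

def check_qr_url(payload, expected=EXPECTED_DOMAINS):
    """Return reasons a decoded QR payload looks wrong; an empty list means no findings."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return ["not a parseable URL"]
    if not host:
        return ["no hostname in payload"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if has_userinfo:
        reasons.append("text before '@' is not the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("non-ASCII or punycode host (possible lookalike characters)")
    # Match on a label boundary: "microsoft.com.evil.example" must not pass.
    if not any(host == d or host.endswith("." + d) for d in expected):
        if any(d in host for d in expected):
            reasons.append("expected domain name appears inside an unrelated host")
        else:
            reasons.append("host is not under an expected domain")
    return reasons

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://www.microsoft.com/account",
    "https://microsoft.com.verify-login.example/mfa",
    "http://microsoft.com@203.0.113.7/",
    "https://xn--auspost-abc.example/fee",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url) or "no findings")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.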
If You Scanned a Suspicious Code
- Do not enter credentials — close the browser immediately
- Report to IT with the email or location of the QR code
- If you entered credentials — change your password immediately and report to IT so they can check for suspicious account activity
- Enable MFA if not already done — limits damage from stolen credentials

