QR Code Phishing (Quishing)


How attackers use malicious QR codes to bypass email security filters and steal credentials.


QR code phishing — known as quishing — is a rapidly growing attack technique that bypasses traditional email security tools by hiding a malicious URL inside a QR code image.

The Quishing Attack Chain

  1. Attacker creates a phishing site and a QR code image that points to it
  2. An email carrying the QR image is sent to the target
  3. The URL filter sees an image, not a link, so the email passes
  4. The victim scans the QR code with a personal phone, which has fewer security controls
  5. A fake M365 login page appears and the victim enters credentials
  6. The attacker captures the username and password
Where to stop it: check the preview URL before tapping, and report the email to IT.
Key insight: the attack moves from your work PC (protected) to your mobile phone (less protected).

Why Quishing Is Effective

  • Bypasses email URL filters — security tools scan text links, not images
  • Moves the attack to mobile — phones often lack the endpoint protection of managed work computers
  • Feels familiar — QR codes are now routine for menus, parking, healthcare
  • Creates urgency — common lures: “your account needs verification” or “parcel undeliverable”
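To make the "scans text links, not images" gap concrete, here is an added Python example (not code from the original page or from Mobile Techs IT Service) that decodes URLs from an email's image parts and applies the same checks a URL filter would run on a visible link, and flags the scan-lure-with-image-only-URL pattern. The sample message, the brand allowlist and the stub decoder are constructed; a real deployment would wrap a QR decoder such as pyzbar or OpenCV in place of the stub.

```python
import email, re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse
# Constructed allowlist: brand keyword -> domains that may legitimately carry it.
LEGIT_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com"),
                 "auspost": ("auspost.com.au",)}

def url_findings(url):
    """Checks a URL filter would apply to a visible link, applied to a decoded QR URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = ["plain-http link"] if parsed.scheme == "http" else []
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode hostname")
    for brand, domains in LEGIT_DOMAINS.items():
        legit = any(host == d or host.endswith("." + d) for d in domains)
        if brand in host and not legit:
            findings.append(f"brand '{brand}' in lookalike host {host}")
    return findings

def inspect_message(raw, decode_qr):
    """decode_qr(image_bytes) -> str | None; in production wrap pyzbar or OpenCV here."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = (msg.get_body(preferencelist=("plain", "html")) or msg).get_content()
    text_links = re.findall(r"https?://\S+", body)
    qr_urls = []
    for part in msg.walk():  # every image part is decoded, inline or attached
        if part.get_content_maintype() == "image":
            text = decode_qr(part.get_payload(decode=True)) or ""
            if text.lower().startswith(("http://", "https://")):
                qr_urls.append(text)
    findings = []
    if qr_urls and not text_links and re.search(r"\bscan\b", body, re.I):
        findings.append("scan lure whose only URL is inside an image (filter-bypass pattern)")
    for url in qr_urls:
        findings += [f"{url}: {f}" for f in url_findings(url)]
    return findings

def sample_message():
    """Constructed quishing email: body says 'scan', the only URL is inside a PNG part."""
    m = EmailMessage()
    m["Subject"] = "Verify your M365 account"
    m.set_content("Your M365 account needs verification. Scan the QR code below to keep access.")
    m.add_attachment(b"FAKE-QR-PNG", maintype="image", subtype="png", filename="qr.png")
    return m.as_bytes()

def stub_decode_qr(image_bytes):
    """Stand-in decoder for the constructed PNG bytes (a real decoder reads the QR image)."""
    return "http://login-microsoft-verify.example/auth" if image_bytes == b"FAKE-QR-PNG" else None
```

Running `inspect_message(sample_message(), stub_decode_qr)` reports the image-only-URL pattern plus the plain-http and lookalike-host findings for the decoded link; a decoder that finds no QR code yields no findings, so the rule only fires when an image actually carries a URL.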

Common Quishing Lures

Lure | Impersonates | Goal
“Verify your M365 account” | Microsoft | Steal work credentials
“Your parcel needs a fee” | Australia Post / DHL | Credit card theft
“Complete your MFA setup” | IT department | Account takeover
“Your payslip is ready — scan to view” | HR/payroll | Credentials or financial info
Parking payment station | Council / operator | Credit card theft
⛔ Important
Never scan a QR code in an unexpected email. Microsoft, Australia Post, your bank, and your IT team will never ask you to scan a QR code to verify your account. If you receive such an email, report it to IT without scanning.

Physical Quishing: Sticker Attacks

Physical quishing: a fake sticker is placed over the legitimate QR code on a parking meter. The sticker scans to an attacker-controlled payment site, where the card details entered are captured and charged to the victim's real account. Check for stickers: a peeling edge is suspicious.
✓ Key Point
Before scanning any physical QR code, look for stickers placed over existing codes. A slightly raised or peeling edge suggests a sticker has been applied on top. Also preview the destination URL before tapping — your phone shows it before opening. If the domain looks wrong, don’t proceed.

If You Scanned a Suspicious Code

  1. Do not enter credentials — close the browser immediately
  2. Report to IT with the email or location of the QR code
  3. If you entered credentials — change your password immediately and report to IT so they can check for suspicious account activity
  4. Enable MFA if not already done — limits damage from stolen credentials
Would your staff scan that QR code?
Quishing slips past email filters and lands on personal phones your business doesn’t control. Mobile Techs IT Service helps Gold Coast businesses close the gap — advanced email security that inspects QR codes, mobile device management, MFA that limits stolen-credential damage, and phishing-awareness training that covers the newest tricks. Home users welcome too — on-site or remote, anywhere in Australia.