Quishing is a portmanteau of "QR code" and "phishing": a social engineering attack that uses fraudulent QR codes to route victims to malicious destinations built to steal credentials, payment card data, or personal information. The FBI warned of QR code tampering in early 2022, and the FTC and cybersecurity agencies worldwide have since issued their own alerts as the attack vector grew alongside mainstream QR code adoption.
How Quishing Works
Quishing exploits the opacity of QR codes: a human cannot read the destination before scanning the way a URL can be read before clicking. Most phone camera apps show the decoded URL as a preview before opening it, and that preview is the only point at which the destination can be inspected. This opacity makes QR codes an effective phishing vector wherever the victim trusts the placement of the code rather than the link itself.
Physical quishing: A fraudulent QR code sticker is placed over a legitimate code on a parking meter, restaurant table, or public fixture. The victim scans expecting to pay for parking or view a menu. The code routes to a fake payment page that captures credit card data.
Email quishing: A phishing email replaces the text or HTML links that email security filters extract and check with a QR code image that encodes the same malicious destination. Because the URL never appears as text in the message, a gateway that does not decode images finds nothing to scan, and the destination bypasses URL reputation checks and link rewriting.
Document quishing: Fraudulent QR codes embedded in fake invoices, delivery notifications, tax documents, and government-lookalike communications route victims to credential-harvesting pages when scanned.
Why Email Quishing Bypasses Security Filters
Traditional email phishing embeds malicious URLs as clickable text. Email security systems parse the text and HTML of a message, extract its URLs, and check them against reputation data, sandboxes, or link-rewriting services. A QR code in an email is an image, and a gateway that does not render and decode images never sees the encoded URL. Quishing exploits this gap deliberately. Two further consequences matter for defenders: the victim scans the code with a personal phone, so the resulting web request typically leaves the corporate network and bypasses the proxy, browser isolation, and link-protection layers that a click on a desktop would pass through; and the message body often contains no URL at all, which is itself an anomaly worth detecting. Vendors now add QR decoding to some gateways, so the gap is narrowing, but any filter that stops at the image boundary remains blind to it.
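The detection logic described in the email quishing entry above and in this section, written out as an added example (this is not code from the original page or from any vendor product). It walks a MIME message, hands every image part to a QR decoder, and analyses the URLs that come back; it also flags the "only actionable link is inside an image" pattern. The QR decoding step is delegated to a caller-supplied function so the pipeline runs offline: `pyzbar_decode` assumes Pillow and pyzbar are installed, and the sample message, its placeholder image bytes, the stub decoder, the shortener list, and the hostname `xn--pypal-4ve.example` are all constructed for this example.

```python
"""Scan a MIME e-mail for QR-code images and analyse the URLs they encode.

Added example, not part of the original page. QR decoding is injected as a
callable so the scanner itself has no dependency beyond the standard library.
"""
import email
import io
import re
from email import policy
from email.message import EmailMessage
from typing import Callable, Iterable
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed list of link shorteners; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "rb.gy"}


def url_indicators(url: str) -> list[str]:
    """Return the risk indicators present in a decoded URL (empty list means none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found: list[str] = []
    if parts.scheme.lower() != "https":
        found.append("not-https")
    if IPV4_RE.match(host):
        found.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode-host")          # IDN homoglyph domains are encoded this way
    if parts.username is not None:
        found.append("userinfo-in-authority")  # "https://brand.example@evil.example/" trick
    if host in SHORTENERS:
        found.append("url-shortener")          # hides the real destination behind a redirect
    if re.search(r"login|signin|verify|secure|account", parts.path, re.IGNORECASE):
        found.append("credential-page-keywords")
    return found


def pyzbar_decode(image_bytes: bytes) -> list[str]:
    """Decode QR payloads with Pillow + pyzbar (assumed installed; imported lazily)."""
    from PIL import Image
    from pyzbar.pyzbar import decode
    symbols = decode(Image.open(io.BytesIO(image_bytes)))
    return [sym.data.decode("utf-8", "replace") for sym in symbols]


def scan_message(raw: bytes, decode_qr: Callable[[bytes], Iterable[str]] = pyzbar_decode) -> dict:
    """Extract URLs from text parts and from QR codes in image parts, then judge the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_urls: list[str] = []
    qr_urls: list[dict] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_maintype() == "image":
            for url in decode_qr(part.get_payload(decode=True)):
                qr_urls.append({"part": part.get_filename() or ctype,
                                "url": url,
                                "indicators": url_indicators(url)})
        elif ctype in ("text/plain", "text/html"):
            text_urls.extend(URL_RE.findall(part.get_content()))
    # The evasion pattern: the message carries no textual link, only a link hidden in an image.
    image_only_link = bool(qr_urls) and not text_urls
    suspicious = image_only_link or any(f["indicators"] for f in qr_urls)
    return {"text_urls": text_urls, "qr_urls": qr_urls,
            "image_only_link": image_only_link,
            "verdict": "suspicious" if suspicious else "clean"}


def build_sample() -> bytes:
    """Constructed sample: an 'overdue invoice' mail whose only link is inside an inline image."""
    msg = EmailMessage()
    msg["From"] = "billing@invoices.example"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Invoice 20394 overdue - scan to pay"
    msg.set_content("Your invoice is overdue. Scan the code below to settle the balance.")
    # Placeholder bytes stand in for a real PNG; stub_decode returns what the image would encode.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n<qr-pixels>", maintype="image", subtype="png",
                       filename="pay.png", disposition="inline")
    return bytes(msg)


def stub_decode(image_bytes: bytes) -> list[str]:
    """Stand-in decoder for the constructed sample (the host below is made up for this example)."""
    if image_bytes.startswith(b"\x89PNG"):
        return ["http://xn--pypal-4ve.example/login?inv=20394"]
    return []


if __name__ == "__main__":
    import json
    print(json.dumps(scan_message(build_sample(), decode_qr=stub_decode), indent=2))
```

Swap `stub_decode` for `pyzbar_decode` to run it against real messages; the rest of the pipeline is unchanged. The `image_only_link` flag is deliberately independent of the URL analysis, because a clean-looking shortener or a freshly registered domain will carry no reputation yet, while a message that contains no link except inside an image is anomalous on its own.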
Protection Against Quishing
Legitimate Talking QR Codes and Quishing
Legitimate talking QR codes