QR codes have become widely used for everyday activities such as accessing menus, connecting to Wi-Fi networks, and making digital payments. However, cybersecurity researchers have increasingly warned that attackers are now exploiting this convenience through a type of phishing attack known as “quishing,” or QR-code phishing.
In a quishing attack, a malicious link is embedded within a QR code rather than directly included in an email or message. When a victim scans the code using a smartphone, the device automatically redirects them to a website controlled by the attacker. These websites often imitate legitimate login pages for services such as Microsoft 365, Google, or banking platforms in order to capture user credentials or other sensitive information.
Security researchers note that quishing has become attractive to attackers because QR codes can bypass traditional security tools. Most email filtering systems are designed to analyze text and detect suspicious links, but QR codes appear as images, which makes it more difficult for automated systems to identify the hidden destination URL (Microsoft Security Blog, 2024). As a result, phishing emails containing QR codes may evade detection and reach victims more easily.
Recent threat intelligence reports have documented several real-world campaigns using this technique. Researchers from Proofpoint found phishing emails that included QR codes claiming to provide access to payroll documents or secure files. When scanned, the codes redirected victims to fraudulent login pages designed to steal credentials (Proofpoint Threat Research, 2023). Similar campaigns have been observed targeting corporate email users and cloud services such as Microsoft SharePoint.
Other cybersecurity firms have also reported a significant rise in QR-based phishing. Analysts at Barracuda Networks identified large phishing campaigns where QR codes were embedded inside PDF attachments sent through email. In some cases, hundreds of thousands of phishing emails used this tactic to trick users into scanning the code and entering login information on fake websites (Barracuda Threat Spotlight, 2024).
Security researchers at Palo Alto Networks have also noted that attackers are making these campaigns more sophisticated. Some phishing operations hide their malicious destinations behind redirect chains hosted on legitimate websites, making detection even more difficult. Others incorporate bot-detection mechanisms to prevent automated security scanners from identifying the malicious content (Unit 42 Threat Research, 2024).
The increasing prevalence of QR codes in everyday life has contributed to the effectiveness of these attacks. Since the COVID-19 pandemic, QR codes have become widely accepted for tasks such as contactless menus, event check-ins, and digital payments. Because people are accustomed to scanning QR codes, attackers can exploit this familiarity to make phishing attempts appear legitimate.
These attacks also pose particular risks for organizations where employees frequently use mobile devices to access work systems. Smartphones may not have the same security protections as corporate computers, and users may be more likely to trust a QR code when scanning it with their personal device.
To mitigate these risks, cybersecurity experts recommend that users treat QR codes with the same caution as suspicious links. If an email requests scanning a QR code to log in, verify an account, or access sensitive information, users should instead navigate directly to the official website. Organizations should also consider implementing security awareness training that includes guidance on QR-code phishing threats. You can also protect yourself by:
- Use the “Sticker Test” for QR code that are in public places by verifying that the QR has not been replaced by a sticker that maybe bad
- Validate that the QR code leads to a valid URL and not some shorten or strange looking URL
- Make sure that MultiFactor Authentication (MFA) is enabled on devices so that the QR code does not lead to a page that you need to login
- Use the Zero Trust model – Verify the vendor before you provide any financial data
As QR codes continue to be integrated into digital services and everyday interactions, awareness of quishing attacks will become increasingly important. Understanding how these attacks work can help organizations and individuals avoid falling victim to a rapidly growing form of phishing.
Sources
Barracuda Networks. (2024). Threat Spotlight: Evolving QR Code Phishing Attacks. Barracuda Threat Intelligence.
Microsoft Security Blog. (2024). How Microsoft Defender for Office 365 Addresses QR Code Phishing Attacks.
Palo Alto Networks Unit 42. (2024). QR Code Phishing Campaigns and Emerging Threat Techniques.
Proofpoint Threat Research. (2023). Cybersecurity Stop of the Month: QR Code Phishing.
Academic Research:
Krombholz et al. (2024). Hooked: A Real-World Study on QR Code Phishing.
Additional cybersecurity reporting on QR code scams has also been covered by news outlets including The Guardian and regional cybersecurity alerts.