What is Quishing (QR Phishing)?
In 2025, quishing rose 25 % YoY and now accounting for 1 in every 8 credential-harvest campaigns. Learn what quishing is, how it works, and how to prevent your organization from these threats
2024-01-29
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Quishing—QR-code phishing—tricks people into scanning a malicious code that steals logins or drops malware. In 2025, it accounts for 1 in 8 credential-harvest campaigns.
This guide shows you what quishing is, how QR phishing works, and how to stop it:
Quishing Explained: How QR-Code Phishing Bypasses Email Filters
Defining quishing helps recognize the dangers of QR code phishing. Quishing, a combination of “QR code” and “phishing,” refers to a deceptive cyberattack tactic where malicious actors exploit QR codes to redirect users to fraudulent websites, harvest sensitive data, or install malware.
Unlike traditional phishing tactics that rely on suspicious links or attachments in emails—which can be detected and blocked by email filters—quishing uses QR codes embedded within seemingly harmless images or PDF attachments. Email filters typically scan for known malicious URLs or executable files, but they cannot analyze the content behind a QR code image, making it easier for these threats to slip through undetected.
Quishing is different from normal phishing tactics, which usually use fake emails or text messages. Instead, quishing uses QR codes that look safe but are actually dangerous. These generated QR codes are often found on restaurant menus, ads, or payment screens.
What are Quishing Attacks?
In quishing attacks, a cybercriminal creates a fake QR code that looks safe. When someone scans it using their phone’s camera app, it takes them to a dangerous website. This website might ask them to log in, download something, or give away personal information—like passwords or bank details.
Watch our YouTube video to see a real-life quishing incident unfold and learn all the key details behind it:
How Does Quishing Work in 2025?
In 2025, attackers have become even more sophisticated by leveraging AI technologies to generate realistic quishing lures at scale. Cybercriminals now use AI to create branded QR codes, craft personalized phishing pages, and even deploy deepfake overlays on printed materials like event posters and restaurant menus.
These AI-enhanced attacks are harder to detect with traditional methods, requiring organizations to adopt smarter defenses. Solutions like Keepnet’s AI-driven Quishing Simulator is essential, test and train employees from scanning QR codes for hidden threats and proactively identifying phishing attempts before employees fall victim.
A typical quishing attack follows these steps:
- A QR code is placed in an email, website, or on a poster.
- The user scans it, thinking it's legitimate.
- It directs them to a phishing site disguised as a real login page.
- Attackers then collect credentials, banking details, or sensitive data.
ATT&CK Techniques Quishing Uses
Here is the table showing the list the ATT&CK techniques quishing uses, helping CISOs align with frameworks.
| MITRE Technique ID | Technique Name | Relevance to Quishing |
|---|---|---|
| T1566.002 | Phishing: Spearphishing Link | Used to deliver malicious URLs via QR codes. |
| T1204.001 | User Execution: Malicious Link | Users scan the code and unknowingly activate the attack. |
| T1555.003 | Credentials from Web Browsers | Phishing sites harvest saved credentials via fake login prompts. |
| T1059.003 | Command and Scripting Interpreter: Windows Shell | Malware may execute commands post-scan (if exploit is successful). |
| T1082 | System Information Discovery | Payloads may gather data from the victim’s device post-compromise. |
Table 2: MITRE ATT&CK Mapping for Quishing Attacks
Quishing attacks thrive on social engineering, capitalizing on the convenience of QR codes to bypass user caution. For example, a scammer might replace a legitimate restaurant menu’s QR code with one leading to a phishing site mimicking a payment portal.
These attacks often bypass email security filters, making QR phishing a growing concern in 2025.
How Quishing Differs from Traditional Phishing?
At its core, quishing is still phishing—but with a twist. Traditional phishing attacks rely on clickable links in emails or messages, which many email security gateways can now detect. With quishing, the malicious URL is encoded inside the QR code itself, bypassing these protections. The victim still interacts with a fake website, but the QR code adds an extra layer of deception.
Here are the key differences between quishing and traditional phishing:
- Hidden Links: In quishing, the malicious link is hidden in the QR code, making it impossible for users to preview or verify before scanning.
- Bypassing Secure Email Gateways: Traditional phishing relies on detectable URLs. Quishing evades many email security filters because the harmful link is embedded within the QR code. Learn more about how email security threats bypass defenses.
- Trust Factor: Many users have built trust with QR codes, especially post-pandemic, making them less cautious about scanning.
2025 Regulatory & Industry Warnings
As QR code phishing (quishing) attacks escalate in 2025, global regulatory bodies and cybersecurity authorities have issued critical warnings to help individuals and organizations recognize and mitigate these threats.
FTC: Malicious QR Codes in Unsolicited Packages
In January 2025, the U.S. Federal Trade Commission (FTC) alerted consumers to a new scam involving unexpected packages containing QR codes. These codes, when scanned, direct recipients to phishing websites designed to steal personal information or install malware on their devices. The FTC advises caution when receiving unsolicited packages and recommends verifying the source before scanning any QR codes (Source).
FBI: Rise in QR Code Scams
The FBI has observed a significant increase in QR code-related scams. Cybercriminals are tampering with legitimate QR codes or creating fraudulent ones to redirect users to malicious sites, steal credentials, or install malware. The FBI recommends inspecting QR codes for signs of tampering and using security software that can scan QR codes for potential threats (Source).
NCSC (UK): Growing Threat of 'Quishing'
The UK's National Cyber Security Centre (NCSC) has highlighted the growing threat of 'quishing'—phishing attacks that utilize QR codes. Criminals embed malicious links within QR codes, often bypassing traditional security filters. The NCSC advises caution when scanning QR codes, especially those received via email or found in public places, and recommends using built-in phone scanners that preview URLs before opening (Source).
Financial Institutions and Regulators: Surge in 'Quishing' Attacks
Major banks and regulatory bodies, including Santander, HSBC, TSB, the UK's NCSC, and the U.S. FTC, have raised concerns over the surge in 'quishing' attacks. These scams often involve QR codes embedded in emails or physical locations, leading unsuspecting users to phishing sites. The institutions emphasize the importance of public awareness and caution when interacting with QR codes, especially those from unknown sources (Source).
These warnings underscore the importance of vigilance and proactive measures in combating the evolving threat landscape of QR code phishing in 2025.
What Attack Types Are Executed With a Malicious QR Code?
Malicious QR codes can execute a variety of cyberattacks beyond just phishing:
Redirect to Phishing Sites
Scanning the code sends users to a fraudulent website, where they may be tricked into entering login credentials or personal information.
Malware Downloads
Some QR codes can trigger automatic downloads, planting malware or ransomware on the device. Explore how ransomware attacks affect businesses.
Device Data Extraction
Advanced quishing attacks may use QR codes to extract sensitive data directly from a device, such as location information or other private data.
Static vs. Dynamic Codes
Not all QR codes are created equal. Understanding the difference between static and dynamic QR codes is critical for recognizing quishing risks.
Static QR Codes are fixed — once generated, their embedded information (such as a URL) cannot be changed. They are often printed on physical materials like flyers, restaurant menus, or product packaging. While static codes are less flexible for legitimate use, they are generally safer because any tampering requires replacing the entire code.
Dynamic QR Codes, on the other hand, are much more versatile — they store a short URL that redirects users to a destination controlled by the code creator. This means the final URL can be changed at any time without altering the QR code image itself. Although this flexibility is valuable for businesses (for marketing, payments, and event check-ins), it also presents a serious security risk. Cybercriminals can compromise the backend system hosting a dynamic QR code, silently redirecting users to malicious websites without needing to replace or alter the code on public-facing materials.
Why It Matters:
- Tampering Risks: Static codes must be physically altered to change the destination, making unauthorized changes easier to spot. Dynamic codes can be compromised invisibly.
- Attack Surface: Dynamic codes expand the attack surface because they rely on web infrastructure that could be hacked.
- Mitigation Strategies: Organizations should cryptographically sign critical QR codes, prefer static codes for sensitive transactions, and regularly monitor dynamic link endpoints for suspicious changes.
In short, while dynamic QR codes offer convenience and tracking capabilities, they also introduce an invisible layer of risk that attackers are increasingly exploiting in 2025.
How Do Scammers Use QR Codes?
Scammers use QR codes in several simple but sneaky ways. One common tactic is sending emails that look like they’re from trusted brands, asking you to scan a QR code for urgent updates or special deals. When you scan the code, it takes you to a fake website to steal your login details.
Scammers also put harmful QR codes on posters or flyers in public places. People scan them, thinking they’re getting something useful, but end up on a phishing site instead. Sometimes, scammers even change real ads by adding their own fake QR codes, tricking people into visiting dangerous websites.
Red-Team Corner: How Attackers Tamper with QR Codes in the Wild
Penetration testers and real-world attackers often use physical tampering techniques to exploit QR code trust. One common tactic involves printing fake QR code stickers and carefully placing them over legitimate QR codes in public spaces—such as restaurant menus, event posters, parking meters, and hotel lobbies.
Because the appearance of the original material remains intact, users rarely notice anything unusual. Advanced attackers even mimic branding (like company logos) to maintain credibility.
For businesses, this highlights the need for regular inspections of physical QR code placements, tamper-proof designs (like holographic labels), and staff training to spot suspicious modifications before customers fall victim.
How to Detect a Quishing Attack?
Detecting quishing attacks can be difficult, but there are some red flags to watch for:
- Unfamiliar sources: Be cautious of scanning QR codes from unverified sources or in unsolicited emails.
- Urgency: Just like in traditional phishing, quishing often uses language that creates a sense of urgency, such as “scan this code to verify your account” or “act within 24 hours.”
- Lack of context: If a QR code appears out of place or unnecessary, avoid scanning it. Always question why you’re being asked to scan a code.
- Preview the URL: Some QR scanners provide an option to preview the URL before navigating to the site. Always check the URL and ensure it’s legitimate.
How to Prevent a Successful Quishing Attack?
Stopping quishing attacks requires more than just employee caution — it demands layered defenses combining smart controls, proven techniques, and powerful tools. Below is a practical guide to strengthening your organization’s protection against QR code phishing:
| Control | Technique | Tooling Example |
|---|---|---|
| QR Code Source Verification | Only use trusted, verified QR codes. Physically inspect for tampering. | Security training using Keepnet's Quishing Simulator to educate employees on real-world detection. |
| URL Preview Before Navigation | Use QR scanners that display the destination URL before opening. | Deploy mobile security apps or recommend built-in QR scanning with URL preview features (iOS, Android). |
| Dynamic Link Monitoring | Continuously monitor dynamic QR codes for changes or malicious redirects. | Integrate Keepnet’s Phishing Threat Protection or other real-time link analysis services. |
| Endpoint Protection | Detect and block malware from compromised QR links. | Enable Mobile Device Management (MDM) with endpoint protection suites such as CrowdStrike, Microsoft Defender. |
| Zero-Trust Browsing for QR Scans | Enforce isolated, inspected browser sessions for external links. | Implement Secure Web Gateways (SWG) or SASE platforms like Zscaler. |
| Cryptographic Signing of Critical QR Codes | Sign QR codes digitally to ensure authenticity and prevent tampering. | Follow NIST Digital Signature Guidelines and use trusted PKI solutions for QR code generation. |
| Human Risk Scoring and Targeted Training | Continuously assess employee risk and customize security awareness. | Track performance with Keepnet's Human Risk Management Platform and personalize retraining campaigns. |
Table 1: How to Prevent a Successful Quishing Attack
Please watch this video from YouTube and learn more about quishing and how to protect yourself.
3 Reasons QR Code Phishing Attacks Are Growing in Popularity
The rapid rise of QR code phishing attacks can be attributed to several factors that make them attractive to cybercriminals. Here are three key reasons why these attacks are becoming more common:
- Widespread QR Code Adoption: The global pandemic fueled a surge in contactless transactions, making QR codes a go-to tool for everything from restaurant menus to payments. Phishing scams have taken advantage of this growing trend.
- Bypassing Security Measures: Unlike URLs, QR codes are not easily checked or previewed, allowing them to slip past email security filters and other detection systems.
- Ease of Creation: Crafting a malicious QR code requires little technical skill, enabling attackers to quickly set up phishing campaigns with minimal effort.
Real-Life Examples of Quishing Attacks
Here are some real life examples of QR code phishing attacks:
Energy-sector Case Study
In May 2023, a major QR code phishing attack targeted a U.S. energy company. Attackers sent fake Microsoft emails with QR codes, urging users to update security or enable multi-factor authentication (MFA). Scanning the code led victims to a fake Microsoft login page, compromising over 100 accounts.
FedEx Quishing Case Study
Similarly, a FedEx quishing attack was discovered by Keepnet, where scammers tricked users into scanning a QR code, redirecting them to fake websites designed to steal personal and financial information.
Both attacks highlight how widespread industries and trusted brands are being exploited.
Stay Safe from QR Code Scams with Keepnet Extended Human Risk Management
To stay ahead of the growing threat of QR phishing, businesses must implement proactive security measures. Keepnet offers advanced tools like the Quishing Simulator, allowing organizations to simulate real-world quishing attacks and educate employees on identifying malicious QR codes. Keepnet phishing simulators further enhances your team’s ability to recognize and stop phishing threats before they escalate.
Train your employees to increase awareness by up to 90% with Keepnet’s Quishing Simulator. Empower your team to detect and avoid phishing attacks before they lead to costly breaches.
Explore Keepnet Extended Human Risk Management Platform and discover how our defense solutions can safeguard your business from phishing attacks.
Editor's note: This article was updated on May 17, 2025.
SHARE ON