Keepnet Labs Logo
Menu
HOME > blog > understanding quishing

What is Quishing (QR Phishing)?

In 2025, quishing rose 25 % YoY and now accounting for 1 in every 8 credential-harvest campaigns.​ Learn what quishing is, how it works, and how to prevent your organization from these threats

What is Quishing (QR Phishing)?

In 2025, QR code phishing attacks, commonly known as quishing, have become one of the fastest-growing cyber threats. According to 2025 statistics—quishing is up 25 % YoY and now accounts for 1 in every 8 credential-harvest campaigns.​

Cybercriminals are now targeting unsuspecting users by embedding malicious links inside QR codes, making them appear harmless and impossible to preview at first glance. With more people using QR codes daily for everything from payments to restaurant menus, the rise of quishing should be on every CISO's radar.

This blog post will first define quishing attacks, then explain how these attacks work and reveal the strategies organizations can employ to prevent quishing.

Definition of QR Code Phishing

Defining quishing helps recognize the dangers of QR code phishing. Quishing, a combination of “QR code” and “phishing,” refers to a deceptive cyberattack tactic where malicious actors exploit QR codes to redirect users to fraudulent websites, harvest sensitive data, or install malware.

Unlike traditional phishing, which relies on email or text links, quishing leverages the perceived trustworthiness of QR codes—commonly used in menus, ads, and payment systems—to trick users into scanning compromised codes. These codes, often embedded in fake promotions, counterfeit packaging, or tampered public posters, direct victims to spoofed login pages or malicious downloads, putting personal information, financial accounts, and device security at risk.

How Quishing Works and How to Combat It

Quishing attacks thrive on social engineering, capitalizing on the convenience of QR codes to bypass user caution. For example, a scammer might replace a legitimate restaurant menu’s QR code with one leading to a phishing site mimicking a payment portal.

To mitigate risks, users should verify QR code sources, avoid scanning codes from untrusted locations, and use QR scanner apps with built-in security checks. Businesses can combat quishing by securing physical QR codes with tamper-proof labels and educating customers about this evolving threat. As QR code adoption grows, awareness and proactive cybersecurity practices are critical to thwarting quishing attempts.

How Does Quishing Work in 2025?

In 2025, attackers have become even more sophisticated by leveraging AI technologies to generate realistic quishing lures at scale. Cybercriminals now use AI to create branded QR codes, craft personalized phishing pages, and even deploy deepfake overlays on printed materials like event posters and restaurant menus.

These AI-enhanced attacks are harder to detect with traditional methods, requiring organizations to adopt smarter defenses. Solutions like Keepnet’s AI-driven Quishing Simulator is essential, test and train employees from scanning QR codes for hidden threats and proactively identifying phishing attempts before employees fall victim.

A typical quishing attack follows these steps:

  1. A QR code is placed in an email, website, or on a poster.
  2. The user scans it, thinking it's legitimate.
  3. It directs them to a phishing site disguised as a real login page.
  4. Attackers then collect credentials, banking details, or sensitive data.
Picture 1: Quishing Attack Chain
Picture 1: Quishing Attack Chain

ATT&CK Techniques Quishing Uses

Here is the table showing the list the ATT&CK techniques quishing uses, helping CISOs align with frameworks.

MITRE Technique IDTechnique NameRelevance to Quishing
T1566.002Phishing: Spearphishing LinkUsed to deliver malicious URLs via QR codes.
T1204.001User Execution: Malicious LinkUsers scan the code and unknowingly activate the attack.
T1555.003Credentials from Web BrowsersPhishing sites harvest saved credentials via fake login prompts.
T1059.003Command and Scripting Interpreter: Windows ShellMalware may execute commands post-scan (if exploit is successful).
T1082System Information DiscoveryPayloads may gather data from the victim’s device post-compromise.

Table 2: MITRE ATT&CK Mapping for Quishing Attacks

Quishing attacks thrive on social engineering, capitalizing on the convenience of QR codes to bypass user caution. For example, a scammer might replace a legitimate restaurant menu’s QR code with one leading to a phishing site mimicking a payment portal.

These attacks often bypass email security filters, making QR phishing a growing concern in 2025.

A sample QR Code Phishing Attack Targeting LinkedIn Users .png
Picture 1: A sample QR Code Phishing Attack Targeting LinkedIn Users

How Quishing Differs from Traditional Phishing?

At its core, quishing is still phishing—but with a twist. Traditional phishing attacks rely on clickable links in emails or messages, which many email security gateways can now detect. With quishing, the malicious URL is encoded inside the QR code itself, bypassing these protections. The victim still interacts with a fake website, but the QR code adds an extra layer of deception.

Here are the key differences between quishing and traditional phishing:

  • Hidden Links: In quishing, the malicious link is hidden in the QR code, making it impossible for users to preview or verify before scanning.
  • Bypassing Secure Email Gateways: Traditional phishing relies on detectable URLs. Quishing evades many email security filters because the harmful link is embedded within the QR code. Learn more about how email security threats bypass defenses.
  • Trust Factor: Many users have built trust with QR codes, especially post-pandemic, making them less cautious about scanning.
 On 15 February 2024, hackers used QR code phishing emails to attack some companies.jpeg
Picture 2: On 15 February 2024, hackers used QR code phishing emails to attack some companies

2025 Regulatory & Industry Warnings

As QR code phishing (quishing) attacks escalate in 2025, global regulatory bodies and cybersecurity authorities have issued critical warnings to help individuals and organizations recognize and mitigate these threats.​

FTC: Malicious QR Codes in Unsolicited Packages

In January 2025, the U.S. Federal Trade Commission (FTC) alerted consumers to a new scam involving unexpected packages containing QR codes. These codes, when scanned, direct recipients to phishing websites designed to steal personal information or install malware on their devices. The FTC advises caution when receiving unsolicited packages and recommends verifying the source before scanning any QR codes (Source). ​

FBI: Rise in QR Code Scams

The FBI has observed a significant increase in QR code-related scams. Cybercriminals are tampering with legitimate QR codes or creating fraudulent ones to redirect users to malicious sites, steal credentials, or install malware. The FBI recommends inspecting QR codes for signs of tampering and using security software that can scan QR codes for potential threats (Source). ​

NCSC (UK): Growing Threat of 'Quishing'

The UK's National Cyber Security Centre (NCSC) has highlighted the growing threat of 'quishing'—phishing attacks that utilize QR codes. Criminals embed malicious links within QR codes, often bypassing traditional security filters. The NCSC advises caution when scanning QR codes, especially those received via email or found in public places, and recommends using built-in phone scanners that preview URLs before opening (Source). ​

Financial Institutions and Regulators: Surge in 'Quishing' Attacks

Major banks and regulatory bodies, including Santander, HSBC, TSB, the UK's NCSC, and the U.S. FTC, have raised concerns over the surge in 'quishing' attacks. These scams often involve QR codes embedded in emails or physical locations, leading unsuspecting users to phishing sites. The institutions emphasize the importance of public awareness and caution when interacting with QR codes, especially those from unknown sources (Source). ​

These warnings underscore the importance of vigilance and proactive measures in combating the evolving threat landscape of QR code phishing in 2025.

What Attack Types Are Executed With a Malicious QR Code?

Malicious QR codes can execute a variety of cyberattacks beyond just phishing:

Redirect to Phishing Sites

Scanning the code sends users to a fraudulent website, where they may be tricked into entering login credentials or personal information.

QR Code Phishing Redirect Users to a Fake LinkedIn Page.png
Picture 3: QR Code Phishing Redirect Users to a Fake LinkedIn Page

Malware Downloads

Some QR codes can trigger automatic downloads, planting malware or ransomware on the device. Explore how ransomware attacks affect businesses.

Device Data Extraction

Advanced quishing attacks may use QR codes to extract sensitive data directly from a device, such as location information or other private data.

Static vs. Dynamic Codes

Not all QR codes are created equal. Understanding the difference between static and dynamic QR codes is critical for recognizing quishing risks.

Static QR Codes are fixed — once generated, their embedded information (such as a URL) cannot be changed. They are often printed on physical materials like flyers, restaurant menus, or product packaging. While static codes are less flexible for legitimate use, they are generally safer because any tampering requires replacing the entire code.

Dynamic QR Codes, on the other hand, are much more versatile — they store a short URL that redirects users to a destination controlled by the code creator. This means the final URL can be changed at any time without altering the QR code image itself. Although this flexibility is valuable for businesses (for marketing, payments, and event check-ins), it also presents a serious security risk. Cybercriminals can compromise the backend system hosting a dynamic QR code, silently redirecting users to malicious websites without needing to replace or alter the code on public-facing materials.

Why It Matters:

  • Tampering Risks: Static codes must be physically altered to change the destination, making unauthorized changes easier to spot. Dynamic codes can be compromised invisibly.
  • Attack Surface: Dynamic codes expand the attack surface because they rely on web infrastructure that could be hacked.
  • Mitigation Strategies: Organizations should cryptographically sign critical QR codes, prefer static codes for sensitive transactions, and regularly monitor dynamic link endpoints for suspicious changes.

In short, while dynamic QR codes offer convenience and tracking capabilities, they also introduce an invisible layer of risk that attackers are increasingly exploiting in 2025.

How Do Scammers Use QR Codes?

Scammers use QR codes in several simple but sneaky ways. One common tactic is sending emails that look like they’re from trusted brands, asking you to scan a QR code for urgent updates or special deals. When you scan the code, it takes you to a fake website to steal your login details.

Scammers also put harmful QR codes on posters or flyers in public places. People scan them, thinking they’re getting something useful, but end up on a phishing site instead. Sometimes, scammers even change real ads by adding their own fake QR codes, tricking people into visiting dangerous websites.

Red-Team Corner: How Attackers Tamper with QR Codes in the Wild

Penetration testers and real-world attackers often use physical tampering techniques to exploit QR code trust. One common tactic involves printing fake QR code stickers and carefully placing them over legitimate QR codes in public spaces—such as restaurant menus, event posters, parking meters, and hotel lobbies.

Because the appearance of the original material remains intact, users rarely notice anything unusual. Advanced attackers even mimic branding (like company logos) to maintain credibility.

For businesses, this highlights the need for regular inspections of physical QR code placements, tamper-proof designs (like holographic labels), and staff training to spot suspicious modifications before customers fall victim.

How to Detect a Quishing Attack?

Detecting quishing attacks can be difficult, but there are some red flags to watch for:

  • Unfamiliar sources: Be cautious of scanning QR codes from unverified sources or in unsolicited emails.
  • Urgency: Just like in traditional phishing, quishing often uses language that creates a sense of urgency, such as “scan this code to verify your account” or “act within 24 hours.”
  • Lack of context: If a QR code appears out of place or unnecessary, avoid scanning it. Always question why you’re being asked to scan a code.
  • Preview the URL: Some QR scanners provide an option to preview the URL before navigating to the site. Always check the URL and ensure it’s legitimate.

How to Prevent a Successful Quishing Attack?

Stopping quishing attacks requires more than just employee caution — it demands layered defenses combining smart controls, proven techniques, and powerful tools. Below is a practical guide to strengthening your organization’s protection against QR code phishing:

ControlTechniqueTooling Example
QR Code Source VerificationOnly use trusted, verified QR codes. Physically inspect for tampering.Security training using Keepnet's Quishing Simulator to educate employees on real-world detection.
URL Preview Before NavigationUse QR scanners that display the destination URL before opening.Deploy mobile security apps or recommend built-in QR scanning with URL preview features (iOS, Android).
Dynamic Link MonitoringContinuously monitor dynamic QR codes for changes or malicious redirects.Integrate Keepnet’s Phishing Threat Protection or other real-time link analysis services.
Endpoint ProtectionDetect and block malware from compromised QR links.Enable Mobile Device Management (MDM) with endpoint protection suites such as CrowdStrike, Microsoft Defender.
Zero-Trust Browsing for QR ScansEnforce isolated, inspected browser sessions for external links.Implement Secure Web Gateways (SWG) or SASE platforms like Zscaler.
Cryptographic Signing of Critical QR CodesSign QR codes digitally to ensure authenticity and prevent tampering.Follow NIST Digital Signature Guidelines and use trusted PKI solutions for QR code generation.
Human Risk Scoring and Targeted TrainingContinuously assess employee risk and customize security awareness.Track performance with Keepnet's Human Risk Management Platform and personalize retraining campaigns.

Table 1: How to Prevent a Successful Quishing Attack

Please watch this video from YouTube and learn more about quishing and how to protect yourself.

3 Reasons QR Code Phishing Attacks Are Growing in Popularity

The rapid rise of QR code phishing attacks can be attributed to several factors that make them attractive to cybercriminals. Here are three key reasons why these attacks are becoming more common:

  1. Widespread QR Code Adoption: The global pandemic fueled a surge in contactless transactions, making QR codes a go-to tool for everything from restaurant menus to payments. Phishing scams have taken advantage of this growing trend.
  2. Bypassing Security Measures: Unlike URLs, QR codes are not easily checked or previewed, allowing them to slip past email security filters and other detection systems.
  3. Ease of Creation: Crafting a malicious QR code requires little technical skill, enabling attackers to quickly set up phishing campaigns with minimal effort.

Real-Life Examples of Quishing Attacks

Here are some real life examples of QR code phishing attacks:

Energy-sector Case Study

In May 2023, a major QR code phishing attack targeted a U.S. energy company. Attackers sent fake Microsoft emails with QR codes, urging users to update security or enable multi-factor authentication (MFA). Scanning the code led victims to a fake Microsoft login page, compromising over 100 accounts.

In May 2023, a significant QR code phishing campaign targeted a major U.S. .jpg
Picture 3: In May 2023, a significant QR code phishing campaign targeted a major U.S.

FedEx Quishing Case Study

Similarly, a FedEx quishing attack was discovered by Keepnet, where scammers tricked users into scanning a QR code, redirecting them to fake websites designed to steal personal and financial information.

 In January 2024, QR Code Phishing Scams Targeted Some of Keepnet’s Customers .jpeg
Picture 4: In January 2024, QR Code Phishing Scams Targeted Some of Keepnet’s Customers

Both attacks highlight how widespread industries and trusted brands are being exploited.

Stay Safe from QR Code Scams with Keepnet Extended Human Risk Management

To stay ahead of the growing threat of QR phishing, businesses must implement proactive security measures. Keepnet offers advanced tools like the Quishing Simulator, allowing organizations to simulate real-world quishing attacks and educate employees on identifying malicious QR codes. Keepnet phishing simulators further enhances your team’s ability to recognize and stop phishing threats before they escalate.

Train your employees to increase awareness by up to 90% with Keepnet’s Quishing Simulator. Empower your team to detect and avoid phishing attacks before they lead to costly breaches.

Explore Keepnet Extended Human Risk Management Platform and discover how our defense solutions can safeguard your business from phishing attacks.

Editor's note: This article was updated on April 29, 2025.

SHARE ON

twitter
linkedin
facebook

Schedule your 30-minute private demo now.

You'll learn how to:
tickSimulate advanced quishing attacks to enhance your employees' ability to recognize and respond to phishing threats.
tickTailor quishing templates to fit your organization’s specific needs, improving awareness and resilience across your team.
tickMonitor user responses to phishing simulations and calculate a human risk score to evaluate and improve your organization's security posture.

Frequently Asked Questions

Can someone steal your info with a QR code?

arrow down

Yes, someone can steal your information using a QR code. Scanning a malicious QR code can redirect you to a phishing site, where attackers trick you into entering sensitive details like login credentials or financial information. It can also trigger malware downloads that compromise your device and data. Always verify the source before scanning a QR code.

Can someone hack my iPhone with a QR code?

arrow down

Yes, someone can potentially hack your iPhone with a malicious QR code. Scanning a harmful QR code could direct you to a website that exploits security vulnerabilities or downloads malware onto your device. Always use caution and verify the source before scanning any QR code.

How Can Businesses Effectively Combat QR Code Phishing Threats?

arrow down

Businesses can combat QR code phishing by educating employees, using advanced security software, conducting regular security audits, and employing tools like Quishing simulators for training.

Why is quishing more dangerous than traditional phishing?

arrow down

Quishing attacks pose a greater risk because QR codes obscure malicious links, making them harder to detect before scanning. Unlike traditional phishing emails, which users can inspect for suspicious URLs, QR phishing bypasses email security filters by embedding harmful links within QR codes. This tactic exploits user trust and familiarity with QR technology, increasing the likelihood of a successful attack.

Can QR code phishing attacks spread malware?

arrow down

Yes, some quishing attacks do more than just steal login credentials—they can also trigger automatic malware downloads. Once a malicious QR code is scanned, it may redirect the user to a compromised website that installs spyware, ransomware, or other forms of malware onto their device. This can result in data theft, system vulnerabilities, or unauthorized access to corporate networks.

How can I verify a QR code before scanning?

arrow down

To stay safe from QR code phishing, use a trusted QR scanner that allows you to preview the destination URL before opening it. Additionally, check for any signs of tampering, such as stickers placed over legitimate QR codes or suspiciously placed codes in public areas. Avoid scanning QR codes from unsolicited emails or messages, as these are common tactics in quishing scams.

What industries are most targeted by quishing?

arrow down

Quishing scams are especially prevalent in industries dealing with sensitive data, such as finance, healthcare, and corporate sectors. Cybercriminals target these fields because they hold valuable customer information, financial records, and proprietary business data. Organizations in these industries should take proactive steps to educate employees and implement strong security measures against QR code phishing threats.

How can businesses train employees to recognize quishing?

arrow down

The best way to protect against quishing attacks is through security awareness training and quishing simulations. Businesses should educate employees on how QR code phishing works, how to verify QR codes before scanning, and what red flags to watch for. Using a Quishing Simulator, companies can test their workforce’s ability to detect and respond to these attacks, reducing the risk of falling victim to malicious QR codes.

Can hackers modify legitimate QR codes to launch quishing attacks?

arrow down

Yes, cybercriminals can tamper with legitimate QR codes by placing fraudulent stickers over them or modifying digital versions in emails and websites. These altered QR codes redirect users to phishing websites or malware-infected downloads. Businesses should regularly check physical QR codes in public areas and verify digital QR codes before interacting with them.

What should I do if I accidentally scan a malicious QR code?

arrow down

If you scan a quishing QR code, immediately exit the website without entering any information. Then, run a security scan on your device to check for malware. If you entered any login credentials, change your passwords immediately and enable multi-factor authentication (MFA) to protect your accounts. Reporting the incident to your IT security team can also help prevent further attacks.