What Is Quishing? How QR Code Phishing Attacks Work in 2026

By Fanny Engriana · 9 min read · 8 views

What Is Quishing? How QR Code Phishing Attacks Work in 2026 (And How to Stop Them)

Disclaimer: This article is for educational purposes only. The attack techniques described are presented to help you recognize and defend against them. Never attempt to replicate these methods on systems you do not own or have explicit written permission to test.

When I added QR code payment integration to a client's e-commerce marketplace project two years ago, the implementation looked simple on the surface: generate a code, point it to a payment URL, done. But somewhere in that workflow, I started thinking about what happens when the QR code itself becomes the weapon. That question took on new urgency in January 2026, when the FBI's Internet Crime Complaint Center (IC3) released a formal flash alert warning about North Korean state-sponsored actors using malicious QR codes in targeted spear-phishing campaigns against think tanks, universities, and government entities.

If nation-state hackers are betting on QR codes, it's worth understanding exactly how this attack works — and why it bypasses the defenses most people already have in place.


The Attack Has a Name: Quishing

Quishing (a portmanteau of "QR code" and "phishing") is a phishing attack where a malicious URL is encoded inside a QR code image rather than typed out as a clickable link. The target scans the code — usually with their phone — gets redirected to a fake login page or malware download, and the attacker captures credentials, installs spyware, or initiates payment fraud.

The mechanic sounds basic. The reason it works so well in 2026 is structural: most corporate email security gateways are built to scan text. They extract URLs from email bodies, check them against blocklists, and flag anything suspicious. A QR code is an image. The malicious URL is hidden inside a pixel matrix that text-based scanners cannot parse. The email looks clean to the gateway and lands in the inbox.

According to Keepnet Labs' 2025 threat analysis, QR phishing attacks increased fivefold over the year, with 12% of all phishing emails now containing a QR code. ZenSec tracked 1.7 million unique malicious QR codes embedded in attachments in 2025 alone. These aren't fringe experiments — they're a scaled, production-grade attack class.


How a Quishing Attack Unfolds — Step by Step

Understanding the attack chain is the first step to breaking it. Here's how a typical quishing campaign runs:

Step 1: The Lure

The attacker crafts an email that appears to come from a trusted source — Microsoft 365, a bank, a delivery service, HR, or even a C-suite executive. The email contains urgency language: "Your account has been locked," "Verify your identity to avoid suspension," "Scan to confirm your delivery address." Instead of a clickable link, there's a QR code image embedded in the email body or attached as a PDF.

Step 2: The Pivot to Mobile

This is the clever part. The target is sitting at a corporate laptop with endpoint protection, a monitored browser, and an enterprise proxy. By asking them to scan a QR code, the attacker shifts the action to the target's personal smartphone — a device that almost certainly lacks corporate monitoring, runs outside the enterprise proxy, and has weaker phishing detection in its mobile browser. The attack deliberately jumps networks to escape oversight.

Step 3: Credential Harvest or Malware Install

The QR code redirects to a convincing replica of a login page — Microsoft, Google Workspace, a banking portal, or a two-factor authentication confirmation screen. The target enters their credentials. In more sophisticated campaigns, attackers use adversary-in-the-middle (AiTM) proxies that capture not just the password but the live session cookie, bypassing MFA entirely. In other cases, the link triggers a drive-by download of a mobile infostealer.

Step 4: Exploitation

With stolen credentials or a valid session cookie, the attacker logs in, pivots through connected services (email, cloud storage, payroll systems), and either exfiltrates data or plants ransomware through the now-compromised account.


Across the 50+ projects we've shipped at wardigi.com — spanning hotel management, digital pawnshop systems, e-commerce, and HR payroll — I've noticed a consistent pattern: organizations invest heavily in desktop endpoint security and almost nothing in managing what their staff does on personal phones. Employees check work email on personal devices, scan documents, and interact with business-critical apps outside any corporate security perimeter.

In our SmartExam AI Generator and BizChat Revenue Assistant projects, we integrated QR-based access flows specifically because they're frictionless on mobile. That frictionlessness is exactly what attackers exploit. A user conditioned to scan QR codes for legitimate app features develops a muscle memory that quishing campaigns hijack.

The FBI IC3 January 2026 flash alert made this explicit: sophisticated actors deliberately use QR codes to "force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls."


Real-World Quishing Scenarios You Need to Know

1. Fake Parking Payment Meters

Attackers place sticker QR codes over legitimate ones at parking meters, restaurant tables, and retail checkout points. The fake code leads to a cloned payment page. In one documented 2025 incident, a chain of 200 stores suffered $2.3 million in damage control costs after fraudulent QR stickers were placed at checkout stations.

2. HR and Payroll Impersonation

Employees receive emails claiming they must scan a QR code to update direct deposit details or confirm benefits enrollment. The landing page captures both credentials and banking information.

3. Package Delivery Scams

An email claiming a DHL, FedEx, or local courier held a delivery includes a QR code to "reschedule." The code leads to a credential page or charges a fake "storage fee."

4. State-Sponsored Spear-Phishing

As documented by the FBI in January 2026, Kimsuky (a North Korean threat actor) sent targeted quishing emails to researchers and government staff, with QR codes delivering credential-harvesting pages tailored to the victim's specific organization. These campaigns used contextual details to appear legitimate to sophisticated targets.

5. Multi-Factor Authentication Bypass

AiTM quishing attacks work in real time: the attacker's server proxies the victim's credentials to the real site, relays the MFA prompt, and captures the resulting session token. The MFA fires and completes — but the attacker owns the session. This is why the FBI recommends phishing-resistant MFA (hardware keys, FIDO2) rather than SMS or TOTP codes.


How to Protect Yourself — Practical Defenses That Actually Work

From 11+ years evaluating security controls in production environments — including systems that handle real financial transactions in our Digital Pawnshop and Smart POS platforms — here's what I'd actually recommend, ranked by impact:

1. Always Preview the URL Before Tapping

Every modern smartphone camera shows you the decoded URL before you open it. This is your only window. Read it. Look for typosquatted domains (micros0ft.com, paypa1.com, googIe.com with a capital "I"), URL shorteners (bit.ly, t.co) in contexts where a legitimate business would never use them, and domains that don't match the organization in the email.

If the URL looks right, still ask: did I expect to scan a QR code today? Legitimate banks, payroll systems, and corporate IT departments rarely initiate contact via QR code.
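The checks in this step can be written down. Added example (not code from the article or from wardigi.com), in Python: triage a decoded QR URL for the typosquat, shortener and sender-mismatch signals described above. The brand list, shortener list and claimed sender domain are assumptions; the same checks apply to URLs a QR-aware gateway extracts from attachments.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed lists for this example (assumptions, not values from the article).
PROTECTED_BRANDS = {"microsoft.com", "paypal.com", "google.com", "dhl.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
# Fold characters attackers swap in for look-alike letters: micros0ft, paypa1, googIe.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the brands above, not for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def impersonated_brand(domain: str) -> Optional[str]:
    """Return the brand a domain imitates once look-alike characters are folded, else None."""
    if domain in PROTECTED_BRANDS:
        return None  # the genuine domain
    folded = domain.lower().translate(HOMOGLYPHS)
    for brand in PROTECTED_BRANDS:
        if folded == brand.translate(HOMOGLYPHS):
            return brand
    return None


def triage(url: str, claimed_sender_domain: str) -> List[str]:
    """List the reasons a decoded QR URL deserves suspicion; an empty list means nothing was flagged."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append(f"non-HTTPS scheme '{parts.scheme or 'none'}'")
    if not host:
        findings.append("no hostname in URL")
        return findings
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a domain")
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        findings.append(f"shortener {domain} hides the real destination")
    brand = impersonated_brand(domain)
    if brand:
        findings.append(f"{domain} is a look-alike of {brand}")
    if domain != registrable_domain(claimed_sender_domain):
        findings.append(f"{domain} does not match the claimed sender {claimed_sender_domain}")
    return findings
```

A clean result is not proof of safety: it only means none of these cheap signals fired, so the "did I expect a QR code today?" question still applies.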

2. Use a QR Scanner That Shows Full URLs

Your default camera app is fine for most cases, but dedicated scanner apps like Kaspersky QR Scanner or Trend Micro QR Scanner run the decoded URL against a threat intelligence feed before opening it. I'd recommend Trend Micro QR Scanner on both iOS and Android — it flags known malicious URLs, shortener obfuscation, and suspicious redirect chains.

3. Enable Phishing-Resistant MFA

TOTP codes (Google Authenticator, Authy) and SMS codes can be intercepted by AiTM quishing attacks. A hardware security key (YubiKey, Google Titan) or a passkey bound to your device is cryptographically tied to the legitimate domain. An attacker proxying your credentials through a fake site cannot satisfy the FIDO2 challenge because the origin domain doesn't match. CISA's 2025 phishing guidance explicitly recommends this as the highest-priority MFA upgrade.
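Why the origin check defeats an AiTM proxy can be shown in a few lines. Added example (not code from the article), in Python: a stripped-down WebAuthn assertion and relying-party verification in which the browser writes the real origin into clientDataJSON and the authenticator signs over its hash. The RP ID, origins and key are assumptions, and an HMAC stands in for the authenticator's per-site key pair so the script needs only the standard library.

```python
import hashlib, hmac, json, os

# Assumptions for this example: one relying party; HMAC replaces the real public-key signature.
RP_ID = "login.example"
EXPECTED_ORIGIN = "https://login.example"
AUTHENTICATOR_KEY = os.urandom(32)


def client_data_json(origin: str, challenge: bytes) -> bytes:
    """The browser, not the page, records the origin the user is actually on."""
    data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    return json.dumps(data, sort_keys=True).encode()


def authenticator_assert(origin: str, challenge: bytes) -> dict:
    """Sign authenticatorData || SHA-256(clientDataJSON); rpIdHash ties the assertion to the site."""
    client_data = client_data_json(origin, challenge)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash + user-present flag
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(assertion: dict, challenge: bytes) -> str:
    """Relying-party checks in the order WebAuthn prescribes; returns 'ok' or the failing check."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if cd.get("challenge") != challenge.hex():
        return "challenge mismatch"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "bad signature"
    return "ok"


def relayed_through_lookalike(challenge: bytes) -> str:
    """AiTM case: the proxy forwards the real challenge, but the signed origin is the proxy's."""
    return rp_verify(authenticator_assert("https://login-example.evil.test", challenge), challenge)


def origin_rewritten_by_proxy(challenge: bytes) -> str:
    """If the proxy edits clientDataJSON to claim the real origin, the signature no longer covers it."""
    assertion = authenticator_assert("https://login-example.evil.test", challenge)
    assertion["client_data"] = client_data_json(EXPECTED_ORIGIN, challenge)
    return rp_verify(assertion, challenge)
```

In a real browser the proxied flow fails even earlier, because the browser refuses to invoke the authenticator when the RP ID is not a registrable suffix of the page's origin; the server-side check above is the backstop.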

4. Physically Inspect QR Codes in Public

At parking meters, restaurant tables, and ATMs: look for stickers placed over the original surface. A legitimate code is usually printed on the machine itself, not added afterward. If you see a sticker, don't scan it — use the business's official app or website instead.

5. Report Suspicious QR Codes at Work

If you receive an unexpected email with a QR code from what appears to be your employer, bank, or IT department, call the sender on a number you already have (not one in the email) before scanning. The FBI recommends establishing clear internal reporting protocols specifically for QR code phishing attempts.

6. Keep Mobile OS and Browser Updated

Several quishing campaigns use drive-by download exploits targeting unpatched WebKit (Safari) and Blink (Chrome) vulnerabilities. Staying current on iOS and Android security patches directly cuts the attack surface. This is not optional β€” it is the minimum baseline.

7. For Organizations: Deploy QR-Aware Email Security

Standard Secure Email Gateways (SEGs) are blind to quishing. Look for solutions that extract and analyze QR code content from email bodies and attachments — vendors including Microsoft Defender for Office 365 (Safe Links for QR), Proofpoint QR Detection, and Abnormal Security have added specific quishing detection. If your organization runs its own email infrastructure (as several of our clients do using Laravel-based mail systems), consider layering a commercial scanner API that processes inbound attachments before delivery.


A Note on QR Codes in Your Own Projects

When I integrated QR-based login and payment flows into client projects — including a hotel management suite and an e-commerce marketplace built on Laravel and Vue.js — I added a few safeguards worth mentioning:

  • Short expiry windows: QR codes for authentication expire in 60–120 seconds. An attacker who intercepts or screenshots the code gets a useless token within two minutes.
  • Binding to session context: The backend validates that the QR scan came from the same geographic region and device class as the initiating session. Unusual pivots (desktop session in Jakarta, QR scan from a different country) trigger a re-authentication challenge.
  • Visual branding that's hard to clone: Embedded logos and custom color patterns in QR codes don't affect decodability but raise the bar for convincing fakes. A user who's seen your branded code will notice a plain black-and-white replica.
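The first two safeguards can be shown in code. Added example (not code from the article's Laravel projects), in Python: issue a QR login token whose HMAC-signed claims are bound to the initiating session's region and device class with a 90-second expiry, then validate a scan against it. The signing key, TTL, region labels and the single-use nonce check are assumptions added here.

```python
import base64, binascii, hashlib, hmac, json, os, time
from typing import Optional

SECRET = os.urandom(32)   # assumed server-side signing key
TTL_SECONDS = 90          # inside the 60-120 s window the article describes
_USED_NONCES = set()      # single-use check, an addition beyond the article's list


def _mac(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_qr_token(session_id: str, region: str, device_class: str, now: Optional[float] = None) -> str:
    """Value to encode in the QR image: signed claims bound to the session that requested it."""
    now = time.time() if now is None else now
    claims = {"sid": session_id, "region": region, "dev": device_class,
              "exp": int(now + TTL_SECONDS), "nonce": os.urandom(8).hex()}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)


def validate_scan(token: str, scan_region: str, scan_device_class: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'reauth' (context pivot: step-up challenge) or the reason the scan is rejected."""
    try:
        body, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return "malformed"
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):  # verify before trusting claims
        return "tampered"
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if now > claims["exp"]:
        return "expired"
    if claims["region"] != scan_region or claims["dev"] != scan_device_class:
        return "reauth"      # desktop session in one country, scan from another: challenge, don't log in
    if claims["nonce"] in _USED_NONCES:
        return "replayed"    # a screenshot of the code cannot be redeemed a second time
    _USED_NONCES.add(claims["nonce"])
    return "ok"
```

In production the nonce set lives in a store shared by all app servers (and is pruned after TTL_SECONDS), otherwise a token can be redeemed once per server.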

None of these are foolproof, but they reduce the window of exploitability and add friction that deters opportunistic attackers.


What To Do If You Scanned a Malicious QR Code

If you scanned a suspicious code and entered credentials:

  1. Change your password immediately on the real service using a different, trusted device.
  2. Revoke active sessions — most modern services (Google, Microsoft, Facebook) have a "Sign out of all devices" option under security settings.
  3. Check for unauthorized app access — review third-party apps with OAuth access to your account and revoke anything unfamiliar.
  4. Enable phishing-resistant MFA on the account if not already active.
  5. Report to the FBI IC3 at ic3.gov if you believe you were targeted by a criminal or state-sponsored actor.
  6. Factory reset your phone if you believe malware was installed during the scan. Back up contacts and photos to cloud first, but do not restore apps from a backup — reinstall them fresh from the official app store.

Bottom Line

Quishing works because it turns a familiar, trusted interaction — scanning a QR code — into an attack vector that bypasses most technical defenses by pivoting to mobile. The fivefold growth in 2025 and the FBI's January 2026 warning about state-sponsored campaigns signal that this is not a passing trend.

The defenses are not complicated: preview URLs before tapping, use phishing-resistant MFA, keep your phone updated, and treat any unexpected QR code in an email with the same skepticism you'd apply to an unsolicited link. The attackers are counting on the habitual scan. Don't give them that habit.

If you're a developer integrating QR codes into production systems, add expiry, session binding, and anomaly detection to your implementation. The UX cost is minimal; the security gain is substantial.


Sources:

  • FBI IC3 Flash Alert AC-000001-MW, January 8, 2026 — ic3.gov
  • CISA Phishing Guidance — cisa.gov
  • FCC: Juice Jacking and QR Code Safety Tips — fcc.gov
  • Keepnet Labs QR Phishing Statistics 2025 — keepnetlabs.com
  • Acronis: QR Code Phishing 2026 Battlefield — acronis.com
  • Cloud Security Alliance: Rise of QR Code Phishing — cloudsecurityalliance.org

This article is intended for educational purposes. The author does not endorse or condone unauthorized testing of security techniques on third-party systems.
