Quishing: Why QR Code Phishing Slips Past Your Filters, and How to Stop It

Here is a threat that has quietly climbed to the top of the phishing charts in 2026, and most small-business owners have never heard its name. It is called "quishing," short for QR code phishing, and reporting this month put it at its highest level yet. The reason it has exploded is not that QR codes are new (you have scanned dozens to see a menu or pay for parking); it is that the humble QR code turns out to be a near-perfect way to sneak a malicious link past the security tools businesses spent years building. Let me explain why it works so well, including the unsettling physical-world version, and the handful of habits that stop it.

What quishing actually is

Strip away the jargon and quishing is just phishing with a costume. Ordinary phishing sends you a link, hoping you will click it and type your password into a fake page. Quishing does the exact same thing (fake page, stolen password), but instead of a link you could see and inspect, it gives you a QR code: a little square of pixels that is really a web address in disguise. You scan it with your phone, a convincing fake login or payment page opens, and whatever you type goes to the attacker. The end goal (your Microsoft password, your card number) is identical to old-school phishing. Only the delivery changed. And that change is the whole point.

Why it slips past your security

This is the part that makes quishing genuinely clever, and worth understanding even if you never touch the technical side of your IT.

  • A QR code is an image, not a link. Your email security works largely by reading the text and web addresses in a message and blocking known-bad ones. A QR code is a picture of a link, so the dangerous destination is not there as text for the filter to catch. The malicious address is hidden in plain sight, and the gateway waves it through.
  • It jumps to the least-protected device you own. To scan a code you reach for your phone, very often a personal phone, which usually has no corporate email filtering, no managed endpoint protection, and no IT oversight at all. The attack deliberately hops off the protected work computer and onto the device with the fewest defenses.
  • The small screen hides the truth. On a phone, the real web address is short, truncated, and easy to ignore, so a lookalike domain that you might catch on a desktop browser slides right by.

Put those together and you see the appeal: quishing sidesteps the email defenses designed for link-based phishing, then lands the victim somewhere nobody is watching. It is the same evasion logic behind the help-desk and impersonation tricks in our Teams impersonation post, applied to a new channel.

What the bait looks like

The emails are designed to make scanning feel routine and urgent at the same time. Common pretexts we see: a "you have a new document to review" notice dressed up as DocuSign or Adobe; a "your Microsoft password expires today, scan to keep your account" warning; a fake voicemail or fax notification; an HR or benefits message. The QR code is presented as the easy way to handle it. Scan it, and you get a pixel-perfect copy of a Microsoft, Adobe, DocuSign, or payment-portal login that exists only to capture what you type.

The unsettling part: quishing has gone physical

The fastest-growing twist does not arrive by email at all. Attackers are printing their own QR-code stickers and placing them over legitimate codes in the real world, on parking meters, retail displays, posters, event signage, even restaurant tables. You scan what looks like the official code to pay for parking or view a menu, and you land on a convincing fake that harvests your card details. Some send fake codes by physical mail, dressed as a bill or a delivery notice. It is cheap, it requires no hacking, and it exploits the one thing we have all been trained to do without thinking: scan the code. You cannot tell a malicious sticker from a real code by looking, which is exactly why it works.

How a small business defends against it

The good news: quishing is beatable with a short list of habits and controls, none of them exotic.

  • Treat every QR code like a suspicious link. The core training message is that simple. Do not scan codes that arrive unexpectedly by email, and be wary of any code pushing urgency ("scan now or lose access"). When in doubt, ignore the code and go directly to the company's known website or app yourself.
  • Preview before you open. Most phones show the web address a code resolves to before loading it. Read it. If it is not the exact official domain you expect, stop. Teach your team to look at that preview every time.
  • Turn on phishing-resistant MFA. This is the safety net that matters most. If someone does enter a password on a fake page, multi-factor authentication means the stolen password alone is not enough to get into the account. It is the same identity-first principle in our identity hardening post and MFA fatigue post.
  • Use email security that reads QR codes. Modern email protection can analyze the codes inside image attachments rather than only scanning text links, closing the gap older filters leave open. It is part of the stack on the cybersecurity service page.
  • Keep work accounts on managed devices where you can, so the attack cannot escape to an unmonitored personal phone, and pair it with the broader controls in the Microsoft 365 settings post.
  • For physical codes, prefer the official app, website, or a posted phone number over a sticker whose origin you cannot confirm, and treat any code that looks placed over another as a red flag.
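Two of the controls above, reading the address preview and using email security that decodes QR codes, apply the same judgment to the decoded destination. The following is an added example written for this post, not code from the original article or from any vendor product: it assumes a separate QR library has already turned the image into its text payload (decoding is out of scope here), and the allowlist, domain names and sample payloads are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist: the official domains a team expects after scanning a vendor's code.
OFFICIAL_DOMAINS = ("microsoft.com", "microsoftonline.com", "docusign.com", "adobe.com")

# Constructed decoded payloads, standing in for what a QR decoder would return.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoft.com@secure-docs.example/verify",  # brand before '@'
    "https://microsoft.com.password-expiry.example/",          # brand as a subdomain
    "http://203.0.113.7/parking/pay",                          # bare IP (RFC 5737 test range)
    "WIFI:S:Guest;T:WPA;P:secret;;",                           # not a web link at all
]


def check_qr_destination(payload, official_domains=OFFICIAL_DOMAINS):
    """Judge a decoded QR payload the way the phone's address preview should be read.
    Returns (verdict, detail); only "ok" means an official domain or a subdomain of one."""
    text = payload.strip()
    # Web links start with http(s)://, or are a bare host a phone would open as one.
    if not re.match(r"https?://|[\w.-]+(?:[/?#]|$)", text, re.I):
        return "not_url", "payload is not a web address"
    parts = urlsplit(text if "://" in text else "https://" + text)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "not_url", "payload is not a web address"
    if parts.username is not None:  # user@host: the real host is after the '@'
        return "suspicious", f"text before '@' hides the real host {host}"
    try:
        ipaddress.ip_address(host)
        return "suspicious", "bare IP address instead of a domain"
    except ValueError:
        pass
    if not host.isascii() or "xn--" in host:
        return "suspicious", "internationalized host may mimic an official one"
    for official in official_domains:
        if host == official or host.endswith("." + official):
            return "ok", official
    brands = {d.split(".")[0] for d in official_domains}
    if any(b in label for label in host.split(".") for b in brands):
        return "lookalike", f"official brand name inside another domain: {host}"
    return "unknown", host


def triage_decoded_codes(payloads):
    """What a QR-aware mail filter would hold for review: every payload not judged "ok"."""
    findings = [(p, *check_qr_destination(p)) for p in payloads]
    return [f for f in findings if f[1] != "ok"]
```

Running `triage_decoded_codes(SAMPLE_PAYLOADS)` holds four of the five constructed payloads; only the genuine Microsoft sign-in address passes, which is the same outcome a careful reader of the preview should reach.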

If someone already scanned one

Stay calm and move fast. If they only scanned and previewed the address without entering anything, closing the page is almost certainly the end of it. If they typed a password, change it immediately on the real site and anywhere else it was reused, and tell your IT provider so they can check the account for unauthorized access and confirm MFA is on. If card details went in, call the bank or card issuer to flag the card. Then report it internally so the rest of the team is warned about the specific lure. The danger window is the time between a password being stolen and being changed, so speed is the whole game, the same lesson as in how ransomware gets in.

Where this fits

We help small businesses across Salinas, Monterey, Santa Cruz, Watsonville, San Jose, and the rest of the Central Coast train their teams and harden their accounts against phishing in every form, including this one.

FAQs about QR code phishing

What is quishing, or QR code phishing?

Quishing is phishing that uses a QR code instead of a clickable link to send a victim to a malicious website. Instead of a suspicious URL you could hover over and inspect, the attacker embeds the link inside a QR code, often in an email that looks like a Microsoft, Adobe, or DocuSign notification, or on a physical sticker in the real world. When you scan the code with your phone's camera, it opens a fake login or payment page designed to steal your password or card details. The trick is purely about delivery: it is the same credential theft as ordinary phishing, but the QR code hides the destination from both your eyes and your security filters until it is too late.

Why do QR codes get past email security?

Because to most email filters, a QR code is just an image, not a link. Traditional email security scans the text and URLs in a message and blocks known-bad web addresses, but a QR code is a picture of a link, so the malicious destination is not visible as text for the filter to catch. On top of that, scanning the code moves the victim onto their phone, frequently a personal device with no corporate filtering, no endpoint protection, and a small screen that hides the real web address. So the attack slips past the gateway and then lands on the least-protected device a person owns. That combination is exactly why quishing has grown so fast: it sidesteps the defenses built for link-based phishing.

How can I tell if a QR code is malicious?

You often cannot tell by looking, which is the whole problem, so judge the context instead of the code. Be suspicious of any QR code that arrives unexpectedly by email, especially one claiming you must scan it to keep an account, view a document, or fix a security issue; that urgency is a classic phishing tell. For physical codes, be wary of stickers that look added-on or placed over another code. When you do scan one, most phones show a preview of the web address before opening it: read it, and if it is not the official domain you expect, do not continue. The safest habit of all is to skip the code and go directly to the company's known website or app yourself.

Are QR codes on parking meters, flyers, and restaurant tables safe to scan?

Treat them with caution, because one of the fastest-growing versions of this attack is criminals placing their own QR-code stickers over legitimate ones in public places: parking meters, retail displays, posters, and restaurant tables. You scan what looks like an official payment or menu code and land on a convincing fake that harvests your card details. It is not that every public QR code is dangerous, but you cannot verify one by sight, and a sticker is trivial to swap. The safer move is to pay or order through the official app or website, or a posted phone number, rather than a code whose origin you cannot confirm. If a code looks like a sticker placed over something else, do not use it.

How do we protect our small business from quishing?

Layer a few defenses. First, train staff to treat a QR code exactly like a suspicious link: do not scan unexpected ones, preview the address, and go direct to the source instead. Second, deploy phishing-resistant multi-factor authentication so that even if someone enters a password on a fake page, the attacker cannot get into the account with it alone. Third, use modern email security that can analyze QR codes inside images rather than only scanning text links. Fourth, keep work accounts on managed devices where possible, so the attack cannot escape to an unmonitored personal phone. None of these is exotic; together they turn a scanned bad code into a near miss instead of a breach.

We scanned a suspicious QR code. What should we do now?

If you only scanned it and previewed the address without entering anything, you are almost certainly fine; just close the page. If you entered a password or payment details on the page it opened, act quickly: change that password immediately on the real site, and on any other account using the same password; if it was a work account, tell your IT provider so they can check for unauthorized access and confirm multi-factor authentication is in place; and if you entered card details, contact your bank or card issuer to flag the card. Then report what happened so others can be warned. Speed limits the damage: an attacker with a fresh stolen password moves fast, so the sooner you rotate it and alert IT, the smaller the window they have.

Want your team trained to spot this before it costs you?

30 minutes with a DoD-cleared engineer. We'll look at your email security, your MFA, and how your staff handle the unexpected, and hand you a short plan to close the gaps quishing exploits. No fearmongering, no obligation.

Book your free assessment

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.
