Quishing (QR code phishing)

What is quishing?

Quishing is a phishing attack that uses QR codes to deliver malicious URLs instead of embedding links directly in text or HTML. A victim scans a QR code, typically from an email, a physical document, or a posted sign, and is redirected to a credential-harvesting page, a malware download, or a fraudulent login portal. The technique exploits the fact that QR codes are opaque: unlike a hyperlink, a human cannot read a QR code and evaluate its destination before scanning.

Quishing vs. traditional phishing: What is the same — and what is different

Quishing and traditional phishing share the same goal: deceive a user into visiting a malicious destination or surrendering credentials. The mechanism of delivery is where they diverge significantly, and those differences determine which defenses work and which do not.

| | Traditional phishing | Quishing |
|---|---|---|
| Delivery mechanism | Hyperlink in email body or attachment | QR code image in email, document, or physical medium |
| Link visibility | URL visible on hover; can be inspected before clicking | URL hidden inside QR code; not visible before scanning |
| Email security scanning | URL filtering and reputation checks apply at gateway | Most email gateways do not decode QR codes; links bypass URL scanning |
| Device of execution | Attack resolves on the same device that received the email | Victim typically scans with a mobile phone; mobile device security controls may not match enterprise endpoint controls |
| Detection by user | Educated users can inspect link text vs. href | No mechanism exists for a user to read a QR code destination before scanning |
| Physical world reach | Limited to digital channels | QR codes can be placed on posters, flyers, parking meters, conference badges |

Why quishing is growing

Email security has matured significantly over the past decade. URL detonation, link rewriting, and domain reputation analysis have made it harder for simple hyperlinks to pass through enterprise gateways undetected. Quishing circumvents most of those controls because the malicious URL is encoded inside an image, not a hyperlink. The email body technically contains no suspicious link to scan.

Mobile devices compound the problem. When a user scans a QR code with their phone, the destination resolves on a device that may have weaker security controls than a corporate laptop, is less likely to run enterprise endpoint detection, and has a browser that does not enforce corporate web filtering policies.

The physical vector adds a dimension traditional phishing cannot match. QR code phishing stickers placed over legitimate codes in a parking garage, a hotel lobby, or a conference venue reach targets outside any corporate perimeter. There is no email to filter and no corporate device involved at the point of attack.

How organizations defend against quishing

  1. Deploy email security that decodes QR codes. Next-generation email gateways and security platforms that extract and analyze URLs from QR code images in email attachments and bodies can apply the same URL reputation and detonation logic that applies to traditional links.
  2. Train users to treat QR codes as untrusted links. Users should be conditioned to treat any QR code, whether received by email or encountered physically, with the same skepticism as an unexpected hyperlink. Scanning a QR code and visiting the result is a two-step action; the pause between them is the intervention point.
  3. Extend mobile device management policies. Enterprise mobile device management (MDM) should enforce web filtering on mobile devices so that a QR code scanned on a corporate phone routes through the same controls as a link clicked on a corporate laptop.
  4. Verify physical QR codes before scanning. In physical environments, look for signs that a QR code sticker has been placed over a legitimate code: raised edges, misalignment, or different print quality. When in doubt, navigate to the destination manually.
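
The gap that step 1 closes, as an added example (not code from this page or from any product): a link-only scan of a lure finds no URLs, while decoding the image parts recovers the URL so the same reputation check can run on it. The message, the blocklist, the placeholder image bytes and the stub_decode_qr hook are constructed assumptions; a deployment would wrap a real QR decoding library behind that hook.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
FAKE_QR_PNG = b"constructed-placeholder-not-a-real-image"  # constructed sample
BLOCKLIST = {"login.example.invalid"}                      # constructed sample

def sample_message():
    """Constructed lure: no link in the body, one image part."""
    msg = EmailMessage()
    msg["Subject"] = "Action required: re-enroll MFA"
    msg.set_content("Scan the code below with your phone to keep access.")
    msg.add_attachment(FAKE_QR_PNG, maintype="image", subtype="png",
                       filename="code.png")
    return msg

def stub_decode_qr(image_bytes):
    """Hypothetical decoder hook: image bytes -> list of decoded QR payloads.
    Stands in for a real QR library, which this example does not bundle."""
    if image_bytes == FAKE_QR_PNG:
        return ["https://login.example.invalid/mfa"]
    return []

def body_urls(msg):
    """What a link-only scanner sees: URLs in the text/* parts."""
    return [u for p in msg.walk() if p.get_content_maintype() == "text"
            for u in URL_RE.findall(p.get_content())]

def qr_urls(msg, decode_qr):
    """URLs recovered by decoding every image/* part of the message."""
    return [u for p in msg.walk() if p.get_content_maintype() == "image"
            for payload in decode_qr(p.get_content())
            for u in URL_RE.findall(payload)]

def triage(msg, decode_qr=stub_decode_qr):
    links, hidden = body_urls(msg), qr_urls(msg, decode_qr)
    return {
        "body_urls": links,
        "qr_urls": hidden,
        # One reputation check, applied to both sources of URLs.
        "blocked": [u for u in links + hidden
                    if urlsplit(u).hostname in BLOCKLIST],
        # Image carries a URL while the body carries none: the quishing shape.
        "image_only_lure": bool(hidden) and not links,
    }

if __name__ == "__main__":
    print(triage(sample_message()))
```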

Frequently Asked Questions (FAQ)

Where does the word quishing come from?

Quishing is a portmanteau of QR code and phishing, following the same naming convention as smishing (SMS phishing) and vishing (voice phishing). The term emerged as QR code-based attacks increased in frequency following the widespread adoption of QR codes during the COVID-19 pandemic.

Can a QR code itself contain malware?

A QR code itself is a data encoding format and cannot execute code. The threat in quishing is the URL the QR code encodes. That URL can direct the scanner to a credential-harvesting page, a drive-by download, or a site that exploits mobile browser vulnerabilities. The QR code is the delivery mechanism, not the payload.

Is quishing more dangerous than traditional phishing?

Quishing is more dangerous in specific contexts because it bypasses email URL scanning, is invisible to the human eye before scanning, and shifts execution to mobile devices that may have weaker enterprise security controls. It is not universally more sophisticated, but it exploits a genuine gap in how most email security is configured.

How do I report a suspected quishing attempt?

Report suspected quishing to your organization's security team the same way you would report a suspicious email. If a physical QR code is involved, photograph it without scanning and report its location. Do not scan a code you suspect is malicious simply to gather more information.
