
2026 Gartner® Magic Quadrant™ for Software Supply Chain Security: 5 takeaways
The Magic Quadrant™ for Software Supply Chain Security is a 45-minute read. Here's what we feel security leaders need to pull from it.
Quishing is a phishing attack that uses QR codes to deliver malicious URLs instead of embedding links directly in text or HTML. A victim scans a QR code, typically from an email, a physical document, or a posted sign, and is redirected to a credential-harvesting page, a malware download, or a fraudulent login portal. The technique exploits the fact that QR codes are opaque: unlike a hyperlink, a human cannot read a QR code and evaluate its destination before scanning.
Quishing and traditional phishing share the same goal: deceive a user into visiting a malicious destination or surrendering credentials. The mechanism of delivery is where they diverge significantly, and those differences determine which defenses work and which do not.
| | Traditional phishing | Quishing |
|---|---|---|
| Delivery mechanism | Hyperlink in email body or attachment | QR code image in email, document, or physical medium |
| Link visibility | URL visible on hover; can be inspected before clicking | URL hidden inside QR code; not visible before scanning |
| Email security scanning | URL filtering and reputation checks apply at gateway | Most email gateways do not decode QR codes; links bypass URL scanning |
| Device of execution | Attack resolves on the same device that received the email | Victim typically scans with a mobile phone; mobile device security controls may not match enterprise endpoint controls |
| Detection by user | Educated users can inspect link text vs. href | No mechanism exists for a user to read a QR code destination before scanning |
| Physical world reach | Limited to digital channels | QR codes can be placed on posters, flyers, parking meters, conference badges |
Email security has matured significantly over the past decade. URL detonation, link rewriting, and domain reputation analysis have made it harder for simple hyperlinks to pass through enterprise gateways undetected. Quishing circumvents most of those controls because the malicious URL is encoded inside an image, not a hyperlink. The email body technically contains no suspicious link to scan.
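The gap described above closes only if the gateway treats a URL recovered from an image the same way it treats a hyperlink. The following is an added example (not code from the original page or any vendor product) of that wiring: it walks the MIME parts of a message, hands every image part to a QR decoder, and runs each decoded URL through the same triage heuristics a hyperlink would get. The decoder is injected as a callable; in production that would wrap a library such as pyzbar, while here a constructed stand-in keyed on the PNG magic number is used so the example runs offline. `CORPORATE_DOMAINS`, the sample message and its attachment are all constructed assumptions.

```python
"""Gateway-side handling of QR codes found in email images.

Added example, not the original page's code. It assumes a QR decoder
callable that takes raw image bytes and returns the decoded strings; a
constructed stand-in is injected below so the example runs offline.
"""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's own domains (assumption).
CORPORATE_DOMAINS = {"example.com"}

URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def urls_from_qr_images(msg, qr_decoder):
    """Walk every MIME part; decode image parts and keep anything URL-shaped.

    Returns a list of (part_name, url) tuples. A gateway that only scans
    hyperlinks never looks at these parts, which is the gap quishing uses.
    """
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        image_bytes = part.get_payload(decode=True) or b""
        for text in qr_decoder(image_bytes):
            if URL_RE.match(text):
                found.append((part.get_filename() or "<inline image>", text))
    return found


def triage_url(url):
    """Return the reasons a URL should get the same treatment (block, rewrite,
    detonate) the gateway already applies to hyperlinks. An empty list means
    no heuristic fired, not that the URL is safe."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ("http", "https"):
        reasons.append(f"non-web scheme {parts.scheme!r}")
    if parts.username is not None:
        reasons.append("userinfo in URL authority")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label in host")
    for corp in CORPORATE_DOMAINS:
        brand = corp.split(".")[0]
        is_ours = host == corp or host.endswith("." + corp)
        if brand in host and not is_ours:
            reasons.append(f"host contains {brand!r} but is not under {corp}")
    return reasons


def scan_message(raw_bytes, qr_decoder):
    """Parse a raw RFC 5322 message and triage every URL recovered from QR images."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [
        {"part": name, "url": url, "reasons": triage_url(url)}
        for name, url in urls_from_qr_images(msg, qr_decoder)
    ]


def build_sample_message():
    """Constructed sample: a text body with no hyperlink plus a PNG attachment.

    The attachment bytes are a placeholder, not a real PNG; only the magic
    number matters to the stand-in decoder below."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: re-enroll your device"
    msg.set_content("Scan the attached code to complete re-enrollment.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n<constructed placeholder>",
                       maintype="image", subtype="png", filename="enroll.png")
    return msg.as_bytes()


def constructed_qr_decoder(image_bytes):
    """Stand-in for a real decoder (assumption). A real implementation would
    pass the bytes to a library such as pyzbar and return each symbol's data."""
    if image_bytes.startswith(b"\x89PNG"):
        return ["https://example-com.login-verify.test/enroll"]
    return []


if __name__ == "__main__":
    for hit in scan_message(build_sample_message(), constructed_qr_decoder):
        print(hit["part"], hit["url"], "->", hit["reasons"] or ["no heuristic hit"])
```

The point of the structure is that `triage_url` is shared: whatever the gateway already does with hyperlinks (reputation lookup, rewriting, detonation) is applied unchanged to the decoded QR destination, so the image route no longer skips the control.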
Mobile devices compound the problem. When a user scans a QR code with their phone, the destination resolves on a device that may have weaker security controls than a corporate laptop, is less likely to run enterprise endpoint detection, and whose browser does not enforce corporate web filtering policies.
The physical vector adds a dimension traditional phishing cannot match. QR code phishing stickers placed over legitimate codes in a parking garage, a hotel lobby, or a conference venue reach targets outside any corporate perimeter. There is no email to filter and no corporate device involved at the point of attack.
Where does the word quishing come from?
Quishing is a portmanteau of QR code and phishing, following the same naming convention as smishing (SMS phishing) and vishing (voice phishing). The term emerged as QR code-based attacks increased in frequency following the widespread adoption of QR codes during the COVID-19 pandemic.
Can a QR code itself contain malware?
A QR code itself is a data encoding format and cannot execute code. The threat in quishing is the URL the QR code encodes. That URL can direct the scanner to a credential-harvesting page, a drive-by download, or a site that exploits mobile browser vulnerabilities. The QR code is the delivery mechanism, not the payload.
Is quishing more dangerous than traditional phishing?
Quishing is more dangerous in specific contexts because it bypasses email URL scanning, is invisible to the human eye before scanning, and shifts execution to mobile devices that may have weaker enterprise security controls. It is not universally more sophisticated, but it exploits a genuine gap in how most email security is configured.
How do I report a suspected quishing attempt?
Report suspected quishing to your organization's security team the same way you would report a suspicious email. If a physical QR code is involved, photograph it without scanning and report its location. Do not scan a code you suspect is malicious simply to gather more information.