QR Quishing and Phishing Explained

Introduction

QR codes were designed to make life easier. Point your camera, open a page, pay a bill, join Wi-Fi, or pull up a menu. That speed is exactly why attackers love them. QR code phishing, also known as quishing, turns a harmless square into a shortcut to credential theft, payment fraud, and device compromise. You scan because the code looks official. A logo sits nearby. The promise is simple, pay here or track your parcel. In seconds, you are typing a password or card number on a page that looks right but is not.

Quishing succeeds because it moves the moment of decision away from your protected desktop to your phone. Your email gateway may block suspicious links in messages on your laptop. It will not stop you from scanning a printed sticker on a parking meter or an image in a forwarded email that hides its URL inside a QR pattern. On a small mobile screen, domains truncate, brand marks are tiny, and subtle typos are tougher to spot. Attackers design their pages for this reality. They keep the flow fast and the pressure high.

This guide explains how quishing works, why it is rising, and how to stop it with practical controls. We walk through the attacker playbook from code placement to credential capture. You will learn how to recognize red flags in the moment, even on a phone. We map the defenses that matter most, from QR-aware email filtering to phishing resistant MFA. We also include training scenarios you can copy, with normal versus vulnerable examples that make the risk concrete for your team.

If you run security, you will find a prioritized checklist and a buyer’s guide for tools that understand QR threats. If you manage facilities, you will get a physical inspection routine that catches tampered signage before it hurts staff or visitors. If you are a daily user, you will leave with simple habits that keep scans safe. Pause. Preview the domain. Proceed only if it checks out. Prefer official apps for payments and deliveries.

Qhishing

T;DLR

Definition: Quishing is phishing that uses a QR code to lure you to a spoofed website or malicious app. Attackers print or embed a code on emails, posters, invoices, parking meters, delivery notes, or packaging. You scan, land on a fake site, and enter credentials or payment details. Because the scan happens on your phone, outside many enterprise defenses, detection is harder. Microsoft and industry reports have tracked a steady rise in QR code phishing, including large waves delivered by email images that carry QR codes instead of clickable links.

Why quishing is surging now

Scanning feels safe. People assume printed codes are vetted.
Mobile first. You scan on a phone, then authenticate to cloud apps, all away from desktop protections. Microsoft
Easy to plant. A sticker on a poster or parking meter can redirect thousands of people in a day. In 2024 to 2025, UK police and media documented fake “pay here” parking codes that stole card data. Reports more than doubled year over year in parts of the UK. The Guardian
New delivery tricks. The FBI warned in July 2025 about unsolicited packages with QR codes that push victims to “confirm delivery” or “claim a gift,” then harvest credentials or drop malware. Internet Crime Complaint Center+1
Broad adoption. Billions of phones and contactless habits keep QR usage high, which increases attacker payoff.

How a quishing attack actually works

1) Seeding the QR code

Attackers place a code on a surface people trust, or inside an email image that looks like a legitimate notice. Examples include parking meters, restaurant tables, shipping labels, service tickets, gift cards, and corporate posters in lobbies. Recent cases show fake parking codes that led drivers to phishing payment pages. The Guardian

What you see: A clean code, a brand logo, and a short call to action like “Pay here,” “Track your parcel,” or “Verify account.”

What is happening: The code hides a URL that looks close to a real brand. Some codes route through a link shortener or multiple redirects before the final page.

2) The mobile detour

You scan with your camera or a reader. Your phone opens the site in a small browser tab. On mobile, URL bars truncate, and brand cues are smaller, so warning signs are easy to miss. Microsoft researchers have shown attackers intentionally move the decision point to phones to bypass desktop filters. Microsoft

3) Harvest or payload

Credential pages copy login flows, MFA prompts, or SSO portals.
Payment pages mimic parking or courier sites.
Malware pages push APKs on Android or prompt risky profiles on iOS.

Real-world data points: FBI advisories describe QR-led scams tied to delivery and prize themes. UK reporting shows thousands affected by “pay to park” quishing, including large individual losses.

Red flags to spot before and after scanning

Stickers over prints. Look for misaligned or glossy stickers on public signage.
Odd domains. Look for misspellings, extra hyphens, or unrelated TLDs when the page opens.
URL shorteners. Multiple hops or shortened links that hide the destination.
Pressure language. “Verify in 10 minutes,” “Final notice,” “Parking penalty due now.”
App sideload prompts. Pages that try to install non-store apps or profiles.

Tip: If a code is on a meter, poster, or table, verify the URL on the vendor’s official page or app store listing before you pay.

Common quishing scenarios with “safe vs unsafe” walkthroughs

A) Parking payments

Safe flow: Meter signage shows an official app or embedded NFC contactless icon. The URL resolves to the city, operator, or well-known parking brand domain.
Unsafe flow: A small sticker reads “Scan to pay.” The URL opens r1nggo-pay[.]info or a short link that lands on a domain unrelated to the operator. The page asks for full card details and security code, then sets up recurring charges. These patterns have been observed in multiple UK incidents in 2024 and 2025. The Guardian

B) Delivery re-routes

Safe flow: Carrier SMS from a known shortcode with a domain like carrier.com/track.
Unsafe flow: Unsolicited package with a QR tag instructs “Scan to confirm address.” The code lands on a credential harvest form. FBI flagged this pattern in 2025. Internet Crime Complaint Center

C) Corporate posters and invoices

Safe flow: Internal posters link to an intranet domain. Invoices contain the same payment URL your vendor uses every month.
Unsafe flow: A hallway poster with a fresh sticker, or an emailed invoice image with a QR code that lands on an unrelated payments site.

How attackers bypass controls

Email link filters. Many secure email gateways filter URLs in text, not in QR images. Quishing emails put the malicious link inside the image. Microsoft documents this tactic and now flags QR indicators in Defender for Office 365. Microsoft
Mobile session pivot. Victims move from desktop to phone, where corporate controls and password managers may be weaker. Microsoft
Look-alike domains and fast infra. Disposable domains, link chains, and image-only emails reduce the signals defenders rely on.

Prevention that works, prioritized

1) Make QR codes first-class citizens in your defenses

Block or rewrite QR URLs in email. Use a gateway or API that extracts and detonates URLs found inside images. Defender for Office 365 and similar products now include QR-specific training and analytics.

Add a QR check to phishing simulation training. Run quarterly campaigns with physical stickers in hallways and emails that contain QR images. Measure scan rates, not click rates. Hoxhunt and others report rising QR campaigns and provide program templates.

2) Harden identity

Use phishing-resistant MFA. Prefer passkeys, FIDO2 security keys, or platform authenticators. Microsoft recommends passwordless options to reduce credential theft risk across all phishing variants, including quishing. Microsoft
Shorten sessions and alert on unusual mobile logins. Watch for SSO from new mobile devices after a QR-led event.

3) Lock down the physical world

Audit public signage. Parking areas, lobbies, cafeterias, and visitor kiosks are high-risk. Maintain a register of approved stickers and posters.
Use tamper-evident design. If you publish QR codes, print directly on the sign, or use holographic seals that break when removed.

4) Empower users with one screen of guidance

Teach the “pause, preview, proceed” habit.
Always peek at the domain.
Prefer official apps for payments.
Never install apps from a web page after scanning.

5) Prepare the incident path

If credentials may be exposed, rotate and revoke refresh tokens.
If payment data may be exposed, notify the card issuer, then your fraud contact.
Report the code location to facilities or local authorities, and to the FBI IC3 if in the US.

A quick buyer’s guide for QR-aware controls

Email security: Look for OCR or computer vision that extracts and follows QR-embedded URLs. Confirm sandboxing works on mobile-only redirects. Microsoft Defender and similar tools publish guidance specific to QR threats.
Mobile management: Enforce managed browsers, block sideloading, and restrict risky device profiles.
DNS and web filtering: Expand allowlists for payment providers you trust, alert on look-alike domains.
Awareness platform: Include QR scenarios in simulations and micro-lessons.

Examples you can use in training

Scenario 1: Parking

Normal output: https://pay.ringo.co.uk/parking/zone/12345
Vulnerable output: https://r1nggo-pay.co/zone/12345?session=... → card form that asks for CVV.

Scenario 2: Delivery

Normal output: https://www.dhl.com/track?AWB=...
Vulnerable output: https://dhl-track-support.com/verify → asks for email password to “release parcel.”

Scenario 3: Corporate survey

Normal output: https://forms.microsoft.com/r/...
Vulnerable output: https://microsoft-forms.work-survey.net → SSO look-alike.

Use this trio in tabletop drills. Show screenshots of the mobile URL bar and make the team identify the tell.

“If you only do five things” checklist

Enable QR-aware URL extraction in email security.
Move to phishing-resistant MFA, start with admins and finance.
Run a quarterly QR simulation that includes physical stickers.
Publish an employee micro-guide on safe scanning.
Add a facilities sweep for tampered QR stickers in public areas.

Conclusion

Quishing shifts phishing from the inbox to your phone, using the trust of physical spaces and the constraints of small screens. Defenses work best when you treat QR codes as a first-class threat. Add QR-aware email filtering, run realistic QR simulations, move to phishing-resistant MFA, and audit public signage. If you make these steps routine, QR codes become less of a trap and more of a tool.

FAQs

Is scanning any QR code safe?
No. You cannot see the destination without scanning. Treat public codes as untrusted, verify the domain, and prefer official apps for payments.

Can email security stop quishing?
Yes, but only if it extracts URLs from QR images and analyzes the destination. Choose gateways that support this and pair with user training.

What if I already scanned and entered data?
Change the related passwords, revoke sessions, notify your bank if you entered card details, and report the incident. In the US, file at IC3.

Are QR codes themselves malicious?
The code is just a pointer, the risk comes from where it points. Attackers rely on trust in physical spaces and small mobile screens.

Which MFA stops quishing?
Use phishing-resistant MFA like passkeys or security keys. Even if a fake page captures a password, the attacker cannot easily replay a hardware-bound credential.