QR Code Phishing (Quishing)

QR codes are everywhere — restaurant menus, parking meters, corporate emails. You scan one and a webpage opens. But unlike a regular link, you can't hover over a QR code to preview the URL. Attackers know this. That's why QR code phishing bypasses email filters, evades URL previews, and catches people off guard in ways traditional phishing can't.

QR code phishing attacks increased 587% in 2023 compared to the prior year, according to security researchers. Quishing now accounts for a growing share of all phishing campaigns — and most email security gateways still can't scan the URLs embedded inside QR code images.

How Quishing Actually Works

The attack is simple but effective. An attacker encodes a malicious URL into a QR code and places it somewhere a victim will scan it — an email, a flyer, a sticker on a parking meter. Because the URL is hidden inside the image, neither the victim nor their email filter can see where it leads until it's too late.

Attacker creates a malicious QR code

The attacker generates a QR code that encodes a phishing URL — often behind a URL shortener or redirect chain to further obscure the final destination. The QR code is embedded in an email, printed on a sticker, or placed on a poster.

Victim scans with their phone

The victim scans the QR code with their phone camera. The phone shows a URL preview, but most people tap "Open" without reading it — especially when the context feels trustworthy (a work email, a parking meter, a restaurant table). The link opens in the phone's mobile browser.

Lands on a phishing page

The URL loads a convincing phishing page — a fake Microsoft 365 login, a bank verification form, or a payment portal. On mobile, the smaller screen makes it even harder to notice a suspicious domain in the address bar.

Credentials stolen

The victim enters their username, password, or payment details. The data goes straight to the attacker's server. Advanced kits also capture MFA codes in real time, completing the account takeover within seconds.

Why QR Phishing Is So Effective

Quishing works because it hits several blind spots at once — both technical and human:

Bypasses email security filters. Most email gateways scan text and links for malicious URLs. A QR code is just an image — the URL is encoded in the pixel pattern, not in the email's HTML. Traditional filters don't decode QR images, so the phishing link passes right through.
No URL preview. When you hover over a link in an email, your client shows where it goes. QR codes don't have hover states. You can't see the destination until after you've scanned and your phone's browser is already loading it.
Urgency and authority. Quishing emails often impersonate IT departments ("Scan to set up your new MFA"), HR ("Scan to review your benefits enrollment"), or executives. The corporate context creates urgency that overrides caution.
Trust in physical media. People implicitly trust QR codes on physical objects — parking meters, restaurant tables, event posters. An attacker can simply paste a malicious QR sticker over the legitimate one. Nobody thinks to verify a QR code on a parking meter.
Mobile screens hide red flags. After scanning, the phishing page opens on a phone where the address bar is smaller, URL shorteners are common, and users are less likely to scrutinize the domain. Mobile browsers also lack many desktop security extensions.

Real-World Quishing Examples

Fake parking meter QR codes

Attackers place sticker QR codes over legitimate ones on parking meters in major cities. Drivers scan to pay for parking and land on a fake payment page that collects their credit card details. The real parking meter still shows "unpaid," so the victim also gets a ticket. This attack has been documented in Austin, Houston, San Antonio, and multiple European cities.

Corporate email with QR "MFA setup"

An email impersonating the company's IT department tells employees to scan a QR code to "enroll in our new multi-factor authentication system." The QR code leads to a fake Microsoft 365 login page. Because the email references a real security policy and the QR code feels like a legitimate IT onboarding step, employees comply without question. The attacker harvests hundreds of corporate credentials in a single campaign.

Restaurant menu QR code replaced with phishing link

A restaurant uses QR codes on tables for digital menus — standard post-pandemic practice. An attacker visits the restaurant and replaces the table QR stickers with ones pointing to a phishing site that mimics a Wi-Fi login portal. Diners "connect to the restaurant WiFi" by entering their email and creating a password — a password they likely reuse elsewhere. The attacker now has a working email-password pair for credential stuffing.

How to Protect Yourself

Preview the URL before opening. When your phone camera reads a QR code, it shows the URL before you tap. Read it. Look for misspellings, unfamiliar domains, or excessive URL shorteners. If the URL doesn't clearly match the expected service, don't open it.
Be suspicious of URL shorteners and redirects. Legitimate services rarely need to hide their URLs behind bit.ly or similar shorteners. If a QR code resolves to a shortened URL, treat it with extra caution — the shortener is hiding the real destination.
Don't scan random QR codes. Treat QR codes like links in emails — with skepticism. A QR code on a random flyer, unsolicited email, or suspicious sticker should raise the same red flags as a "Click here" link from an unknown sender. Check physical QR codes for signs of tampering, like stickers placed over the original code.
Use PhishClean on Firefox for Android. Firefox for Android supports browser extensions. Install PhishClean and it will analyze every page you land on after scanning a QR code — checking for domain mismatches, suspicious forms, hidden iframes, and other phishing signals. It catches the attack at the landing page, even though it can't intercept the QR code itself.
Navigate directly instead of scanning. If an email or poster asks you to scan a QR code to log into a service, skip the QR code. Open your browser and go to the service's website directly. This one habit neutralizes quishing entirely — the same way not clicking email links blocks traditional phishing.

How PhishClean Helps After the Scan

PhishClean can't scan QR codes — no browser extension can. But that's not where the damage happens. The damage happens when you land on the phishing page and enter your credentials. That's exactly where PhishClean operates.

When you scan a QR code and the phishing page loads, PhishClean checks the page the same way it checks every other page:

Domain mismatch detection — The page looks like Microsoft 365 but the domain is ms365-verify.com. PhishClean flags the discrepancy.
Suspicious form analysis — Login forms that submit to external servers or use obfuscated form actions trigger an alert.
Hidden iframe detection — Invisible iframes used to steal credentials or load malicious content are flagged immediately.
HTTPS downgrade alerts — If the phishing page loads over HTTP or mixes encrypted and unencrypted content, PhishClean warns you.

PhishClean doesn't care how you got to the page — link, QR code, redirect chain. It just checks what the page is doing and warns you if something's wrong. No data leaves your browser.

Related Threats & Resources

Phishing Attacks

The broader category — how phishing works across email, SMS, and now QR codes.

Session Hijacking

What happens after credentials are stolen — how attackers take over active sessions.

Clicked a Phishing Link?

Already scanned a suspicious QR code? Step-by-step damage control guide.

How to Check if a Site Is Safe

Quick checks to verify a website before entering any personal information.

SSL Stripping

Quishing pages may also strip HTTPS — learn how downgrade attacks work.

Frequently Asked Questions

What is quishing?

Quishing is a form of phishing that uses QR codes instead of clickable links to direct victims to malicious websites. The term combines "QR" and "phishing." Because QR codes hide the destination URL, victims can't preview where they're going before scanning — making it easier for attackers to bypass both email security filters and human judgment.

Can my phone get hacked just by scanning a QR code?

Scanning a QR code alone doesn't hack your phone — it simply opens a URL in your browser. The danger comes from what happens next: if the URL leads to a phishing page and you enter your credentials, or if it triggers a malicious download. Always preview the URL your phone's camera shows before tapping to open it.

How does PhishClean protect against QR code phishing?

PhishClean works at the browser level, analyzing every page you land on — regardless of how you got there. After you scan a QR code and open the link, PhishClean checks the page for phishing signals like domain mismatches, suspicious form actions, hidden iframes, and credential harvesting patterns. It catches the phishing page even though it can't intercept the QR code itself.

Protect Yourself After the Scan

QR codes hide the URL, but they can't hide what the landing page does. PhishClean catches phishing at the page level — no matter how you got there.

Install PhishClean