What Is Quishing?
Quishing, or QR code phishing, uses QR codes to direct people to phishing pages, fake login prompts, malicious downloads, or fraudulent payment flows. The QR code can hide the destination and move the interaction to a mobile device where users may have less context.
Quishing is a phishing technique that uses QR codes as the delivery path. Instead of clicking a visible link, the target scans a code and is taken to a site or prompt controlled by the attacker.
At a glance: The square code is not the threat by itself. The risk is the destination and the action it asks the user to take after scanning.
Quishing Meaning
QR codes are common in workplaces, restaurants, events, invoices, parking systems, product packaging, and account workflows. That familiarity makes quishing effective. A user may scan without thinking because QR codes often feel like normal shortcuts.
Attackers use that shortcut to hide links that might otherwise look suspicious. In an email, a URL can sometimes be inspected before clicking. In a QR code, the destination is hidden until the camera or scanning app reveals it. Some users then continue quickly because they are already partway through the flow.
Quishing can also move the target away from a managed desktop environment. If an employee scans a QR code with a personal phone, the organization may have less visibility into the browser, security controls, and reporting path. The user may enter credentials or payment information from a device that is harder for security teams to monitor.
For business users, the safest habit is to treat unexpected QR codes like unexpected links. A code printed on a poster, embedded in an email, or shown on a screen should be verified before it leads to credentials, payments, downloads, or approvals.
How Quishing Works
Quishing works by replacing a visible link with a QR code that points to an attacker-controlled destination.
- The attacker places the code. The QR code may appear in an email, PDF, poster, sticker, invoice, sign, or message.
- The target scans it. A phone camera or scanning app opens a link that may not be reviewed carefully.
- A fake destination appears. The site may imitate a login page, payment portal, document viewer, Wi-Fi page, or support flow.
- The user is asked to act. The attacker may request credentials, MFA codes, payment, app installation, or personal information.
- The stolen data is used. Credentials, payment details, or device access can lead to account takeover or follow-up phishing.
Common Quishing Examples
Quishing can cross from digital messages into physical spaces.
- Email QR login: An email says the user must scan a code to review a document, update security settings, or access voicemail.
- Fake parking notice: A QR code on a flyer or windshield notice sends the user to a fraudulent payment page.
- Conference badge or poster: A code at an event leads to a fake registration, survey, or prize page that collects credentials.
- Invoice payment code: A PDF invoice includes a QR code that routes payment to an attacker-controlled page.
- Wi-Fi access prompt: A sign tells visitors to scan a code for network access but sends them to a fake captive portal.
Why Quishing Matters
A QR code can make a link feel like a harmless shortcut instead of a security decision. The destination is harder to inspect, and the user may be scanning from a mobile device where URLs are shortened, hidden, or easy to miss.
It also complicates security monitoring. A suspicious email with a normal link may be rewritten, scanned, or blocked. A QR code image can be harder to analyze, and the final interaction may happen outside the corporate device.
The business impact can include credential theft, fraudulent payments, malicious app installation, customer data exposure, or account takeover. A small code can become the first step in a larger compromise.
How to Reduce Quishing Risk
Safer scanning starts with treating an unexpected QR code like an unexpected link.
- Preview the destination. Most phones show a URL before opening it. Check the domain and do not continue if it looks unexpected.
- Use official paths. For payments, logins, documents, and account updates, go to the known website or app directly.
- Treat printed codes carefully. Stickers, posters, and flyers can be swapped or placed by attackers in public areas.
- Report suspicious QR codes. Employees should report QR codes in emails, documents, or physical spaces when the destination seems wrong.
- Train mobile decision-making. Awareness programs should show QR examples because scanning often happens away from the desktop inbox.
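The "preview the destination" and "check the domain" steps above can also be applied by a team triaging reported QR codes. The following is an added example, not part of the original page: it reviews an already-decoded QR payload, and the domain lists, function name, and sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed lists for illustration; replace with your organisation's own.
OFFICIAL_DOMAINS = {"example.com", "pay.example.org"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def review_qr_destination(payload: str) -> list[str]:
    """Return reasons a decoded QR payload needs a closer look (empty list = none found)."""
    findings = []
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return findings + ["no hostname in payload"]
    if parts.username is not None:
        # https://trusted@evil.test/ shows a trusted name but connects to evil.test
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        return findings + ["host is a raw IP address"]
    except ValueError:
        pass  # not an IP literal, continue with domain checks
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible lookalike domain)")
    if host in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    # Match the registered suffix, not a substring: 'example.com.evil.test' must fail.
    if not any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        findings.append(f"'{host}' is not an official domain")
    return findings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real reports.
    samples = [
        "https://portal.example.com/docs",
        "https://example.com@login.example.net/verify",
        "https://example.com.account-check.example.net/",
        "http://192.0.2.10/pay",
        "https://bit.ly/abc",
    ]
    for s in samples:
        print(s, "->", review_qr_destination(s) or "no findings")
```

An empty result only means none of these checks fired; for logins and payments the known website or app remains the safer path.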
What to Do After Scanning a Suspicious QR Code
If someone scanned a code and entered information or installed something, treat it like a phishing interaction rather than a simple mistake.
- Close the destination. Stop using the page or app reached from the QR code and do not enter more information.
- Report the code and URL. Send a screenshot of the QR code, the destination URL, and where the code appeared.
- Reset exposed credentials. If login details or MFA codes were entered, reset the account through an official path.
- Review payments and device changes. Check for fraudulent charges, profile installs, downloads, or browser prompts that followed the scan.
Related Quishing Terms
Quishing is one way phishing moves beyond visible links.
- Tech Support Scams covers fake support prompts that can appear after users scan a code or visit a copied portal.
- Smishing explains mobile phishing behavior that often shares the same quick-scan decision risk.
Quishing Takeaway
Quishing works because scanning feels quick and ordinary. The user may not think of the QR code as a link, even though that is exactly what it becomes.
A safe rule is to treat every unexpected QR code as an untrusted shortcut. If it leads to login, payment, download, or account action, use a known path instead.
Questions Teams Ask About Quishing
Quick answers about QR code phishing, mobile risk, and safer scanning habits.
What is quishing?
Quishing is QR code phishing. Attackers use QR codes to send users to phishing pages, fake login portals, malicious downloads, payment scams, or other unsafe destinations.
Why do attackers use QR codes for phishing?
QR codes can hide the destination until the user scans them, and they often move the interaction from a monitored computer to a personal phone.
Where does quishing appear?
Quishing can appear in emails, posters, flyers, parking notices, invoices, business cards, delivery notices, conference materials, and fake login prompts.
How can users reduce quishing risk?
Users should preview the destination, avoid scanning unexpected codes, use official websites or apps directly, and report suspicious QR codes in email or physical spaces.