What Is Quishing? How QR Code Phishing Works and How to Stay Safe
You see a QR code on a parking meter, a restaurant table, or an email from your bank. You scan it without thinking. That reflex is exactly what attackers count on. Quishing -- QR code phishing -- is a growing attack vector that uses QR codes to redirect victims to fake login pages, trigger malware downloads, or steal credentials.
The name combines "QR" and "phishing." The technique bypasses email filters that scan text and URLs but cannot read images of QR codes. That gap has made quishing one of the fastest-growing phishing methods since 2023.
How Quishing Attacks Work
A quishing attack follows the same logic as traditional phishing, but replaces a clickable link with a QR code. The typical flow:
- The attacker creates a QR code that points to a malicious URL -- usually a convincing replica of a login page for Microsoft 365, Google Workspace, a bank, or a payment service.
- The QR code is delivered via email, printed flyer, sticker placed over a legitimate QR code, or even a physical letter.
- The victim scans the code with their phone, which opens the URL in a mobile browser -- often with fewer visible security indicators than a desktop browser.
- The victim enters credentials on the fake page. The attacker captures them in real time, sometimes even proxying the session to bypass two-factor authentication.
The key advantage for attackers: most email security gateways do not decode QR codes embedded in images or PDF attachments. The malicious URL never appears as text in the email, so it passes through filters.
Real-World Quishing Examples
These are not hypothetical. Quishing attacks have appeared in every sector:
- Parking meter stickers. Attackers place sticker QR codes over legitimate payment codes on parking meters and EV charging stations. Victims scan the sticker and enter payment details on a fake payment portal. Cities including Austin, Houston, and San Antonio have issued public warnings about this attack.
- Corporate email campaigns. An employee receives an email that appears to be from IT, asking them to "re-authenticate" by scanning a QR code. The code leads to a fake Microsoft 365 login page. HP Wolf Security reported a 587% increase in QR-based email attacks in late 2023.
- Fake delivery notifications. A letter or SMS claims a package could not be delivered and includes a QR code to "reschedule." The code leads to a credential harvesting page or a page that installs malware.
- Restaurant and venue overlays. An attacker prints a sticker with a malicious QR code and places it directly over the restaurant's legitimate menu QR code. Diners scan it and land on a phishing page instead of the menu.
Why QR Codes Are Effective Phishing Tools
Several properties of QR codes make them unusually well-suited for social engineering:
| Property | Why It Helps Attackers |
|---|---|
| Opaque by design | You cannot read the URL by looking at a QR code. There is no way to inspect where it leads before scanning. |
| Trusted by habit | People scan QR codes reflexively, especially on printed materials where physical presence implies legitimacy. |
| Bypass email filters | Most security tools scan text and URLs, not images. A QR code in a PNG attachment is invisible to URL analysis. |
| Force mobile context | Scanning moves the interaction to a phone, where browser URL bars are small and security extensions are rare. |
| Easy to replace | A printed sticker over a legitimate QR code is nearly invisible. The replacement looks identical to the original. |
How to Spot a Quishing Attempt
No QR code reveals its destination visually, but the context around it often does. Watch for these signals:
- Urgency language. "Scan immediately to avoid account suspension" or "verify your identity within 24 hours." Legitimate services rarely use QR codes for urgent security actions.
- Unexpected QR codes in email. If your IT department or bank has never sent you a QR code before, question why they would start now. Most legitimate password resets use text links, not QR codes.
- Stickers over existing codes. If a QR code on a parking meter, restaurant table, or public sign looks like a sticker placed on top of the original surface, it probably is. Look for edges, different paper quality, or misalignment.
- Mismatched URLs. After scanning (but before entering any information), check the URL in your browser. Does it match the expected domain? A Microsoft login page at microsoft-verify-login.com instead of login.microsoftonline.com is a clear fake.
- Requests for credentials on scan. A QR code that immediately asks for a password, payment card, or personal information without any prior context is almost certainly malicious.
How to Protect Yourself
For Individuals
- Preview before you tap. Both iOS and Android show a URL preview when you point your camera at a QR code. Read the domain before opening the link. If it looks unfamiliar or uses a URL shortener, do not tap.
- Never enter credentials after scanning. If a QR code leads to a login page, close it. Navigate to the service directly by typing the URL or using a bookmark instead.
- Check physical codes for tampering. Before scanning a QR code on a poster, meter, or table tent, look for sticker overlays. If you are uncertain, try lifting a corner to see whether it peels away from the original surface.
- Use a QR scanner that shows the URL. The default camera app on most phones shows a URL preview. Some third-party QR scanner apps open links immediately without showing the URL first -- avoid those.
- Keep your phone updated. Mobile browsers and operating systems regularly patch vulnerabilities that malicious pages might exploit.
For Businesses
- Use direct URLs on printed materials. When possible, print the actual URL alongside the QR code so people can verify the destination. This also helps people who prefer to type the URL.
- Audit your physical QR codes. Regularly check that QR codes on your signage, menus, and public displays have not been covered with sticker overlays.
- Train employees on quishing. Add QR code phishing to your security awareness training. Include examples of fake emails with QR codes.
- Use branded landing pages. When your QR code leads to your site, make sure the landing page clearly shows your branding and uses your primary domain, not a redirect service.
- Generate codes from trusted tools. Use a QR generator that encodes exactly the URL you provide, with no tracking redirects or intermediary domains. qrmake.dev generates static QR codes that point directly to your URL -- no middleman, no redirect, no data collection.
Static QR Codes Are Safer Than Dynamic Ones
There are two types of QR codes: static and dynamic. Understanding the difference matters for security:
- Static QR codes encode the destination URL directly in the code itself. The URL cannot be changed after the code is generated. What you encode is what the scanner gets.
- Dynamic QR codes encode a redirect URL owned by the QR service provider. The provider can change where the redirect points at any time. This means the QR code's destination can be altered after printing -- a feature, but also a risk.
If a dynamic QR service is compromised or an attacker gains access to the redirect dashboard, they can change the destination of every dynamic QR code that service has ever generated. This has happened: in January 2024, security researchers demonstrated that several major dynamic QR platforms had vulnerabilities that would allow destination hijacking.
For security-sensitive use cases (payments, authentication, official documents), static QR codes are the safer choice because the URL is immutable once encoded.
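As an added example (not code from qrmake.dev or the original article), the post-scan check described under "Mismatched URLs" above, plus a flag for URLs that go through a redirect or shortener service, which is what a dynamic code encodes. The REDIRECT_HOSTS list and the helper names are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: hosts that resolve a QR code through a redirect
# service, so the real destination can be changed after the code is printed.
REDIRECT_HOSTS = {"bit.ly", "tinyurl.com", "qr.example-redirect.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; sufficient for the .com-style names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_qr_url(url: str, expected_domain: str, brand: str) -> dict:
    """Check a URL decoded from a QR code against the service we expect.

    expected_domain: registrable domain the real service uses ('microsoftonline.com')
    brand: keyword whose presence in an unrelated host marks a lookalike ('microsoft')
    """
    reasons = []
    # QR payloads sometimes omit the scheme; camera apps then default to plain http.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # "login.microsoftonline.com@evil.example": the text before '@' is userinfo,
        # not the host, so the browser actually connects to the part after '@'.
        reasons.append(f"text before '@' is not the host; real host is {host}")
    if host in REDIRECT_HOSTS:
        reasons.append("redirect/shortener host: destination can be changed later")
    actual = registrable_domain(host)
    if actual != expected_domain:
        if brand.lower() in host:
            reasons.append(f"lookalike: contains '{brand}' but is {actual}, not {expected_domain}")
        else:
            reasons.append(f"unexpected domain {actual}, expected {expected_domain}")
    return {"host": host, "verdict": "ok" if not reasons else "suspicious", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, including the page's own lookalike domain.
    for sample in ("https://login.microsoftonline.com/",
                   "https://microsoft-verify-login.com/login",
                   "bit.ly/3abc",
                   "https://login.microsoftonline.com@evil.example/x"):
        print(sample, "->", assess_qr_url(sample, "microsoftonline.com", "microsoft"))
```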
What to Do If You Scanned a Suspicious QR Code
- Do not enter any information. Close the browser tab immediately.
- If you already entered credentials, change the password for that account immediately from a different device. Enable two-factor authentication if you have not already.
- Check for unauthorized access. Review recent login activity on the affected account. Most services (Google, Microsoft, banks) have a "recent activity" or "active sessions" page.
- Report it. If the QR code was on a public sign or meter, report it to the business or municipality. If it came via email, report it to your IT team or forward it to your email provider's phishing report address.
- Scan your phone. If you suspect the page may have triggered a download, run a security scan on your device.
The Bottom Line
QR codes are convenient, and that convenience is exactly what makes them useful for attackers. You cannot read a QR code's destination by looking at it, so you have to rely on context clues and URL inspection after scanning. Treat every QR code the way you would treat a link in an email from an unknown sender: verify before you trust.
When you need to create QR codes for your own use, choose a generator that creates static codes with no tracking redirects. qrmake.dev generates clean, direct QR codes -- your URL goes straight into the code with nothing in between.