
Be Careful Scanning QR Codes: The New Quishing Scam

Peter Nelson · 5 min read

QR codes are everywhere, and scammers are taking advantage. Discover how 'quishing' works, the risks of scanning unknown codes, and how to protect your data.

QR codes became ubiquitous during the pandemic — menus, check-ins, payments, and event registration all moved to QR code scanning. Attackers noticed, and “quishing” (QR code phishing) has emerged as a significant and growing threat.

The reason quishing is effective is specific: email security tools are highly sophisticated at scanning URLs embedded in email text, but most cannot scan the URL encoded inside a QR code image. A malicious link inside a QR code image bypasses many email filters that would catch the same link written as text.


How Quishing Works

A quishing attack typically follows this pattern:

  1. Delivery: A QR code is delivered via email, physical flyer, sticker, or document. The email context makes the scan appear legitimate: “Scan to complete your Microsoft account verification,” “Scan to access your invoice,” “Scan to sign the attached document.”

  2. Bypass: Email security tools perform URL scanning on text links, but most cannot scan the URL encoded in a QR image. The malicious link passes through email filtering undetected.

  3. Device shift: The victim scans the QR code on their phone — moving the attack from a managed, corporate laptop (with endpoint security) to a personal mobile device (often unmanaged, with fewer controls).

  4. Attack: The scanned URL loads a convincing phishing page: a fake Microsoft 365 login page, a fake DocuSign page, or a page that drives a malware download. The victim enters credentials, which are captured by the attacker.


Real-World Quishing Scenarios

The Microsoft MFA Quishing Attack

One of the most common quishing attacks impersonates Microsoft security notifications:

  • Email appears to come from Microsoft Security (spoofed or lookalike domain)
  • Subject: “Your Microsoft account requires verification” or “Unusual sign-in activity detected”
  • Body text instructs the user to scan the included QR code to verify their account
  • QR code resolves to a fake Microsoft login page that harvests credentials and (in AiTM variants) session tokens

The Physical Quishing Attack

Attackers place physical sticker QR codes over legitimate QR codes in public spaces — parking meters, restaurant menus, event check-in posters. The sticker code redirects to a malicious page instead of the intended destination.

A Melbourne business receiving clients or running events with QR code check-in should check that no sticker has been placed over its printed QR codes before each use.

The Parcel Delivery Quishing Attack

An email or SMS purportedly from Australia Post, DHL, or FedEx includes a QR code to “track your parcel” or “confirm delivery details.” The QR code leads to a credential harvesting page or a prompt to install a malicious app.


Why Phones Are the Target

When a victim scans a QR code on their phone, they are now on a mobile device that typically:

  • Has fewer corporate security controls than a managed laptop
  • Has a smaller browser bar making full URLs harder to read and verify
  • Is a personal device not enrolled in MDM
  • May have personal accounts (banking, email) as well as business accounts accessible

Shifting the attack to the phone is a deliberate strategy to move outside the corporate security perimeter.


How to Protect Against Quishing

For Individual Users

Verify before scanning. Ask: do I know who sent this? Is there a legitimate reason for a QR code in this context? Would the legitimate sender normally use a QR code for this request?

Preview the URL before visiting. Most modern smartphones show the URL the QR code resolves to before you open it. On iPhone: hold the QR code in the camera viewfinder — the URL appears at the top before you tap to open. On Android: Google Lens shows the URL in the same way before you open it.

If the URL looks wrong (a Microsoft email with a non-microsoft.com domain, a DocuSign notification pointing to a random domain), do not open it.
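As an added example (not code from the original post), here is a small Python check for the URL a phone previews from a QR code, applying the test above: does the host actually belong to the brand the email claims? The BRAND_DOMAINS table and the sample URLs are constructed assumptions, not an exhaustive list.

```python
from urllib.parse import urlsplit

# Constructed lookup: brand an email claims to be from -> domains that brand
# legitimately uses for sign-in. Illustrative assumption only; extend per tenant.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "docusign": {"docusign.com", "docusign.net"},
}


def _host_matches(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it.
    'microsoft.com.evil.example' does NOT match 'microsoft.com'."""
    return host == domain or host.endswith("." + domain)


def check_qr_url(decoded_url: str, claimed_brand: str) -> dict:
    """Classify a decoded QR URL against the brand the email claims to be from.

    Returns {'host': ..., 'verdict': 'ok' | 'suspicious', 'reasons': [...]}.
    """
    reasons = []
    parts = urlsplit(decoded_url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        reasons.append("not HTTPS")
    if parts.username is not None:
        # In https://microsoft.com@evil.example the text before '@' is userinfo,
        # not the host; the browser really goes to evil.example.
        reasons.append("URL contains userinfo before '@' (host-spoofing trick)")
    if not host:
        reasons.append("no hostname")
    else:
        allowed = BRAND_DOMAINS.get(claimed_brand.lower(), set())
        if not any(_host_matches(host, d) for d in allowed):
            reasons.append(f"host '{host}' is not a {claimed_brand} domain")
            if claimed_brand.lower() in host:
                reasons.append("brand name embedded in a lookalike host")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode (IDN) hostname; check for homoglyphs")

    return {"host": host, "verdict": "suspicious" if reasons else "ok", "reasons": reasons}
```

The same check can sit in a mail gateway behind whatever QR decoder the gateway provides; the brand is then taken from the email's display name or subject.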

Do not enter credentials on pages reached via unexpected QR codes. If scanning a QR code takes you to a login page you were not expecting, navigate to the legitimate site directly (type the address in the browser) rather than using the QR code URL.

For IT Administrators

Deploy QR code scanning awareness in security training. Most security awareness programmes focus on email links and attachments; update to include quishing scenarios specifically.

Enable URL preview on corporate mobile devices. Intune MDM policies can configure Microsoft Edge on managed devices to preview QR code URLs before navigation.

Configure email filtering to quarantine emails with embedded QR codes from unknown senders. Some email security tools now support QR code URL extraction and scanning — check whether your Microsoft Defender for Office 365 configuration or third-party email security tool has this capability.

Apply the same critical thinking to QR codes as to email links. If a colleague would not click an unexpected email link, they should apply the same caution to an unexpected QR code scan request.

CX IT Services includes quishing awareness in our cybersecurity training programme for Melbourne businesses. Book a Right Fit Call to discuss your security awareness training approach.
