
QR Code Scams (Quishing): How Attackers Hide Phishing Links in Plain Sight


There’s something almost poetic about QR codes becoming a security threat. We spent years training people not to click unfamiliar links – then handed attackers a method that bypasses that instinct entirely, wrapped up in a harmless-looking black-and-white square.

QR code scams, more precisely known as quishing (a blend of “QR code” and “phishing”), have grown from a niche curiosity into a mainstream attack vector in the space of just a few years. According to Zensec, QR code phishing attacks increased by 400% between 2023 and 2025 – a number that reflects not just how effective the technique is, but how quickly attackers converge on anything that works. The underlying logic is the same as any phishing campaign: get the target to a malicious URL. The difference is how that URL is delivered – and how effectively the delivery method sidesteps the defenses people have built up against traditional phishing.

This article breaks down what quishing is, how these attacks are structured, who gets targeted, and what you can realistically do to reduce your exposure.

What Is Quishing, Exactly?

Quishing is not a complicated new technique – it’s a familiar attack in a new wrapper. But the wrapper changes a lot.

Quishing is phishing that uses a QR code as the delivery mechanism instead of a clickable hyperlink. The end goal remains consistent with any phishing attack: direct the target to a malicious URL that harvests credentials, installs malware, or tricks them into handing over sensitive information. The difference is entirely in how the link reaches the victim – and how that changes what defenders can do about it.

With a traditional phishing link, there are multiple intervention points. Email security gateways scan URLs in message bodies. Browser-based tools flag known malicious domains. Users can hover over a link to preview the destination before clicking. None of that applies to a QR code. The URL is encoded in an image. It travels through email systems invisibly. It bypasses link-scanning tools that don’t perform image analysis. And it gets processed by a device – usually a smartphone – that typically lacks the security infrastructure of a managed laptop.

That combination of invisibility and mobile targeting is precisely what has made quishing attractive enough to move from rare to routine.

Why QR Code Scams Work So Well

The effectiveness of quishing has less to do with technical sophistication and more to do with exploiting context – and the specific way humans have learned to interact with QR codes.

The visual trust problem

A suspicious URL carries visible signals. Slight misspellings, unusual top-level domains, strings of random characters – trained eyes can catch these. QR codes offer no equivalent signal. Two codes printed side by side are visually indistinguishable regardless of where they lead. One might link to your bank’s real login page; the other to a pixel-perfect replica designed to capture your credentials. Without scanning and reading the destination URL, there’s no way to tell the difference.

This is where social engineering and technical design intersect effectively. Attackers don’t just generate malicious QR codes – they place them in contexts that carry institutional authority. Printed on what appears to be a legitimate parking notice. Overlaid on the QR code at a restaurant table. Embedded in an HR email about benefits enrollment. The medium borrows legitimacy from the context, and users extend trust they would never give to an unsolicited link.

What an attacker actually does

The attacker places a malicious code where one is expected – over a restaurant’s QR menu, on a fake parking notice, or in an HR email – so the context does the persuasion work. The code itself communicates nothing suspicious. The trust comes from the environment around it.

Mobile devices as the weak link

When a QR code gets scanned, it’s almost always on a phone. And phones, for most people, sit outside the security perimeter that organizations build around their managed devices. Corporate laptops typically have endpoint protection, DNS filtering, web proxies, and controlled browser configurations. Personal smartphones usually have none of those things.

Attackers build quishing campaigns with this in mind. The fake login pages served after a scan are optimized for mobile rendering – they look exactly right on a small screen, load quickly on mobile connections, and are designed to feel like a natural continuation of whatever the QR code promised. Mobile browsers also display truncated URLs, making it harder to spot domain impersonation before the page loads.

The result is an attack that specifically benefits from the security gap between how we manage desktop environments and how we treat the phones in our pockets.

Email security blind spots

Modern email security tools have become genuinely effective at detecting malicious links in message bodies. Reputation-based URL filtering, sandboxed link previews, and machine-learning classifiers have raised the cost of delivering phishing links by email considerably. Quishing sidesteps this infrastructure almost entirely.

When a QR code image is embedded in an email, the security gateway sees an image – not a link. Unless the platform specifically performs OCR on embedded images and then evaluates the extracted URLs, the malicious destination travels undetected through the same inbox defenses that would immediately flag a hyperlink to the same page. That gap in coverage is a direct driver of the technique’s growth.

By the numbers

2.7 million emails containing QR codes detected daily between Oct 2024 and Mar 2025

1.7 million+ unique malicious QR codes detected in email attachments in that same six-month period

67.6% of malicious QR codes in email are delivered as images; 32.4% use Unicode characters to evade filters
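As an added example (not code from the article or from ZoogVPN), this is the kind of triage a mail gateway can run to close the blind spot described above: it walks the MIME parts of a message, lists image parts that should be handed to a QR decoder, and flags text parts that carry a QR code drawn with Unicode glyphs, the variant in the statistics. It assumes that the Unicode variant builds its modules from block-element characters (U+2580 to U+259F); the sample message is constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

# Block-element glyphs (U+2580..U+259F). Assumption: the "Unicode" QR variant
# draws its modules with these characters instead of shipping an image.
BLOCK_CHARS = {chr(c) for c in range(0x2580, 0x25A0)}

def looks_like_text_qr(text, min_rows=11, min_cols=21):
    """Heuristic: enough consecutive wide lines made almost entirely of block glyphs
    and spaces. A version-1 QR code is 21x21 modules; drawn with half-block glyphs
    (two module rows per text line) that is at least 11 rows of 21 columns."""
    run = 0
    for line in text.splitlines():
        s = line.rstrip()
        blocks = sum(ch in BLOCK_CHARS for ch in s)
        filler = sum(ch in BLOCK_CHARS or ch == " " for ch in s)
        if len(s) >= min_cols and blocks >= 0.3 * len(s) and filler >= 0.9 * len(s):
            run += 1
            if run >= min_rows:
                return True
        else:
            run = 0
    return False

def triage_message(raw_bytes):
    """Walk a MIME message and report (a) image parts a gateway should decode for
    QR content and (b) text parts carrying a Unicode-drawn QR grid."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            findings.append(("image_part", part.get_filename() or ctype))
        elif ctype in ("text/plain", "text/html") and looks_like_text_qr(part.get_content()):
            findings.append(("unicode_qr", ctype))
    return findings

def build_sample():
    """Constructed sample: a pasted text-QR grid plus a stub PNG attachment."""
    grid = "\n".join(("█▀" * 11)[:21] if i % 2 else ("▄█" * 11)[:21] for i in range(12))
    m = EmailMessage()
    m["Subject"] = "Action required: verify your account"
    m.set_content("Scan the code below to verify your identity:\n\n" + grid + "\n")
    m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="qr.png")
    return m.as_bytes()
```

Image parts still need an actual QR decoder behind them; this routine only decides which parts deserve that (more expensive) step.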

How Quishing Attacks Are Structured

The specific lures vary considerably, but the underlying attack architecture follows a recognizable pattern across most campaigns.

Delivery: how the QR code reaches the target

Email remains the dominant delivery channel. Attackers send messages impersonating banks, employers, government agencies, or package delivery services – any institution with a plausible reason to ask for account verification or information updates. The email explains that the recipient needs to scan a QR code to complete the required action, often with urgency framing: “Your account will be suspended,” “Action required within 24 hours,” “Verify your identity to restore access.”

Physical delivery is increasingly well-documented. Malicious QR codes have been placed as stickers over legitimate codes on parking meters, restaurant tables, and public transit check-in points. This approach requires physical access to the target location but produces a high-trust environment – the code appears where the user expects one to be, doing what they expect it to do.

Targeted campaigns – sometimes called spear-quishing – go further, using information about the target’s employer, role, or recent activity to construct believable pretexts. A finance employee receiving what appears to be an internal approval request, or an executive getting what looks like a board document link, is operating in a context that reduces natural skepticism.


The destination and what happens next

Once the victim scans the code and loads the URL, the attack proceeds like any phishing operation. The landing page typically mimics a trusted service – a Microsoft 365 login screen, a banking portal, a corporate SSO page, or a government authentication system. Credentials entered there go directly to the attacker.

More sophisticated campaigns use multi-step redirect chains. The URL encoded in the QR code points to a legitimate service – a Google Docs page, a SharePoint file, a cloud storage link – which then redirects to the malicious destination. This approach is designed to defeat any security tool that evaluates the QR code’s encoded URL at the point of delivery, since that URL appears entirely benign.

Some campaigns bypass credential theft entirely and focus on device exploitation: serving pages that attempt drive-by downloads, prompt the user to install a malicious configuration profile, or request camera and microphone permissions under a convincing pretext. On mobile, where users encounter permission prompts regularly and often approve them without close reading, these approaches can be more effective than they have any right to be.

Who Gets Targeted

Quishing campaigns range from broad, opportunistic attacks designed to catch anyone who scans, to precise, personalized operations targeting specific individuals within specific organizations.

Corporate employees are a consistent high-value target, particularly in finance, HR, and IT – roles that combine access to sensitive systems with a workflow that involves regular account verification, approval requests, and document review. Executives receive disproportionate targeting because their credentials open disproportionate access.

Consumer-facing quishing is also common and doesn’t require any organizational targeting. Fake toll notices mailed to vehicle owners, fraudulent delivery confirmation texts asking recipients to scan a code, and counterfeit payment terminals at retail locations have all been used in documented campaigns. The scale is different, but the mechanism is identical. Brand impersonation data makes the targeting priorities clear: Mastercard was the most spoofed brand in QR code phishing campaigns with 14,233 malicious codes recorded, followed by Microsoft at 11,796 – a combination that spans both financial credentials and corporate account access.

Red flags worth knowing

No single indicator definitively identifies a malicious QR code, but several patterns should prompt careful scrutiny before scanning. An unexpected QR code in an email – especially one attached to urgency language – deserves a pause. Physical QR codes that look like stickers placed over an existing surface are a particularly reliable warning sign. Any page that loads after scanning and immediately requests login credentials, payment information, or app installation warrants serious skepticism.

What to check before you proceed

Most smartphones display the destination URL when a QR code is scanned, before the browser loads the page. Read it. Look for misspelled brand names, unfamiliar top-level domains, and redirect chains passing through multiple domains. If the URL doesn’t match what the context led you to expect, don’t proceed.
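An added example, not from the article: a checker for the URL a phone shows after a scan, applying the checks listed above (brand lookalikes, unfamiliar top-level domains, a nested redirect URL) plus punycode and plain-HTTP warnings. The brand list uses the two brands the article names as most spoofed; the low-reputation TLD set is a constructed placeholder, and the registrable-domain logic is deliberately naive.

```python
import difflib
from urllib.parse import parse_qsl, urlparse

# The two brands the article reports as most spoofed, with their real registrable domains.
KNOWN_BRANDS = {"microsoft": "microsoft.com", "mastercard": "mastercard.com"}
# Constructed example set of cheap TLDs (the .top domains seen in toll-scam SMS among
# them); a real deployment would drive this from its own telemetry or a feed.
LOW_REP_TLDS = {"top", "xyz", "icu"}

def assess_qr_url(url):
    """Return human-readable warnings for a URL decoded from a QR code.
    An empty list means nothing obviously wrong, not that the URL is safe."""
    findings = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    labels = host.split(".") if host else []
    if p.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {p.scheme!r}")
        return findings
    if p.scheme == "http":
        findings.append("plain HTTP on a page that may ask for credentials")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode label (possible homoglyph domain)")
    if labels and labels[-1] in LOW_REP_TLDS:
        findings.append(f"low-reputation TLD .{labels[-1]}")
    # Naive registrable domain (last two labels); use a public-suffix list for co.uk etc.
    registrable = ".".join(labels[-2:])
    second = labels[-2] if len(labels) >= 2 else host
    for brand, real_domain in KNOWN_BRANDS.items():
        if registrable == real_domain:
            continue
        if brand in host:
            # e.g. microsoft.login-verify.top: brand name used as a subdomain or prefix
            findings.append(f"'{brand}' appears in host but domain is {registrable}")
        elif difflib.SequenceMatcher(None, brand, second).ratio() >= 0.75:
            # e.g. micros0ft.com: close edit distance to the brand's own label
            findings.append(f"lookalike of {brand}: {registrable}")
    # Redirect-chain indicator: a complete URL carried inside the query string.
    for _, value in parse_qsl(p.query):
        if value.lower().startswith(("http://", "https://")):
            findings.append(f"nested URL in query string: {value}")
    return findings
```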

What Organizations Can Do

For security teams, quishing is genuinely difficult to address because the attack surface spans email infrastructure, physical spaces, and personal devices that may sit entirely outside organizational control.

Email security platforms that incorporate image analysis – specifically OCR-based URL extraction from embedded images – provide meaningful coverage against QR-code-based delivery in email. These tools are not universally deployed and not fully reliable, but they catch a significant portion of commodity quishing campaigns. The gap between organizations that have this capability and those that don’t is a real difference in exposure.

Security awareness training needs to explicitly address QR code phishing as a distinct threat. Many people who have internalized good instincts about suspicious links have no equivalent mental model for QR codes – the two feel categorically different even though they serve the same function in an attack. Running phishing simulations that use QR code lures, rather than only hyperlinks, helps people develop the right instincts before an actual attack tests them.

Multi-factor authentication remains one of the strongest mitigations for credential-based attacks regardless of delivery mechanism. If an employee scans a malicious code and enters their credentials, MFA significantly raises the cost of exploitation – particularly hardware tokens or authenticator apps rather than SMS-based codes, which carry their own interception risks. Passkeys, where adoption has reached a practical threshold, eliminate the stolen-credential problem at the authentication layer entirely.

The Role of a VPN in Reducing Your Exposure

A VPN doesn’t stop you from scanning a malicious QR code. But it meaningfully changes what happens after you do.

When you use a trusted VPN like ZoogVPN, your traffic is routed through encrypted tunnels, and DNS-level filtering can block connections to known malicious domains before your browser loads anything. This is particularly relevant on mobile – precisely the environment where quishing attacks land. Many consumer phones never reach the security infrastructure that corporate devices benefit from. A VPN with active threat filtering partially compensates for that gap.

There’s also a network-level consideration. Quishing attacks frequently arrive when targets are in public spaces – scanning a code at a restaurant, a transit station, or a parking meter. Those environments often involve unsecured Wi-Fi, where session data and credentials transmitted without proper encryption are exposed to interception. A VPN eliminates that exposure, ensuring that even if an attack gets you to a page and you submit information, the transmission itself isn’t additionally compromised by the network you’re on.

Why This Attack Class Keeps Growing

Quishing sits at a convergence of trends that all favor the attacker. General security awareness around traditional phishing has improved, raising the cost of link-based delivery and pushing attackers toward alternatives. QR codes offer a delivery mechanism that bypasses the defenses built around hyperlinks while benefiting from the trust accumulated through years of legitimate use.

At the same time, the legitimate deployment of QR codes has expanded considerably – digital payments, restaurant menus, event check-ins, enterprise authentication flows. Every new legitimate context creates a new plausible pretext for a malicious one. The tooling to generate and distribute quishing campaigns is accessible and inexpensive. The ROI is favorable. And public awareness of QR code scams, while growing, remains well behind awareness of email phishing. The SMS vector illustrates the point: Chinese phishing operations have been flooding phones with SMS messages using .top domains, impersonating US toll road operators like E-ZPass – a campaign that works precisely because paying a toll feels mundane and low-risk.

That asymmetry between deployment and awareness is unlikely to close quickly. The organizations and individuals most likely to be targeted are often the ones with the most to lose and the least direct exposure to security research on the topic.

Staying Ahead of Quishing

The core discipline is the same one that applies to phishing in any form: slow down before acting, verify the source through a channel independent of the message, and treat urgency framing as a signal of manipulation rather than a reason to comply. QR codes add a layer of visual abstraction and a mobile delivery mechanism, but the underlying attack – getting you to hand over credentials or access – is unchanged.

In practice: read URL previews before loading pages from QR codes. Be skeptical of codes in unexpected contexts, particularly those attached to any kind of verification or payment request. Don’t install apps or enter credentials on pages you arrive at through a scan unless you have a specific, independent reason to trust the destination. And ensure that your mobile browsing – especially on public networks – has some form of active filtering beneath it.

The attacks will keep coming. The defenses are not complicated. The gap between them is mostly attention.

Stay protected

Shield yourself with ZoogVPN

Encrypted browsing and DNS-level malicious domain blocking across all your devices – including mobile, where quishing attacks are designed to land. No-logs policy. Every major platform. No enterprise security stack required.

