There's a phishing technique that's been exploding since 2023, and there's a decent chance your email security doesn't catch it. It's called quishing — QR code phishing — and it exploits a fundamental blind spot in how email security works.
Here's the problem in one sentence: email security tools scan links. QR codes aren't links. They're images.
How quishing actually works
The attack is elegantly simple:
1. The attacker sends you an email with a QR code embedded as an image.
2. The email tells you to scan the code with your phone (for "security verification", "document access", "payment confirmation", etc.).
3. You scan it with your phone camera, which opens a URL.
4. That URL leads to a credential-harvesting page, a malware download, or a payment scam.
The key insight: when email security tools process your incoming mail, they parse the message body and HTML for URLs, check them against threat databases, and often rewrite or detonate them. But a QR code is just a PNG or JPEG. It's pixels. The URL is encoded visually, not as text. Historically most scanners have not tried to decode every embedded image, because doing that for every message costs CPU and adds delivery latency, so the image is treated as an opaque blob and the URL inside it is never extracted.
So the malicious URL sails right through, hidden inside what looks like an innocent image.
Why your phone makes this worse
There's a second layer to why quishing is so effective: it moves the attack from your computer to your phone.
When you click a suspicious link on your work laptop, your company's web proxy, endpoint protection and browser security all get a chance to block it. When you scan a QR code with your personal phone, usually none of those are in the path: you're on mobile data or home Wi-Fi, in your personal browser, with no corporate security stack between you and the site. Only a managed phone with MDM and a mobile threat-defence agent changes that, and most personal phones have neither.
Attackers know this. It's not a bug in their strategy — it's the entire point.
Real-world quishing examples
These aren't theoretical. These are actual campaigns that have been documented:
Fake Microsoft 365 MFA setup The most common quishing lure. You receive an email saying your multi-factor authentication needs to be reconfigured, with a QR code to "scan with your authenticator app". The code actually opens a fake Microsoft login page behind an adversary-in-the-middle kit: it proxies your username, password and one-time code to the real service in real time and keeps the resulting session. A genuine MFA enrolment QR code is displayed to you on the service's own web page after you have already signed in; it is not emailed to you. The irony of using fake MFA setup to steal MFA credentials is not lost on security researchers.
Parking fine scams Widespread in the UK during 2023-2024. Physical QR code stickers were placed on parking meters, but the same attack migrated to email: a fake council email with a QR code to "pay your outstanding parking charge." The URL leads to a payment form that harvests your card details. Several UK councils issued warnings about these.
Delivery notification phishing "Your package couldn't be delivered. Scan this QR code to reschedule." The QR code leads to a fake Royal Mail, DPD, or Evri page that asks for a small redelivery fee — which captures your payment details. These spike massively around Christmas and Black Friday.
DocuSign and SharePoint lures "Scan to view your shared document." These target corporate environments and have been particularly effective because employees are conditioned to interact with DocuSign QR codes for legitimate contract signing.
Energy bill scams Fake emails from energy providers during the cost-of-living crisis: "Scan this QR code to apply for your government energy rebate." These targeted vulnerable people who were genuinely struggling with bills — particularly effective because the urgency felt real.
The numbers are alarming
Quishing isn't a niche technique — it's rapidly becoming mainstream:
- Hoxhunt reported a 20x surge in QR phishing attacks in the fall of 2023, when they had been negligible just six months before
- Abnormal Security found that 89% of QR code attacks are credential harvesting (not malware delivery)
- ReliaQuest documented that 12% of quishing incidents involved QR codes hidden in PDF or JPEG attachments, a tactic designed to evade email filters
- HP Wolf Security found that the average quishing email evades detection by more email security platforms than any other phishing technique they tested
The growth makes sense from the attacker's perspective: a QR code costs nothing to generate, the URL inside it never appears as a hyperlink for link rewriting or sandboxing to catch, and the phone it lands on is less protected than the laptop the email was read on. It's a rational business decision for criminals.
Why email security tools struggle with QR codes
Traditional email security works by:
1. Extracting URLs from the email body and HTML
2. Checking those URLs against known threat databases
3. Following redirects to find the final destination
4. Sandboxing suspicious links to check for malware
With QR codes, step 1 fails entirely. There's no URL in the text to extract. The security tool sees an email that says "please scan this QR code" and an attached image. Without performing image recognition — specifically, detecting that an image contains a QR code and then decoding it — the tool has nothing to analyse.
Some advanced security platforms have started adding QR code detection, but it's computationally expensive. You need to:
- Scan every image in every email for QR code patterns
- Decode any QR codes found
- Extract and analyse the embedded URLs
- Do this at scale without adding noticeable delay to email delivery
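To make the blind spot concrete, here is an added example (my code, not anything from the page or from a vendor product) of the URL-extraction step with and without a QR decoding stage. It constructs a sample quishing-style message with Python's standard `email` library: plain-text and HTML parts that carry a benign help-centre link, an inline PNG that "contains" the lure, and the same code hidden in a PDF attachment. The image bytes, the PDF bytes, the lure URL `https://login.microsoft-verify.example/mfa` and the `demo_decoder` are all constructed placeholders; in a real pipeline the decoder would wrap a library such as pyzbar or OpenCV's QRCodeDetector, and the PDF would need page rendering before any decoder could see it.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Callable, Dict, List, Optional

# http(s) URLs in plain text or inside href="..." attributes (stops at quotes/whitespace).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# A QR decoder takes raw image bytes and returns the payload strings it finds.
# In production this wraps a real library (pyzbar.decode, OpenCV's QRCodeDetector,
# ZXing); here it is injected so the block runs offline and the gap is explicit.
QrDecoder = Callable[[bytes], List[str]]

# Constructed placeholders standing in for a PNG of the attacker's QR code and a PDF.
FAKE_QR_PNG = b"\x89PNG\r\n\x1a\n" + b"<constructed placeholder, not a real image>"
FAKE_PDF = b"%PDF-1.4\n% constructed placeholder, not a real document\n"
QR_PAYLOAD = "https://login.microsoft-verify.example/mfa"  # hypothetical lure URL


def demo_decoder(image_bytes: bytes) -> List[str]:
    """Test double for a real QR decoder: 'decodes' only our placeholder image."""
    return [QR_PAYLOAD] if image_bytes == FAKE_QR_PNG else []


def build_sample_email() -> bytes:
    """Construct a quishing-style message in wire format (sample data, not a real campaign)."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.com>"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Action required: MFA re-enrolment"
    msg.set_content(
        "Your multi-factor authentication must be reconfigured.\n"
        "Scan the QR code below with your phone.\n"
        "Help centre: https://intranet.example.com/help\n"
    )
    msg.add_alternative(
        "<p>Your multi-factor authentication must be reconfigured.</p>"
        '<p><img src="cid:qr1"></p>'
        '<p><a href="https://intranet.example.com/help">Help centre</a></p>',
        subtype="html",
    )
    # Embed the QR image as an inline related part of the HTML alternative.
    msg.get_payload()[1].add_related(FAKE_QR_PNG, maintype="image", subtype="png", cid="<qr1>")
    # Variant from the evasion list: the same code hidden inside a PDF attachment.
    msg.add_attachment(FAKE_PDF, maintype="application", subtype="pdf", filename="mfa-setup.pdf")
    return msg.as_bytes()


def extract_urls(raw: bytes, decode_qr: Optional[QrDecoder] = None) -> Dict[str, object]:
    """Step 1 of the pipeline: collect URLs, with an optional QR decoding stage for images."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls: Dict[str, str] = {}      # url -> the part it was found in
    unscanned: List[str] = []      # parts that could carry a QR code but were not decoded
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                urls.setdefault(url, ctype)
        elif part.get_content_maintype() == "image":
            if decode_qr is None:
                # The blind spot: the image is opaque bytes and nothing is extracted.
                unscanned.append(ctype)
                continue
            for payload in decode_qr(part.get_payload(decode=True)):
                if URL_RE.fullmatch(payload):
                    urls.setdefault(payload, "qr:" + ctype)
        elif ctype == "application/pdf":
            # A QR code inside a PDF needs the pages rendered to pixels first (not done here).
            unscanned.append(ctype + ":" + (part.get_filename() or ""))
    return {"urls": urls, "unscanned": unscanned}


if __name__ == "__main__":
    raw = build_sample_email()
    print("without QR stage:", extract_urls(raw))
    print("with QR stage:   ", extract_urls(raw, demo_decoder))
```

Run without a decoder and the only URL the scanner ever sees is the legitimate help-centre link, while the image and the PDF sit in `unscanned`; inject the decoder and the lure URL appears, tagged with the image part it came from, ready for steps 2 to 4. The PDF stays unscanned in both runs, which is exactly why attackers moved the code into attachments.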
This is solvable, but it's an arms race. Attackers are already countering QR detection by:
- Splitting QR codes across multiple image fragments
- Using slightly distorted QR codes that phone cameras can read but automated decoders struggle with
- Embedding QR codes within PDFs or other attachments rather than directly in the email body
- Using coloured or branded QR codes that evade pattern matching
How to protect yourself from quishing
Rule 1: Be suspicious of any QR code in an email
There are very few legitimate reasons for a company to put a QR code in an email. Think about it: you're already on a digital device reading the email. Why would they make you scan a code with a different device instead of just including a clickable link? The answer is usually that they wouldn't — unless they're trying to bypass link scanning.
Some legitimate exceptions exist (event tickets, app download links), but if the QR code is asking you to log in, verify your identity, or make a payment — that's a red flag.
Rule 2: Preview the URL before opening
When you scan a QR code with your phone, most modern camera apps show you a preview of the URL before opening it. Read it.
- iPhone: The Camera app shows the URL in a banner at the top — don't tap it until you've read the domain
- Android: Google Lens and most camera apps show the URL before navigation
Check the registrable domain, the part immediately to the left of the public suffix. microsoft.com is fine. microsoft-verify.com is not, and neither is microsoft.com.verify-account.example, where "microsoft.com" is only a subdomain of somebody else's site. A shortener such as bit.ly tells you nothing about where you will end up.
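The same check, written out as an added example (my code, not from the page or any vendor) that goes beyond the single lookalike above: it triages a decoded QR payload for the subdomain trick, a brand name in the userinfo part before the real host, raw IP hosts, punycode labels, URL shorteners and plain http, and it recognises the `otpauth://` provisioning URIs that genuine TOTP authenticator enrolment codes carry, which is never a web login page. The public-suffix set, brand-to-domain map, shortener list and sample URLs are all constructed for the demo and are assumptions, not observed campaign data; real code should use the full Public Suffix List.

```python
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption for the demo); use the
# real PSL (e.g. the publicsuffix2 package) in anything that matters.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.jp"}

# Brand keywords and the registrable domains those brands actually sign in on.
# Illustrative subset; a real list is maintained per organisation.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "royalmail": {"royalmail.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "rb.gy"}


def registrable_domain(host: str) -> str:
    """example.co.uk from www.example.co.uk; example.com from login.example.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(payload: str) -> Dict[str, object]:
    """Classify a decoded QR payload the way a reader should before tapping it."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    findings: List[str] = []

    if scheme == "otpauth":
        # Genuine TOTP enrolment QR codes carry a provisioning URI, not a web page.
        return {"verdict": "authenticator-enrolment", "domain": "", "findings": findings}
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme {scheme!r}")
        return {"verdict": "suspicious", "domain": "", "findings": findings}

    host = (parts.hostname or "").lower()
    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        pass
    domain = host if is_ip else registrable_domain(host)

    if scheme == "http":
        findings.append("plain http, no TLS")
    if "@" in parts.netloc:
        findings.append(f"userinfo before the real host ({host})")
    if is_ip:
        findings.append("raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, possible homoglyph of a brand")
    if domain in SHORTENERS:
        findings.append(f"URL shortener {domain} hides the final destination")

    # Brand name anywhere in netloc/path while the registrable domain is not the brand's.
    haystack = (parts.netloc.lower() + parts.path.lower()).replace("-", "").replace("_", "")
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand in haystack and domain not in real_domains:
            findings.append(f"mentions '{brand}' but registrable domain is {domain}")

    verdict = "suspicious" if findings else "no obvious red flags"
    return {"verdict": verdict, "domain": domain, "findings": findings}


SAMPLES = [  # constructed examples, not observed campaign URLs
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft-verify.com/login",
    "https://microsoft.com.account-check.example/mfa",
    "https://microsoft.com@198.51.100.7/login",
    "http://xn--micrsoft-2kb.example/",  # illustrative punycode label
    "https://bit.ly/3abcDEF",
    "https://www.royalmail.co.uk.redelivery-fee.example/pay",
    "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = triage(url)
        print(f"{r['verdict']:<24} {r['domain']:<28} {url}")
        for f in r["findings"]:
            print("    -", f)
```

The heuristics are deliberately cheap because this is the judgement you make in the two seconds before tapping a banner; they catch the common shapes, not a well-chosen domain that contains no brand name at all, which is why Rule 4 below still applies when the check comes back clean.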
Rule 3: Use a QR scanner app with security features
Your phone's default camera works, but dedicated QR scanner apps such as Kaspersky QR Scanner or Trend Micro QR Scanner check the decoded URL against threat databases before you visit it. It's an extra layer, with the usual caveat: a domain registered yesterday for this campaign won't be on anyone's list yet, so a clean result is not proof of safety.
Rule 4: If it asks for credentials after scanning, stop
If scanning a QR code from an email takes you to a login page, close the tab. Go to the service directly by typing the URL you already know. If there's genuinely something requiring your attention, you'll see it when you log in normally. If you did type a password in before the penny dropped, change it and sign out of all sessions from the account's security settings, because an adversary-in-the-middle page may already hold a valid session.
Rule 5: Report it
If you receive a quishing email, report it to your email provider and forward it to [email protected] (UK) or [email protected]. The more these get reported, the faster security vendors can update their detection.
The bigger picture
Quishing represents a broader trend in phishing: attackers are moving away from techniques that security tools are good at detecting (malicious links, dodgy attachments) and toward techniques that exploit gaps in automated analysis. Images, QR codes, voice calls (vishing), and even physical mail are all on the rise because they're harder for machines to process.
The arms race continues. Security tools will get better at QR detection. Attackers will find the next blind spot. The constant in this equation is human awareness — knowing that QR codes in emails deserve the same suspicion as links.