TL;DR:

  • Quishing hides malicious URLs inside QR code images, bypassing email security tools that scan text links but don’t decode QR codes
  • Most attacks impersonate Microsoft, HMRC, parcel delivery services, or your own IT department to create urgency
  • Defence is mostly about staff awareness and simple policies — the same small business that’s good at spotting text phishing can be blindsided by QR code attacks

Email security filters have gotten good at spotting suspicious links. They scan the URLs in your emails, check them against known-bad lists, and either block the message or warn you before you click. Criminals noticed, and they adapted.

The adaptation is called quishing (QR code phishing): instead of putting a malicious URL in the email as clickable text, the attacker puts it inside a QR code image. Most email security tools scan text, not images. The malicious link sails through unchecked. Your staff scan the QR code with their phone, land on a fake login page, and hand over their credentials — on a device that almost certainly doesn’t have your organisation’s security controls on it.

How a Quishing Attack Works

A typical quishing email looks like this:

Subject: Action required: Verify your Microsoft 365 account

Body: Your account requires re-verification due to a security update. Please scan the QR code below to confirm your identity within 24 hours, or your access will be suspended.

[QR code image]

The QR code leads to a convincing Microsoft login page hosted on a compromised website or a lookalike domain. The user enters their email and password, the fake site captures them, and the attacker now has valid credentials to access your Microsoft 365 account.

Because the user scanned with their phone — not their work computer — even organisations with web filtering on corporate devices won’t catch it. The phone connects straight to the malicious site over mobile data or home Wi-Fi.

Why It’s Growing

Quishing attacks increased significantly in 2025 and continue to grow in 2026, for several reasons:

QR code familiarity has increased. Post-pandemic, scanning QR codes became normalised for menus, payments, and check-ins. Employees are less likely to be suspicious of a QR code than they were five years ago.

Mobile devices are less protected. Most organisations have endpoint security and web filters on laptops. Personal phones used to scan QR codes usually have neither.

It’s cheap to run. A quishing campaign requires a phishing kit, a hosting account, and an image of a QR code. The technical barrier is low.

Small businesses are easier targets. Larger organisations are beginning to deploy email security tools that decode QR codes. Many small businesses still rely on basic email filtering that predates the quishing trend.

What They’re After

Most quishing attacks are after one of four things. Microsoft 365 and Google Workspace credentials are the most common target — access to your email gives an attacker your files, your contacts, and a trusted account to send further phishing from. HMRC credentials are targeted to intercept tax refunds or access business tax accounts. Banking credentials come next, usually via emails impersonating your bank’s security team. And some more sophisticated attacks use real-time credential relay to capture MFA codes alongside passwords, bypassing two-factor authentication entirely.

Real Examples to Watch For

“Your parcel couldn’t be delivered” — a fake Royal Mail or DPD notification with a QR code to “rearrange delivery.” The victim enters card details or login credentials into a fake parcel portal.

“HMRC tax refund available” — a fake HMRC email claiming a refund is pending; the QR code leads to a fake HMRC Government Gateway login.

“IT support needs to verify your account” — impersonates your IT team or a known software vendor and creates urgency around account security.

Printed QR codes — increasingly, attackers are sending physical letters or even placing stickers over legitimate QR codes on car park machines, restaurant menus, or event signage. This is the same attack in the physical world.

What to Do

1. Brief your team — include QR codes in phishing training. If your phishing awareness training only shows text link examples, update it. Employees should know that QR codes in emails are just as suspicious as unexpected links, and the same rules apply: don’t scan codes from unsolicited emails.

2. Create a simple rule: never scan a work-related QR code with your personal phone without pausing. The urgency in the email is designed to make you not pause. Encourage staff to ask “did I expect this?” before scanning.

3. Enable multi-factor authentication everywhere you can. Quishing typically targets credential theft. Even if an attacker captures a password via a quishing attack, MFA with an authenticator app (not SMS) means they can’t use it without access to your phone. This doesn’t stop all attacks but raises the bar significantly.

4. Ask your email provider what QR code protection they offer. Microsoft Defender for Office 365 (Plan 2) and Google Workspace Enterprise now include QR code link scanning in email. If you’re on a basic plan, check whether upgrading is available.

5. Check your domain for lookalike registrations. Attackers often register domains like yourcompanyname-login.com or yourbankname-security.co.uk. Tools like NCSC’s Mail Check and free services like DNSTwist can alert you to suspicious registrations.

6. Report suspicious emails using the NCSC’s Suspicious Email Reporting Service (SERS). Forward to report@phishing.gov.uk. It takes ten seconds and contributes to takedowns that protect others.
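As an added illustration of step 5 (not code from the original article or from any of the tools it names), the Python below triages URLs decoded from QR codes against a hypothetical list of brands and their genuine domains, flagging the yourcompanyname-login.com style of lookalike the article describes. The brand list, lure words and sample URLs are all constructed for the example; a real deployment would feed in the URLs your QR-decoding mail filter extracts.

```python
"""Flag lookalike domains in URLs decoded from QR codes.
Stdlib only; brand list, lure words and sample URLs are constructed."""
from urllib.parse import urlparse

# Hypothetical: brands we protect and the domains that genuinely belong to them.
LEGIT = {
    "examplecorp": {"examplecorp.com", "examplecorp.co.uk"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}
# Words attackers commonly bolt onto a brand name when registering lookalikes.
LURE_WORDS = ("login", "security", "verify", "account", "secure", "signin", "365")
# Multi-label suffixes must come before their single-label parents.
PUBLIC_SUFFIXES = ("co.uk", "org.uk", "gov.uk", "com", "net", "org", "io", "uk")


def registrable_domain(host: str) -> str:
    """login.examplecorp.co.uk -> examplecorp.co.uk (small public-suffix table)."""
    host = host.lower().rstrip(".")
    for suffix in PUBLIC_SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return f"{label}.{suffix}"
    return host


def classify_url(url: str) -> tuple:
    """Return ('legit' | 'lookalike' | 'unknown', reason) for one decoded URL."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("unknown", "no hostname in URL")
    reg = registrable_domain(host)
    for brand, domains in LEGIT.items():
        if reg in domains:
            return ("legit", f"{reg} is a known {brand} domain")
    reg_label = reg.split(".")[0]
    for brand in LEGIT:
        if brand in reg_label:  # brand embedded in a domain we do not own
            extras = [w for w in LURE_WORDS if w in reg_label.replace(brand, "")]
            why = f"brand '{brand}' in unowned domain {reg}"
            return ("lookalike", why + (f" with lure word(s) {extras}" if extras else ""))
        if brand in host:  # brand only appears as a subdomain of someone else's domain
            return ("lookalike", f"brand '{brand}' used as subdomain of {reg}")
    return ("unknown", f"{reg} is not a tracked domain")


if __name__ == "__main__":
    # Constructed sample URLs, as a QR-decoding filter might hand them over.
    for u in ("https://login.examplecorp.co.uk/sso", "https://examplecorp-login.com/verify",
              "https://microsoft.examplehost.net/", "https://unrelated-site.org/"):
        print(u, "->", classify_url(u))
```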

The Bottom Line

Quishing is effective precisely because it exploits the gap between email security tools (which watch for text links) and human behaviour (which increasingly treats QR codes as routine). The technical fix — email security tools that decode and scan QR codes — is improving but not universally deployed.

In the meantime, awareness is the most reliable control. A team that knows quishing exists, knows what the common lures look like, and knows to pause before scanning will stop most attacks before they start.

This doesn’t require expensive software or an IT department. It requires a five-minute conversation and a follow-up in your next team meeting.