Quishing Explained: Why QR Code Phishing Doubled in the Last Year
Quishing is phishing delivered as a QR code instead of a clickable link, and reported cases roughly doubled in the last year because the technique slips past defenses that only read text. If you've ever scanned a sticker on a parking meter, a "missed delivery" SMS with a QR image, or a code printed inside a surprise package, you've already met the surface area attackers are targeting.
What is quishing?
Quishing is a portmanteau of QR and phishing. The QR code encodes a URL. The URL points at a credential-harvesting page or a malware drop. It's the same playbook phishers have used for two decades, with one twist: the lure is a square of black-and-white pixels instead of a blue link. The FTC has tracked this since 2023, and Wikipedia now lists it as a recognized phishing vector.
The trick is mechanical. A QR code is just a visual encoding of text — usually a URL. Most email gateways, secure web proxies, and SMS link-scanners parse text. They don't OCR pixels. So a malicious URL hidden inside a 600-pixel square walks past URL reputation, link rewriting, and most allow-listing controls.
You scan with your phone. Your phone fetches the URL. You land on a page that looks like Microsoft 365, Okta, your bank, or a delivery service. You type your password. The attacker now has it. The most common 2025 and 2026 lures are parking-meter overlays, fake delivery SMS, brushing-scam packages with a "scan to find sender" note, fake court or traffic-violation notices, and Microsoft 365 multi-factor enrollment prompts.
Why quishing took off in the last year
Three structural shifts compounded.
The pixel-versus-text gap. Email security gateways scan link text. They don't scan images. A QR code rendered as a PNG, embedded in a PDF, or pasted into a Word attachment is invisible to URL reputation scoring. Reporting from BleepingComputer shows the same controls that block 95% of text-link phishing let QR-coded URLs through unchanged.
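One way a gateway can narrow this gap without decoding pixels is to look at the shape of the message rather than the link text: a QR lure typically carries an image, no clickable link for the URL filter to score, and wording that pushes the reader to finish the action on a phone. The following is an added example, not code from the article or from any vendor named on the page; the two sample messages, the phrase list and the PNG placeholder bytes are constructed, and in a real deployment the phrase list and the decision would be tuned against the organisation's own mail.

```python
"""Gateway-side triage for QR-lure email: flag messages that carry an image,
no clickable text link, and a request to scan. Added example, not code from
the article; the sample messages and phrase list below are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Phrasing that pushes the reader to finish the action on a phone camera
# (constructed list; a real filter would use a maintained one).
SCAN_PHRASES = re.compile(
    r"\b(scan (the|this) (qr|code)|(use|open) your (phone|camera))\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def triage(raw: bytes) -> dict:
    """Return what a text-only link scanner sees, plus a QR-lure flag."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_urls = []
    image_parts = 0
    asks_to_scan = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1          # the pixels a URL filter never reads
        elif ctype in ("text/plain", "text/html"):
            text = part.get_content()
            text_urls.extend(URL_RE.findall(text))
            if SCAN_PHRASES.search(text):
                asks_to_scan = True
    # The lure pattern: nothing for the link scanner, an image, and a nudge to scan.
    flag = image_parts > 0 and not text_urls and asks_to_scan
    return {"image_parts": image_parts, "text_urls": text_urls,
            "asks_to_scan": asks_to_scan, "flag": flag}


def make_sample(lure: bool) -> bytes:
    """Constructed messages: a QR lure and a benign note with a normal link."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.test"
    msg["To"] = "staff@example.test"
    if lure:
        msg["Subject"] = "Action required: MFA enrollment expires today"
        msg.set_content("Your MFA enrollment expires in 24 hours.\n"
                        "Scan the QR code below with your phone camera to enroll.\n")
        # Placeholder bytes standing in for a rendered QR image (constructed).
        msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                           maintype="image", subtype="png", filename="enroll.png")
    else:
        msg["Subject"] = "Meeting minutes"
        msg.set_content("Minutes from today's meeting:\n"
                        "https://intranet.example.test/minutes\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, lure in (("QR lure", True), ("benign", False)):
        print(label, triage(make_sample(lure)))
```

The point of the `text_urls` field is that it is empty for the lure: the URL filter, link rewriter and allow-list all operate on that list, so the message passes them untouched. The flag combines that absence with the two signals that are still visible, which is why it fires on the lure and not on the benign note that carries an ordinary intranet link.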
The mobile handoff. When you scan, you stop using the device the company protects. The corporate-managed laptop and its endpoint protection drop out of the chain. Your phone takes over, with a truncated URL bar that hides spoofed subdomains and an app store full of QR scanners that open URLs without previewing them. Whatever filters caught the original email never see the actual click.
State-actor adoption. In June 2025, the FBI warned about the North Korea–linked Kimsuky group using QR codes in spearphishing emails sent to U.S. policy and strategy firms. Once a technique enters APT playbooks, the broader cybercrime ecosystem copies it within months. The polish goes up. Volume goes up. Detection rates fall.
That combination is what produced the headline doubling. More vectors, fewer filters, better lures.
How to spot a quishing attempt
You usually can't tell from the image. Every QR code looks like noise to the human eye. The check happens after the scan, on the URL preview your phone camera shows before opening anything.
A few rules cover most cases. Don't scan QR codes from anything unsolicited — a text from an unknown number, an email you weren't expecting, or a sticker layered over an existing code on a parking meter or restaurant table. When the preview pops up, look at the domain, not the path. If the domain doesn't match the brand the lure claims to be from, stop. Long random strings, link shorteners, and IP addresses are red flags. Treat any page that immediately asks for a password, a payment card, or government ID after a QR scan as suspicious by default — open the company's site directly through your browser instead. For a deeper walkthrough, see our general guide to safe QR scanning.
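The rules above, applied to the decoded payload a phone camera previews, as an added example in Python rather than code from the article or from any scanner it mentions: it judges the registrable domain rather than the path, and flags raw IP addresses, link shorteners, plain http, and long random-looking paths. The brand allow-list, the shortener list, the two-label domain split (a real check uses the Public Suffix List) and the entropy threshold are constructed assumptions.

```python
"""Checks to run on the decoded QR payload (the URL a phone camera previews)
before opening it. Added example, not code from the article; the brand
allow-list, shortener list and thresholds are constructed assumptions."""
import ipaddress
import math
from collections import Counter
from urllib.parse import urlsplit

# Assumed allow-list: brand the lure claims -> registrable domains it really uses.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "okta": {"okta.com"},
}
# A handful of public shorteners; a real deployment keeps a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd", "cutt.ly"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a real check uses the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def assess(payload: str, claimed_brand: str) -> dict:
    """Return the red flags the article lists, judged on the domain, not the path."""
    findings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        findings.append(f"not a web URL (scheme: {parts.scheme or 'none'})")
        return {"host": None, "findings": findings, "verdict": "stop"}
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        findings.append("raw IP address instead of a hostname")
    else:
        reg = registrable_domain(host)
        expected = BRAND_DOMAINS.get(claimed_brand.lower(), set())
        if reg in SHORTENERS:
            findings.append(f"link shortener ({reg}) hides the real destination")
        if expected and reg not in expected:
            findings.append(f"domain {reg} does not belong to {claimed_brand}")
            if claimed_brand.lower() in host:
                # The brand name sits in a subdomain; the registrable domain is what counts.
                findings.append("brand name appears as a subdomain of an unrelated domain")
    if parts.scheme == "http":
        findings.append("plain http, not https")
    tail = parts.path + ("?" + parts.query if parts.query else "")
    if len(tail) > 40 and shannon_entropy(tail) > 4.0:
        findings.append("long high-entropy path/query")
    verdict = "stop" if findings else "no red flags"
    return {"host": host, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed payloads: one legitimate-looking, three matching the article's red flags.
    for url, brand in (
        ("https://login.microsoftonline.com/common/oauth2/authorize", "Microsoft"),
        ("https://microsoft-login.mfa-enroll.example/verify?sid=Zk9pQ2xv7aT1mB4nW8rX3cHdL5yE0uGq", "Microsoft"),
        ("http://198.51.100.23/okta/login", "Okta"),
        ("https://bit.ly/3abc", "Okta"),
    ):
        print(assess(url, brand))
```

The `claimed_brand` argument is whatever the lure says it is (the logo on the sticker, the sender name in the SMS); the check is then simply whether the registrable domain is one that brand actually uses, which is the domain-not-path rule from the text. A verdict of "no red flags" is not proof the page is safe, only that none of the cheap checks fired.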
What to do if you already scanned
Treat it as a confirmed credential breach. Change the password for that account immediately, then for any other account that shares the same one. Turn on phishing-resistant multi-factor authentication — a passkey, hardware key, or authenticator app rather than SMS. Pull a free credit report at AnnualCreditReport.com and review the last month of card and bank statements. If money or identity data was entered, the FTC's recommended response is to file at IdentityTheft.gov and consider freezing your credit.
Frequently Asked Questions
What is quishing in simple terms?
Quishing is phishing that arrives as a QR code instead of a clickable link. The attacker hides a fake-login or malware URL inside a QR image so it gets through email and SMS filters that only scan text. You scan the code on your phone and land on a page that looks like Microsoft, your bank, or a delivery service — and any password you type goes straight to the attacker.
Why did quishing roughly double in the last year?
Three things happened at once. Email gateways still don't read pixels, so a QR image walks past the same defenses that catch a text link. Attackers learned the scan happens on a personal phone, outside whatever protections the workplace runs on a laptop. And the technique started showing up in state-aligned playbooks like Kimsuky's, which pulled it into a much wider set of campaigns.
How can I tell a QR code is malicious before I scan it?
You usually can't tell from the image — every QR code looks like noise to the human eye. The check happens after the scan, on the URL preview. Most modern phone cameras show the destination URL before opening it. If the domain doesn't match the brand the code claims to come from, if it's a long random string, if it routes through a link-shortener, or if the page immediately asks for a password or payment, back out.
What should I do if I already scanned a quishing QR code and entered my password?
Treat it as a confirmed credential breach. Change the password for that account immediately, then for any other account sharing the same password. Turn on two-factor authentication, ideally with a passkey or hardware key rather than SMS. Pull a free credit report at AnnualCreditReport.com and watch your bank and card statements for the next few weeks. If money or identity data is involved, file a report at IdentityTheft.gov.
Bottom line
Quishing surged because the technique slipped past existing detection layers and got picked up by everyone from opportunistic scammers to state actors. The fix on your side is small and concrete: preview the URL before tapping, never scan something unsolicited, and use phishing-resistant multi-factor authentication on the accounts that matter. QRDock previews every URL before opening it and runs a safety check on the destination — exactly the gap quishing is built to exploit, and the gap a careful scanner closes.