# Email Quishing: How QR Code Phishing Bypasses Inbox Security

> Email quishing embeds a QR code in your inbox so security filters miss the threat entirely. Here's what the attack looks like and how to stop it before you scan.

URL: https://www.qrsafer.com/blog/qr-code-phishing-email-quishing
Published: 2026-04-10

---

Email security filters are good at catching suspicious links. Attackers know this. So some of them stopped using links.

Instead, they embed a QR code in the email and tell you to scan it with your phone. Your company's email filter sees an image — not a URL — and flags nothing. Your phone's camera opens the link. The phishing site loads. That's quishing.

## Why email quishing bypasses corporate security filters

Most corporate email security tools work by analyzing URLs in the message body. They follow links, check reputations, and block anything suspicious. QR codes contain a URL, but they're delivered as images. The scanner sees pixels, not text. It can't follow the link. It moves on.

That's the attacker's advantage in a single sentence: your email security scans text, not images. Quishing attacks surged 587% in Q3 2023, according to [Abnormal Security](https://abnormalsecurity.com) — a direct result of attackers discovering how reliably this gap works.

Attackers pair this with social engineering. The email might look like:

- A two-factor authentication prompt from Microsoft or Google
- An HR document requiring your "digital signature"
- A FedEx tracking link (see [how package QR scams work](/package-tracking-qr-code-scam))
- An invoice from a vendor you recognize
- A password expiration warning from IT

Each of these creates urgency. You scan, you enter your credentials, and the attacker has them.

## What a quishing email actually looks like

The format varies, but common elements show up consistently.

**Urgency language.** "Your account will be locked in 24 hours." "Action required before Friday." This pushes you to act before thinking.

**A QR code image.** It might be centered in the email or placed alongside a company logo. Some attacks include a fake "scan this with your phone for better security" explanation — framing the attack as a feature.

**No clickable link.** This is intentional. The attacker wants the QR code scanned from your phone, where your company's endpoint protection isn't watching.

**A spoofed sender.** The From field might display your IT department, Microsoft, or your HR platform. Always check the actual sending domain, not just the display name.
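The four elements above can be checked mechanically on a reported message. The following triage sketch is an added example, not code from QRsafer or any email security product. It does not decode the QR image; the signal names, the `BRAND_DOMAINS` allow-list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://|www\.", re.I)
URGENCY_RE = re.compile(r"will be locked|action required|expir", re.I)
# Assumption: brands mapped to the sending domains you accept as genuine.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "google": {"google.com"}}

def quishing_signals(raw):
    """Return the set of warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    text, has_image = str(msg.get("Subject", "")), False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            has_image = True          # pixels only: a URL filter sees nothing here
        elif ctype in ("text/plain", "text/html"):
            text += "\n" + part.get_content()
    signals = set()
    if has_image and not URL_RE.search(text):
        signals.add("image_without_link")
    if has_image and re.search(r"\bscan\b", text, re.I):
        signals.add("scan_instruction")
    if URGENCY_RE.search(text):
        signals.add("urgency_language")
    for brand, domains in BRAND_DOMAINS.items():
        genuine = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in display.lower() and not genuine:
            signals.add("display_name_domain_mismatch")
    return signals

def build_sample(sender, subject, body):
    """Constructed test message: text body plus one inline PNG-typed part."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    m.add_attachment(b"\x89PNG constructed bytes", maintype="image",
                     subtype="png", filename="code.png")
    return m.as_string()

if __name__ == "__main__":
    lure = build_sample('"Microsoft Support" <support@microsoft-verify-account.net>',
                        "Action required before Friday",
                        "Your account will be locked in 24 hours. Scan the code with your phone.")
    print(sorted(quishing_signals(lure)))
```

Any single signal is weak on its own; a message that raises several at once is the one worth forwarding to the security team for manual review.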

## Why your phone is the target

When you scan a QR code from a work email, you almost always use your personal phone. Your company's mobile device management probably doesn't cover it. Its browser has no corporate security extensions. The phishing page loads without a warning.

That's the asymmetry attackers exploit: your email arrives on a managed device, but the QR code routes you to an unmanaged one.

![A person scanning a QR code with a smartphone](https://images.unsplash.com/photo-1611532736597-de2d4265fba3?w=800&q=80)

## How to respond when a quishing email lands in your inbox

**Don't scan QR codes in emails.** Any email that asks you to scan instead of click deserves immediate suspicion. Legitimate services don't route authentication through your phone's camera.

**Look at the actual sender domain.** "Microsoft Support" as a display name means nothing. `support@microsoft-verify-account.net` means fraud. Expand the sender info before acting on anything.

**Check the URL before you open it.** If you do scan, use an app like QRsafer that shows you the destination URL and checks it for threats before anything loads. You get a Safe, Risky, or Dangerous verdict before the page ever opens — checked against five independent security APIs on the premium tier.

**Report it immediately.** Forward the email to your IT or security team. Quishing campaigns usually target entire organizations at once — your colleagues may be receiving the same message right now.

**Never enter credentials on a page you reached by scanning an email QR code.** Even if the page looks exactly right, navigate to the service directly in your browser instead.

## If your organization is being targeted

Quishing campaigns often blanket entire companies at once. If you received one, others did too.

Security teams responding to quishing should:

- Alert employees company-wide with a screenshot of what the attack looks like
- Add an external-email banner reminding staff not to scan QR codes in messages
- Review email filter settings — some enterprise tools now offer QR-in-image URL extraction
- Run a phishing simulation with a QR code variant to measure exposure before the next wave hits

Individual employees can't control the filter. They can control the moment before they scan.

## The one habit that stops quishing cold

Pause before you scan any QR code — in an email, on a flyer, anywhere. Ask: does this request make sense? Do I know where this goes?

If you scan anyway, let an app check the destination first. That two-second window between scan and page load is exactly where quishing attacks live. A security check in that gap stops the attack before it starts.

For more on recognizing threats, read [how to spot a malicious QR code before you scan](/blog/how-to-spot-a-malicious-qr-code-before-you-scan). If you already scanned something suspicious, follow the [recovery steps here](/blog/what-to-do-if-you-scanned-a-suspicious-qr-code).

## See also
- [What Is Quishing?](/blog/what-is-quishing)
- [What to Do If You Scanned a Suspicious QR Code](/blog/what-to-do-if-you-scanned-a-suspicious-qr-code)
- [How to Spot a Malicious QR Code Before You Scan](/blog/how-to-spot-a-malicious-qr-code-before-you-scan)
- [QRsafer vs. iPhone Camera](/qrsafer-vs-iphone-camera)
- [QR Code Threat Map](/threat-map)
