Quishing is QR code phishing. That's the whole definition. It's a scam where an attacker encodes a malicious URL inside a QR code, gets you to scan it, and collects whatever you hand over — a password, payment info, or personal data — on the fake page that loads.
The name is a mashup of "QR" and "phishing," and it's been growing steadily. Most email security tools scan links for malicious content, but a QR code is just an image, so a scanner that only inspects links has nothing to flag. That's the entire reason attackers switched.
Why quishing works
Traditional phishing emails include a link. Email providers and security tools have spent years learning to inspect those links and quarantine suspicious ones. QR codes sidestep that entirely.
When you scan a QR code, the URL only becomes visible on your phone — after your camera has already read it. By the time any protection could intercept it, you're already looking at the fake login page.
According to Check Point Research, quishing attacks increased by over 587% in Q3 2023 compared to the prior quarter. Proofpoint data shows QR code phishing now represents roughly 3% of all phishing attempts — a small share but a fast-growing one because the attack surface is relatively undefended.
There's a second reason quishing works: familiarity. We associate QR codes with menus, receipts, event tickets, and boarding passes. That familiarity lowers our guard exactly when we should raise it.
What quishing looks like in real life
Quishing in email. You receive an email that looks like it's from your bank, Microsoft, or your company's IT department. It contains a QR code instead of a link. The message says to scan it to verify your account, reset your password, or review a security alert. Scanning opens a cloned login page. You type your password. The attacker has it within seconds.
Quishing in the physical world. A scammer tapes a QR code over an existing one — on a parking meter, a restaurant table card, a poster, or a package. The replacement code points to a phishing page built to look like a payment portal or a package-tracking site. You enter your card number or login credentials without realizing the page is fake.
Quishing in fake invoices and documents. A PDF or printed document arrives claiming to be an invoice, a tax form, or a contract. It includes a QR code labeled "scan to pay" or "scan to access." That code points to a spoofed payment page or a credential-harvest form.
These aren't edge cases. The FBI issued a public advisory on malicious QR codes in January 2022. The FTC received over 22,000 reports of QR code fraud in 2023 alone — up from near zero in 2020. In Q1 2026, Microsoft's security team flagged QR code phishing as one of the top three email threat vectors, appearing in millions of messages per month.
The move attackers count on you not making
Attackers rely on one thing: that you scan first and look second.
The URL preview your camera shows before you tap is a useful first filter — but it's not enough on its own. Attackers register domains that look legitimate at a glance: paypa1-verify.com, microsoft-account-security.net, secure-bank-login.app. A quick read can miss a substituted character or an extra subdomain.
The second filter — actually checking the destination before your browser loads it — is the step most people skip.
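To make the "substituted character or extra subdomain" problem concrete, here is an added example (not QRsafer's code) that checks a decoded QR URL against a small brand list. The `BRANDS` table, the function names, and the two-label `registrable_domain` shortcut are assumptions made for illustration; production code would use the Public Suffix List and a maintained brand inventory.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: brand keyword -> official domain.
BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
# Digits commonly swapped in for look-alike letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def lookalike_findings(url):
    """Return a list of reasons the URL's host imitates a brand in BRANDS."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    base = registrable_domain(host)
    findings = []
    for brand, official in BRANDS.items():
        if base == official:
            continue  # genuinely on the brand's own domain
        # Official domain placed in front of an unrelated registrable domain.
        if host.startswith(official + ".") or ("." + official + ".") in host:
            findings.append(f"{official} appears as a subdomain of {base}")
        for label in host.split("."):
            for token in label.split("-"):
                if token == brand:
                    findings.append(f"'{brand}' used on unofficial domain {base}")
                elif token.translate(CONFUSABLES) == brand:
                    findings.append(f"'{token}' substitutes characters for '{brand}'")
    return findings


if __name__ == "__main__":
    samples = [
        "https://paypa1-verify.com/login",            # from the article
        "https://microsoft-account-security.net/",    # from the article
        "https://secure-bank-login.app/",             # from the article
        "https://paypal.com.login-check.example/",    # constructed sample
        "https://www.paypal.com/signin",              # constructed sample
    ]
    for url in samples:
        print(url, "->", lookalike_findings(url) or "no lookalike signal")
```

The third URL returns no finding because it imitates no specific brand, which is why a string check like this complements, rather than replaces, a reputation lookup on the destination.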
How QRsafer stops quishing
QRsafer runs the destination URL through security threat databases before your phone opens the page. Scan a QR code with QRsafer and it returns a verdict:
- Safe — no known threats detected
- Risky — suspicious signals worth reviewing before proceeding
- Dangerous — known phishing, malware, or scam infrastructure
The free tier checks against Google Web Risk, which covers the large majority of known threats. Premium runs every scan through five intelligence engines simultaneously — useful when an attack campaign uses fresh infrastructure that one source hasn't indexed yet.
If the code in that email, on that parking meter, or on that printed document points somewhere malicious, QRsafer catches it before your browser ever loads the page. That's the gap it closes.
For a broader look at what happens when a malicious scan goes through, read what happens if you scan a fake QR code. If you already scanned something suspicious, here are the immediate steps to take.
The short version
Quishing = QR + phishing. The code looks innocent. The destination isn't. The defense is checking the URL before your browser opens it — and that's exactly what QRsafer is built to do.
Download QRsafer for iOS or Android and check every QR code before it opens.
Frequently asked questions
Is quishing the same as phishing?
Quishing is a type of phishing. Traditional phishing uses deceptive links in emails or texts. Quishing uses QR codes to deliver the same deceptive link — it just bypasses your email's link scanner because there is no URL to scan until after you point your camera.
How do I know if a QR code is a quishing attempt?
You usually can't tell by looking at the code itself — all QR codes look alike. Your best signals are context (an unexpected QR code in an email, a sticker placed over an existing code, a document you didn't request) and the destination URL. Always preview the URL before tapping and use QRsafer to check it against threat databases before your browser opens the page.
Can quishing attacks steal my password even if I don't type it?
Yes. Some quishing attacks use OAuth phishing pages that capture a credential token without a visible password field — you click "Sign in with Google" on a fake page and hand over access. Others load keyloggers or malicious scripts through the landing page itself. Not entering your password is not full protection; not opening the page at all is.
Does QRsafer protect against quishing?
Yes. QRsafer checks the destination URL before your browser loads it. If the QR code points to a known phishing domain, a suspicious redirect chain, or a freshly registered lookalike site, QRsafer flags it as Risky or Dangerous before you tap through. The free tier covers the majority of known threats; Premium adds four more intelligence engines for broader coverage.
