Quishing (QR-code phishing) is an increasingly common social-engineering attack where threat actors abuse QR codes to trick users into visiting malicious websites, downloading malware, or divulging sensitive information. As QR codes have become ubiquitous in payments, menus, parking meters, MFA login flows, and enterprise workflows, attackers exploit the implicit trust users place in them.
Unlike traditional phishing links—where users can at least see a suspicious URL—QR codes obscure the destination entirely, shifting the decision-making from visual inspection to blind trust.
1. How Quishing Works (Attack Lifecycle)
1.1 Initial Delivery
Attackers distribute malicious QR codes through multiple channels:
- Physical placement: Stickers on parking meters, ATMs, restaurant tables, EV chargers
- Email attachments: PDFs or images containing QR codes
- Printed mail: Fake invoices, notices, or fines
- Messaging apps: Images sent via SMS, WhatsApp, or Teams
1.2 User Interaction
- User scans the QR code with a mobile device
- The QR code redirects to:
- A credential-harvesting page
- A fake payment portal
- A malware-hosting site
- A fake MFA reauthentication page
1.3 Exploitation
- Credentials (email, VPN, cloud logins) are stolen
- Payment details are harvested
- Mobile malware or malicious configuration profiles are installed
- OAuth consent abuse grants persistent access
1.4 Post-Exploitation
- Lateral movement into corporate systems
- Account takeover (ATO)
- Business Email Compromise (BEC)
- Financial fraud or data exfiltration
2. Why Quishing Is Effective
- URL Obfuscation – Users cannot see the destination before scanning
- Mobile Security Gaps – Mobile devices often lack full EDR coverage
- Email Security Bypass – QR images evade traditional link scanners
- Contextual Trust – Physical QR codes appear legitimate
- Time Pressure – Fake fines, expiring payments, or account warnings
3. Common Quishing Scenarios
3.1 Corporate MFA Reset Attacks
Victims receive an email claiming:
“Your MFA session expired. Scan to reauthenticate.”
The QR code leads to a fake Microsoft 365 or Google Workspace login page.
3.2 Parking & Transportation Fraud
QR stickers placed over legitimate parking meter codes redirect users to fake payment portals.
3.3 Fake Invoices & Documents
PDF invoices include QR codes labeled:
“Scan to view full invoice” or “Pay now”
3.4 Cloud OAuth Consent Abuse
QR codes redirect to malicious OAuth apps requesting permissions like:
- Read mail
- Access files
- Maintain offline access
4. Indicators of Compromise (IOCs)
4.1 Technical IOCs
- QR code URLs using:
- URL shorteners
- Recently registered domains
- Lookalike domains (e.g.,
micr0soft-login[.]com)
- Mobile browser redirects without user interaction
- Unexpected OAuth consent grants
- Unusual login activity from mobile user agents
4.2 Behavioral IOCs
- User reports scanning QR codes from emails or printed notices
- MFA push fatigue followed by successful login
- Payment confirmations users do not recognize
5. Incident Response (IR) for Quishing
5.1 Identification
- Confirm QR code source (email, physical location, document)
- Extract the embedded URL using a QR decoder
- Check domain reputation and registration date
5.2 Containment
- Disable affected user accounts
- Revoke active sessions and refresh tokens
- Remove malicious OAuth applications
- Block domains and URLs at secure web gateways
5.3 Eradication
- Reset credentials and MFA
- Remove malicious mobile profiles or apps
- Clean up email rules or forwarding configurations
- Take down physical QR stickers if applicable
5.4 Recovery
- Restore normal account access
- Monitor for re-compromise
- Validate no persistence mechanisms remain
5.5 Lessons Learned
- Update phishing awareness training to include QR threats
- Improve mobile device security posture
- Enhance QR scanning warnings in enterprise apps
Guidance from organizations like Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation emphasizes QR-code threat awareness as part of modern phishing defense strategies.
6. Detection & Prevention Strategies
6.1 Technical Controls
- QR code inspection in email gateways
- Mobile Threat Defense (MTD) solutions
- Conditional access policies for mobile logins
- OAuth app governance and approval workflows
6.2 User Awareness
- Treat QR codes like shortened links
- Avoid scanning QR codes from unsolicited messages
- Verify physical QR codes for tampering
- Use built-in camera URL previews before opening links
7. Quishing Summary Table (IOCs, IR, Controls)
| Category | Details |
|---|---|
| Attack Vector | Email PDFs, physical stickers, printed mail, chat images |
| Primary Goal | Credential theft, payment fraud, OAuth abuse |
| Common Lures | MFA reset, invoice payment, parking fees, account alerts |
| Key IOCs | New domains, URL shorteners, mobile user agents, unusual OAuth grants |
| Affected Assets | Email accounts, cloud apps, mobile devices, payment cards |
| IR Actions | Account disablement, session revocation, password/MFA reset |
| Prevention | QR scanning controls, MTD, OAuth governance, user training |
| Detection Gaps | Email link scanners, desktop-only EDR solutions |
Quishing represents the evolution of phishing into the physical and mobile world. As attackers continue to exploit convenience-driven behaviors, organizations must adapt detection, response, and education strategies to address threats that are no longer just “click-based,” but scan-based.
