Quishing is a blend of “QR” and “phishing.” It is the same social-engineering attack you already know from email, moved onto a printed or on-screen square. The trick works because a QR code shows you a picture, not a link. Your eyes cannot read a URL out of a grid of dots, so the check you would normally do before clicking never happens.
What is quishing?
Quishing is phishing that uses a QR code to deliver the malicious link. Instead of a hyperlink in an email, the attacker gives you a QR code — on a poster, a parking meter, an email attachment, or a fake invoice — that encodes a URL to a credential-harvesting page or a malware download. You scan it, your phone opens the page, and the page asks for a login, a payment, or a permission. The QR code is only the delivery mechanism; the payload is an ordinary phishing page.
Why do QR codes make phishing easier?
QR codes make phishing easier because they hide the destination and move the scan onto a phone. Three things stack up in the attacker’s favor. First, the URL is invisible until after your phone resolves it, so you cannot inspect it the way you would inspect a link in an email. Second, phones show truncated address bars and small screens, which makes a lookalike domain harder to spot. Third, a QR code on a physical object borrows the trust of the place it sits — a code on a restaurant table or a government parking sign feels legitimate before you have checked anything.
Where do quishing attacks show up?
Quishing shows up anywhere a QR code can be placed or sent, and the common vectors are physical surfaces, email, and documents. The pattern repeats across all of them:
| Vector | How the code is delivered | Common lure |
|---|---|---|
| Physical overlay | Sticker placed over a real code | Parking payment, EV charger, menu |
| Email body or image | QR image inside a phishing email | “Reset your MFA,” shared document |
| PDF or invoice | Code embedded in an attachment | Fake supplier invoice, DocuSign |
| Posters and flyers | Fully attacker-controlled print | Fake giveaway, event check-in |
The physical-overlay case is worth calling out because it is the hardest to defend. An attacker prints a sticker with their own QR code and pastes it over a legitimate one. Nothing about the underlying system was hacked; the paper was.
What happens after you scan a quishing code?
After you scan, your phone opens the attacker’s page, and from there it is a normal phishing flow. The page usually imitates a brand you trust and asks you to log in, enter payment details, or approve a multi-factor prompt. Some campaigns chain steps: the first page harvests your password, the second triggers a real MFA push and hopes you approve it out of habit. The QR code did its job the moment the page loaded. Everything after that is standard credential theft.
How do you protect yourself from quishing?
You protect yourself by treating a scanned URL exactly like a link in an email — inspect it before you act on it. Most phone cameras preview the destination URL before opening it; read that preview and check the domain. Be suspicious of any scanned page that immediately asks for a login or payment, especially if it reached you through a code on a public surface or an unexpected email. Do not approve an MFA prompt you did not personally initiate. When a code sits on a physical object, look for a sticker layered over the original — a raised edge or a mismatched finish is a tell.
What can a QR platform actually do about quishing?
A QR platform can check the destination and warn on abuse, but it cannot police the physical world. Here is where honest scoping matters. redireo runs a reputation check on every destination URL when a code is created or edited, and shows a safe interstitial page when a target looks malicious. That defends against two real scenarios: a compromised account quietly repointing a live code to a phishing site, and redireo’s own redirect domain being abused as a phishing vector. It does not, and cannot, stop an attacker who prints their own sticker and pastes it over your code. That overlay routes through the attacker’s own system, never through ours. Anti-quishing protects the destination behind a code you control; it does not protect the printed surface in the world.
Is quishing the same as a hacked QR code?
No — most quishing does not involve hacking anything. The attacker does not break into your account or your QR provider. They either create a fresh malicious code from scratch or physically cover a real one. That distinction matters because it tells you where the defense lives. Software checks help against repointed destinations and abused redirect domains. Against a sticker on a wall or a code in a phishing email, the defense is human: read the URL, distrust urgency, and do not enter credentials on a page a code pushed you to.
Quishing is not a new class of attack. It is old-fashioned phishing wearing a costume that defeats the one habit — reading the link — that used to keep people safe. The fix is to bring that habit back, one scan at a time.