.avif)
Traditional enterprise controls such as email filters, endpoint agents, and annual training were built to detect known threats on managed devices. But threat actors no longer follow those boundaries.
Quishing, or QR code phishing, takes advantage of user behaviors that enterprise controls do not cover. Whether embedded in emails, PDFs, or physical signage, malicious QR codes redirect users, often on unmanaged mobile phones, to credential harvesting sites while evading enterprise detection controls.
As with tactics like smishing and social engineering, quishing preys on user trust but moves the attack off network. For CISOs and security teams, it reveals structural blind spots in how most enterprises monitor and respond to human behavior.
What Is Quishing?
Definition: Quishing is a form of phishing that uses malicious QR codes to redirect users to spoofed websites, steal credentials, or deliver malware, often evading enterprise detection controls.
Why Quishing Is Different
Quishing exposes a blind spot in conventional phishing defenses. These attacks succeed because they manipulate how users behave across devices, contexts, and locations where standard tools have no visibility.
Cross Device Execution
Malicious QR codes can appear in emails, PDFs, printed signage, or invoices. When scanned, often on a personal mobile phone, the attack shifts off the corporate network. This breaks visibility for traditional email filters, endpoint agents, and data loss prevention tools.
Enterprise Mimicry
Quishing often impersonates trusted workflows such as MFA prompts, account updates, or vendor billing systems. The messaging is crafted to look familiar, reducing skepticism and prompting quick user action.
Campaign Scale and Growth
Quishing attacks are growing rapidly. Some campaigns are expanding at 270 percent monthly according to Cyber Security News. The FBI has also issued alerts regarding malicious QR codes placed in public spaces.
Quishing campaigns rely on social engineering and bypass security architectures that lack continuous monitoring of off network user behavior. To stop them, organizations must go beyond awareness and adopt detection and response models based on real time user risk.
How Quishing Works
While the goal is similar to other phishing techniques, quishing bypasses enterprise controls by shifting the attack to a different device and exploiting user behavior.
Here is how a typical attack unfolds:
- QR Code Placement
Threat actors embed malicious QR codes into emails, invoices, PDF attachments, or physical surfaces such as parking signs, conference tables, and public kiosks. - Social Engineering Hook
The QR code is paired with urgent or routine instructions like “update your MFA settings,” “view billing statement,” or “download the secure app.” These messages closely mimic legitimate workflows. - Scan and Redirect
Users scan the QR code using a personal mobile device and are redirected to a spoofed website or app download page. Because this redirection happens off network, enterprise detection tools are typically blind to the behavior. - Credential Theft or Payload Delivery
The victim enters credentials or downloads malware, enabling attackers to gain access without alerting traditional tools. - Post-Attack Exploitation
Once credentials or access are obtained, attackers move laterally within systems, escalate privileges, or stage further attacks. Because the initial interaction happens on a personal device, response is delayed or entirely missed.
Real-World Examples of Quishing
Fort Lauderdale Parking Scam (2024)
Attackers placed counterfeit QR codes on parking meters and pay by phone signage throughout downtown Fort Lauderdale. Users scanned the codes and were redirected to fake payment sites where credit card data was stolen. City officials confirmed at least seven locations were affected and clarified that the official meters never used QR codes (NBC 6 South Florida).
Microsoft 365 Quishing Campaign
A major energy provider in the United States received phishing emails containing QR codes that mimicked Microsoft 365 security alerts. The message urged recipients to scan a code within three days to resolve account issues. Scanning the code led users to a spoofed login page that harvested credentials (Bleeping Computer).
These examples show how even well-resourced organizations can be compromised when user workflows extend beyond what enterprise defenses are built to monitor.
Why Quishing Bypasses Enterprise Defenses
How Quishing Compares to Other Phishing Methods
What Enterprises Can Do to Stop Quishing
Security teams are shifting away from perimeter centric models and adopting behavior aware defenses that reflect how work actually happens. The following strategies have proven effective in reducing quishing risk.
Run Realistic Simulations
Use simulations that replicate actual workflows such as MFA prompts, vendor portals, or printed signage. These tests surface how employees respond to mobile first phishing lures and allow teams to prioritize by behavioral risk rather than assumptions.
Move Beyond Static Training
Security awareness training must be continuous, personalized, and scenario driven. Static programs that teach users to spot last year's phishing email cannot address emerging tactics like mobile redirects and physical QR baiting.
Enforce Identity Layer Protections
Adaptive multi factor authentication and conditional access policies should respond to device type, user behavior, and access context. These controls reduce the blast radius even when credentials are compromised.
Automate Response Based on Behavior
Use behavioral risk scoring to trigger real time interventions such as access restrictions, session terminations, or secondary verification prompts. Automated controls reduce exposure and eliminate reliance on manual escalation.
Why Quishing Demands a Behavioral Approach to Phishing Defense
Quishing is difficult to stop because it exploits what legacy tools were never designed to handle: cross device behavior, real time decisions, and trust-based interactions that occur outside traditional monitoring.
Most security architectures rely on static controls that assume users operate within corporate boundaries. But quishing turns those assumptions against the organization - leveraging mobile devices, QR codes, and enterprise mimicry to sidestep email filters, endpoint tools, and awareness programs that are not behavior aware.
Protecting against this threat requires more than perimeter rules or yearly training. It demands a model that continuously adapts to user risk patterns and intervenes when behavior signals exposure.
User Adaptive Risk Management provides that foundation. It equips organizations to detect, prioritize, and respond to human layer threats across environments before they escalate into broader compromise.
{{cta}}
FAQs
.jpeg)
Social Engineering Is About to Be the Only Game in Town
AI is finding and patching zero‑days at machine speed. The traditional attack surface is collapsing. The only place attackers can still win consistently is the user. Learn what that means for CISOs trying to defend the enterprise, and why the operating model that worked for networks, endpoints, and identity has to come to the User Layer next.
The Top User-Driven Cyber Threats Targeting Law Firms
Law firms sit on some of the most sensitive and valuable data in the enterprise, and attackers have built an entire playbook around exploiting the users who handle it. Learn how four dominant threat vectors are targeting legal sector workflows in 2026 and what it takes to stop attacks at the User Layer.
The Workforce Has Expanded: How Attackers Are Targeting Enterprise AI Agents
AI agents are being deployed across the enterprise at scale, and attackers have already started engineering against them. Learn how agentic AI expands the enterprise attack surface in ways legacy security programs were never designed to defend.