Quishing (QR-code phishing) is a fast-rising scam for one clever reason: a QR code is just an image, so the malicious web address is hidden inside it. Traditional email security scans the text of a message for bad links — but a QR code has no link text to scan, so it often sails straight through. [1]
The volumes are climbing sharply. APWG’s Q3 2025 reporting, drawing on Mimecast data, noted 716,306 unique malicious QR codes detected in a single quarter — up 13% on the quarter before. [2]
How a quishing attack works
- The lure. You get an email or letter — a “document to review,” a “missed delivery,” a “payroll update” — containing a QR code instead of a link.
- The switch to your phone. You scan the code with your phone’s camera. This is deliberate: phones show less of the URL and have weaker protection than a work laptop, so signs of a fake are harder to spot. [3]
- The fake page. The code opens a convincing login page — often a fake Microsoft 365 or SharePoint sign-in. You enter your credentials, and they go to the attacker.
- The MFA trap. Some campaigns then text you to “confirm” a one-time code — handing the attacker your second factor too. [4]
Why QR codes slip past defences
Three things make quishing effective: the URL is hidden in an image that text scanners ignore; the attack jumps to a mobile device that’s usually less protected; and on a small screen, a truncated address looks normal. Physical QR codes add another twist — scammers stick fake codes over real ones on parking meters, menus and posters.
How to stay safe
- Treat an unexpected QR code like an unexpected link. If you didn’t ask for it, be suspicious — especially in email, on letters, or stuck up in public.
- Preview the URL before opening. Most phone cameras show the destination address first — read it, and check the real domain before tapping.
- Go direct instead. If a code claims to be from a company you use, open their app or type their address yourself rather than scanning.
- Be alert to the MFA ask. No legitimate service needs you to text someone your one-time code.
Catching the QR codes filters miss
Because QR codes defeat text-based scanning, the fix is email security that actually reads the code — decoding it, following where it leads, and analysing that destination like any other link. SafeToOpen Email Security scans QR codes and attachments inside a message, not just the visible text, so a hidden malicious link is caught before you ever reach for your phone.
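An added example, not SafeToOpen's code, of the pipeline just described: walk every image part of a message, hand it to a QR decoder, and put whatever comes out through the same checks a text link would get. The decoder is passed in as a parameter (a pyzbar or OpenCV wrapper in practice), and the brand allow-list, the naive registrable-domain rule and the sample message are all assumptions constructed for this example.

```python
import email.policy
import re
from urllib.parse import urlparse

# Domains a brand really signs you in on (illustrative allow-list, assumed here).
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com", "sharepoint.com"}}

def assess_url(url: str) -> list[str]:
    """Run on a decoded QR payload the same checks a filter runs on a text link."""
    if not re.match(r"[a-z][a-z0-9+.-]*:", url, re.I):
        url = "http://" + url  # bare 'host/path' payloads still open in a camera app
    host = urlparse(url).hostname or ""
    if not host:
        return ["no-web-host"]
    findings = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-address-host")
    if "xn--" in host:
        findings.append("punycode-host")
    # Registrable domain by a naive last-two-labels rule (use the Public Suffix List
    # in production). A phone preview shows the prefix; this is the part that matters.
    reg = ".".join(host.rstrip(".").split(".")[-2:])
    for brand, real in BRAND_DOMAINS.items():
        if brand in host and reg not in real:
            findings.append(f"lookalike:{brand}")
    return findings

def scan_message(raw: bytes, decode_qr) -> list[dict]:
    """Decode QR codes in every image part (inline or attached) and assess each payload.
    decode_qr(image_bytes) -> list of decoded strings, e.g. a pyzbar/OpenCV wrapper."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        for payload in decode_qr(part.get_payload(decode=True)):
            results.append({"part": part.get_filename() or part.get("Content-ID"),
                            "url": payload, "findings": assess_url(payload)})
    return results

# Constructed sample: a "document to review" lure carrying a PNG attachment. The QR
# decoder is stubbed with the URL such a code would hold so the example runs offline.
SAMPLE_EML = (b"Subject: Document to review\r\nMIME-Version: 1.0\r\n"
              b'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
              b"--B\r\nContent-Type: text/plain\r\n\r\nScan the code to view your file.\r\n"
              b'--B\r\nContent-Type: image/png\r\nContent-Disposition: attachment; filename="doc.png"\r\n'
              b"Content-Transfer-Encoding: base64\r\n\r\niVBORw0KGgo=\r\n--B--\r\n")

def stub_decoder(image_bytes: bytes) -> list[str]:
    return ["https://login.microsoft.com.secure-docs.example/view"]
```

The lookalike check is the one that matters for quishing: on a phone the preview shows `login.microsoft.com...`, but the registrable domain the browser will actually talk to is the one at the end.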
Email security that reads the QR code
SafeToOpen decodes QR codes and attachments in your mail and checks where they really lead — catching quishing that text filters miss.
The takeaway
Quishing works by hiding the link inside an image and bouncing you to a less-protected phone. Preview every code’s destination, never scan unexpected codes, and use email security that decodes and checks QR codes rather than only scanning text.