Assume you receive a cold email or instant message informing you of some payments made to your account, and you are about to scan a QR code attached to it. In just a split second, that action could expose your bank account, passwords, and personal data if it was a malicious QR code.
Quishing is a fast-growing cyberattack that attempts to steal users’ confidential information using fake QR codes. This strategic attack mainly targets business heads and executives. According to a 2024 report by Abnormal Security Corp., C-suite executives receive 42 times more QR phishing attacks than average employees. Business email compromise (BEC), a popular method of cyberattack using fake emails, increased a whopping 108% between 2022 and 2023.
With the growing use of QR codes in everyday life, quishing is becoming more prominent. Therefore, every QR code user must know the malicious activities or practices associated with QR codes and preventive actions against QR code phishing.
Meaning of quishing or QR code phishing
“Quishing,” or QR code phishing, is a well-planned attempt to trick QR code users into visiting malicious links and websites. Upon scanning a malicious QR code and clicking the link it contains, users are taken to a phishing site designed to compromise their sensitive information.
Quishing often bypasses conventional security systems, such as email security gateways, as the systems perceive QR codes attached to an email as harmless images. As a result, many QR code users become victims of email phishing.
How does quishing work?
Quishing works when users intentionally or unintentionally click a fraudulent link that appears when scanning a malicious QR code. Phishing attacks mainly aim to steal personal and financial information, such as debit or credit card details, login credentials, or personal identification information.
Scammers use the stolen information for financial fraud, identity theft, unauthorized account access, or ransomware. They often distribute malicious QR codes through printed flyers and posters, email, and social media platforms.
Upon scanning the QR code, users are taken to a bogus website or link. Victims are often prompted to enter sensitive information, such as their names, emails, date of birth, bank details, and account login passwords.
Key QR phishing statistics to look at
- The rapid rise in the use of smartphones for QR code scanning is a crucial reason behind the growing rate of quishing. Statista said nearly 89 million Americans scanned a QR code using their smartphones in 2022. The figure might reach 100 million users in 2025.
- In China, as many as 10 billion mobile devices were used for QR code payments in 2022.
- According to a report, the total number of smartphone users globally has crossed 4.88 billion in 2024, accounting for 60.42% of the world’s population.
QR code phishing has also increased significantly. Let’s see some data:
- As per a Check Point Software Technologies report, QR code phishing UPI scams in India more than doubled, from 15,000 cases in 2022 to over 30,000 cases in 2023.
- Over 3 billion phishing emails are sent every day, which increases the chance of QR code users falling for quishing.
- Gmail blocks over 100 million phishing attempts every day.
- As explained by Pymnts, QR codes accounted for more than 20% of all online scams.
- According to IBM, the global average cost of a data breach in 2024 is USD 4.88 million, a 10% increase over last year and the highest total ever.
- As per the Cyber security breaches survey 2024 by GOV.UK, phishing remains the most common type of cyber security breach or attack, targeting 84% of businesses and 83% of charities in the UK.
How do we protect against QR phishing attacks?
Here are the key insights on securing your personal information and avoiding QR code phishing.
✅ Never entertain unsolicited QR codes: Avoid scanning the QR code attached to emails or social media posts when you don’t know the sender. Don’t scan QR codes randomly in public places. Be cautious with the QR codes shared through email or social media, especially if you didn’t request them.
✅ Verify the source before scanning: Confirm the authenticity of the QR code before scanning, even if you think you know the source. You can verify the sender’s name by searching online or contacting the company directly before scanning.
✅ Recheck the QR code URL: Take a moment before clicking the URL that appears after scanning the QR code. Recheck the URL to see if it matches the company you know or the website you expect to visit. Don’t click suspicious URLs.
✅ Spot phishing signals: Compare the QR code you receive in emails with the one saved in your Google Wallet or UPI account. You can see the differences, such as graphic errors and email address discrepancies. Avoid scanning the QR code that creates a sense of urgency to take action or a message with poor grammar.
✅ Be mindful of the information provided online: Don’t entertain emails or text messages from unknown senders requesting your personal and financial information. You must be 100% sure it’s safe to scan the QR code before providing sensitive information, such as contact number, date of birth, login credentials, credit card details, etc.
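The "recheck the QR code URL" step above can also be automated wherever scanned QR payloads are reviewed, such as a help desk triage script. The Python below is an added example, not part of the original article; the function name `check_qr_url`, the allowlist, the shortener list and all sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for illustration: the domains your organization really uses,
# and a few well-known link shorteners that hide the final destination.
EXPECTED_DOMAINS = {"example-bank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def _belongs_to(host, domain):
    # True for the domain itself or any subdomain of it.
    return host == domain or host.endswith("." + domain)


def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return warning labels for a URL decoded from a QR code ([] = none)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if parts.username is not None:
        # "https://brand.com@other-host/" really goes to other-host.
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    if host in SHORTENERS:
        warnings.append("url-shortener")
    if not any(_belongs_to(host, d) for d in expected):
        warnings.append("domain-mismatch")
        # Brand name used as a subdomain or prefix of someone else's domain.
        if any(d.split(".")[0] in host for d in expected):
            warnings.append("brand-in-untrusted-host")
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.example-bank.com/login",           # constructed
                   "https://example-bank.com.verify-pay.example/"):  # constructed
        print(sample, check_qr_url(sample))
```

An empty list only means none of these specific signals fired; it does not confirm that the destination is safe.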
Businesses can take some additional steps to protect themselves from quishing:
☑️ Implementing two-factor authentication: Email phishing is the most common business threat. Using two-factor or multi-factor authentication helps prevent business email compromise (BEC) attackers from taking over business email accounts, because a stolen password alone is no longer enough to sign in.
☑️ Update software and security features: Keeping your software updated to the latest version and keeping advanced security features in place can help you prevent phishing attacks.
☑️ Security awareness training for employees: Imparting cybersecurity awareness and training your employees on QR code safety can help businesses avoid dangers from quishing. Through training, employees can learn to spot BEC attempts and implement practices like confirming the source of the QR codes or payment requests.
What if an organization is already a victim of quishing?
Let’s assume that your organization is already a victim of QR code phishing. You must adopt the following steps to stop the further spread of the scam or at least reduce the damage. Here is how you should do it.
➡️ Remove the QR code immediately: Remove or replace the malicious QR code immediately from your existing physical and digital spaces, including printed posters, menus, social media, and websites. This will help prevent the further escalation of the phishing attack.
➡️ Notify customers and staff urgently: Alert customers, business partners, and staff about the phishing attack and explain the situation clearly. Establish proper communication by giving clear instructions on how to handle the situation. Timely communication can save customers from financial loss and personal data theft, and protect the company’s brand image and reputation.
➡️ Identify the source of the fraudulent QR codes: Conduct a thorough evaluation of the source of the QR code and its target destination. Investigate the quishing motive by identifying whether users are directed to a phishing site or prompted to download malicious content. Timely intervention and investigation can protect customers and organizations from further damage.
➡️ Report the incident to the security team: Report the phishing attack instantly to the relevant authorities. For instance, if your organization has a separate security team, report the incident to the team as soon as you detect the quishing. Organizations can also file a complaint with a local cybercrime cell. Authorities can take appropriate countermeasures to prevent other organizations from facing the same incident.
➡️ Communicate the issue resolution: Inform your customers, staff, and other business stakeholders as soon as your organization resolves the issues. You can update them about your actions to handle the situation. Restoring confidence and reassuring customers that your organization has their back is essential.
Conclusion
Today, QR codes are everywhere, and so is the potential for quishing. QR users must be cautious when using QR codes, especially when scanning a QR code attached to an email, text, or social media post from unfamiliar sources.
Businesses must realize the potential threat of QR codes when used for phishing attacks. Taking appropriate countermeasures will enable businesses to protect themselves from QR code phishing.
Frequently asked questions
Can a QR code be a security risk?
Yes. A QR code can direct you to a malicious website, initiate a fraudulent download, or even trigger an action that compromises the security of your device.
What is an example of quishing?
One example of quishing is when a person receives an email telling her that she won a free holiday ticket to Dubai or an iPhone and is asked to scan the attached QR code to claim it. Scammers use various persuasive information to trick users into visiting malicious websites or links.
What are the signs of a phishing QR code?
Signs of a phishing QR code are not always immediately obvious. However, you should watch out for these signs:
- Physical tampering: If you notice a QR code sticker placed over an existing one, it could be a sign of QR code spoofing.
- Suspicious placement: QR codes in unusual locations, like inside restrooms or random public places, could be suspicious.
- Unexpected redirects: After scanning, if you are redirected to an unfamiliar website or asked to enter sensitive information, it’s likely a phishing attempt.
What should I do if I accidentally scan a phishing QR code?
If you accidentally scanned a malicious QR code, follow these steps immediately:
- Avoid providing personal information: After scanning the QR code, close the browser immediately if it asks for personal information or payment details.
- Clear your browser history: This will remove any malicious data stored in your browser cache.
- Run a virus scan: Instantly scan your device with an anti-virus to neutralize the potential threats.
- Change your passwords: If you have entered any information, change your passwords immediately, particularly for any accounts that might have been compromised.