Quishing
What is quishing?
Quishing (also called QRishing or a QR-based social engineering attack) is a type of phishing attack that uses QR codes to trick users into visiting malicious websites. Unlike traditional phishing emails that include a visible link, quishing embeds the harmful link inside a QR code. When the user scans the code, often with a smartphone, they are unknowingly directed to a fake website designed to steal personal information or login credentials, or to install malware.
Why is quishing dangerous?
QR codes are easy to trust and scan, especially when printed on posters, flyers, or emails. This makes it easier for attackers to bypass security filters and trick users into taking unsafe actions.
Real-life quishing examples
Quishing attacks have been on the rise globally, targeting people in both digital and physical settings. Some notable incidents include:
- Fake delivery emails (Global, 2024): QR codes in phishing emails pretended to be from delivery companies like FedEx or DHL, leading users to fake rescheduling pages that steal personal information.
- Parking meter scams (Texas, USA, 2023): Fraudulent QR code stickers on meters redirected drivers to fake payment sites to steal credit card details.
- Workplace flyer attack: Employees scanned QR codes from fake HR survey flyers, leading to credential harvesting through spoofed login pages.
- Restaurant menu fraud: QR codes placed on tables in some restaurants redirected diners to malicious sites posing as food ordering platforms.
- Fake police fine notices (UK, 2024): Victims received letters with QR codes claiming to show traffic violations, which led to phishing payment portals.
How to prevent quishing attacks?
Quishing attacks can be hard to spot, especially since QR codes are often trusted and used everywhere, from menus to business cards. Here are some effective ways to protect yourself and your organization:
- Be cautious with QR codes in emails:
- Don’t scan QR codes sent via unexpected or suspicious emails, even if they appear to come from trusted sources.
- Be extra careful with QR codes that urge urgent action like "Verify now," "Reset your password," or "Claim your reward."
- Preview the link before visiting:
- Most smartphones let you preview the URL after scanning a QR code and before opening the site. Check the link carefully:
- Does the domain look correct?
- Are there misspellings or unusual characters?
- Is it using HTTPS?
- If the URL looks strange or unfamiliar, don’t proceed.
- Use a QR scanner with security features:
- Install QR code scanner apps that offer link preview or malicious link detection before opening the destination.
- Some mobile security apps have built-in QR protection features.
- Avoid scanning random QR codes in public places:
- Be wary of QR codes placed in public areas, especially if they look like stickers or appear on top of existing signs.
- Attackers often paste fake QR codes over legitimate ones (e.g., on posters, parking meters, or ads).
- Verify the source:
- If you receive a QR code in an email or message from a business, double-check by visiting their official website or contacting them directly.
- Legitimate companies rarely ask users to scan QR codes for critical tasks like account logins or payments.
- Train employees (for organizations):
- Conduct cybersecurity awareness training to educate staff about quishing and how to recognize suspicious QR codes.
- Share real-life examples to help them understand how these attacks work.
- Use email security tools:
- Organizations should use email security solutions such as Zoho eProtect that can detect and block image-based threats, including embedded QR codes that lead to malicious websites.
- Physically inspect QR codes:
- If a QR code is stuck onto a sign board (like a restaurant menu or parking meter), check if it looks tampered with or placed over another code.
- When in doubt, ask an employee or use a trusted app to access the information.
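The three questions under "Preview the link before visiting" (does the domain look correct, are there misspellings or unusual characters, is it using HTTPS) can be applied mechanically to a URL once it has been decoded from a QR code. The following is an added example, not code from the original article or from any product it mentions; it assumes the URL has already been extracted (for instance by the phone's preview feature), and the allow-list of expected domains is constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list for this example; in practice use the real domains
# of the brands or services you expect the QR code to point to.
EXPECTED_DOMAINS = {"fedex.com", "dhl.com", "example-parking.com"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_qr_url(url: str) -> list[str]:
    """Apply the three questions to a QR-decoded URL; an empty list means it passed."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'none'!r})")
    if not host:
        warnings.append("no host name in URL")
        return warnings
    labels = host.split(".")
    # Unusual characters: non-ASCII letters (possible homoglyphs) or punycode labels.
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        scripts = sorted({unicodedata.name(c, "?").split()[0] for c in host if ord(c) > 127})
        warnings.append(f"non-ASCII or punycode characters in host ({', '.join(scripts) or 'punycode'})")
    # Registered domain taken as the last two labels (a simplification; real
    # code would consult the public-suffix list).
    registered = ".".join(labels[-2:])
    if registered in EXPECTED_DOMAINS:
        return warnings
    for good in sorted(EXPECTED_DOMAINS):
        brand = good.split(".")[0]
        if brand in labels[:-2]:
            # e.g. fedex.com.reschedule-parcel.net: the brand is only a subdomain.
            warnings.append(f"{good!r} appears as a subdomain of {registered!r}")
        elif _edit_distance(registered, good) <= 2:
            warnings.append(f"{registered!r} looks like a misspelling of {good!r}")
    warnings.append(f"domain {registered!r} is not one of the expected domains")
    return warnings
```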