QR code phishing, known as quishing, has emerged as one of the fastest-growing attack vectors in 2026. The Proofpoint 2025 State of the Phish Report found that QR-code-based phishing attacks increased by over 400 percent year-over-year, yet fewer than 5 percent of organizations include QR code scenarios in their security awareness training. The attack exploits a fundamental gap: email security gateways analyze text, URLs, and attachments, but most cannot decode and inspect QR codes embedded in images. This means quishing emails reach inboxes at dramatically higher rates than traditional phishing.
How Do Quishing Attacks Work?
A typical quishing attack embeds a QR code in an email or document that appears to come from a trusted source such as IT support, HR, a building management system, or a parking service. The pretext is designed to feel routine: scan this code to update your MFA settings, verify your parking permit, access your benefits enrollment portal, or view a shared document. When the employee scans the QR code with their personal mobile device, they are redirected to a credential-harvesting page that mimics a legitimate login portal. The attack is particularly effective for four reasons: personal mobile devices typically lack the enterprise security controls present on corporate laptops; employees trust QR codes as a familiar technology used in legitimate business contexts; the redirect happens on a personal device outside the organization's network monitoring; and email filters cannot inspect the URL encoded in the QR image.
Why Are Detection Rates So Low?
Traditional email security solutions analyze the text body, sender reputation, embedded URLs, and attachment file types of incoming messages. A quishing email sidesteps each of these checks: it typically contains no clickable URL in the message body; the malicious destination is encoded within a PNG or JPEG image of a QR code that security tools treat as a benign image; the email text is clean business language with no suspicious keywords; and the sender may be a compromised legitimate account with a trusted reputation. Some advanced email security platforms have begun adding QR code decoding capabilities, but adoption is still limited, and the decoding step is easily evaded by using slightly modified QR formats, embedding codes in PDF attachments, or using dynamic QR codes that redirect through clean intermediate URLs before reaching the phishing page.
How Do You Add QR Simulations to Your Program?
Building a quishing simulation program requires adjusting both your technical infrastructure and your training approach. Start with awareness: many employees have never been warned about QR code phishing and do not associate QR codes with security risk. Introduce the concept through a brief educational module before launching simulations. For the simulation itself, create realistic QR codes that direct to benign tracking pages (not credential harvesting pages on personal devices, which raises privacy concerns). Track scan rates as your primary metric. Typical first-campaign scan rates for organizations that have never tested QR phishing are 30 to 45 percent, far higher than email phishing click rates, because employees have not been conditioned to be suspicious of QR codes.
What Should Your Anti-Quishing Policy Include?
Develop a clear policy that addresses QR code risks. Key elements include a prohibition on scanning QR codes received via email on personal devices without verification, guidance on using a QR code scanner that previews the URL before opening it, a process for reporting suspicious QR codes through the same channel used for phishing reports, and guidelines for legitimate internal use of QR codes (for example, requiring that all legitimate internal QR codes use a specific, recognizable short domain). Training should emphasize that QR codes in emails should be treated with the same suspicion as clickable links and that the same verification procedures apply. For organizations looking to build comprehensive multi-vector simulations, see our guides on SMS phishing simulation and voice phishing simulation.
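The policy above requires legitimate internal QR codes to use one recognizable short domain, and the detection section notes that gateways rarely inspect the decoded payload. The following is an added example (not code from the original article) of the check a mail gateway or reporting workflow could apply once a QR decoder has extracted the URL string; the internal domain go.example.com and the individual heuristics are assumptions for illustration.

```python
"""Policy check for a URL decoded from a QR code in an inbound email.

Assumes an upstream step (a gateway with QR decoding, or a CLI decoder) has
already produced the payload string. Applies the article's policy: internal
QR codes must point at one recognizable short domain; anything else is
treated with the same suspicion as an untrusted clickable link.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

INTERNAL_QR_DOMAIN = "go.example.com"  # assumed placeholder for the policy domain


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def host_matches(host: str, allowed: str) -> bool:
    """True only for the allowed domain itself or a real subdomain of it, so
    'go.example.com.evil.net' and 'evil-go.example.com' do not match."""
    host = host.lower().rstrip(".")
    return host == allowed or host.endswith("." + allowed)


def triage_qr_payload(payload: str, allowed: str = INTERNAL_QR_DOMAIN) -> Verdict:
    """Return a Verdict; every policy violation found is listed in reasons."""
    reasons = []
    parts = urlsplit(payload.strip())
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        reasons.append("no host in payload")
    if parts.username is not None or parts.password is not None:
        reasons.append("user@host form: the real host is after the '@'")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) hostname")
    try:
        ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass
    if host and not host_matches(host, allowed):
        reasons.append(f"host {host!r} is outside the internal QR domain {allowed!r}")
    if len(payload) > 512:
        reasons.append("unusually long payload for a short-domain link")
    return Verdict(allowed=not reasons, reasons=reasons)
```

Anything that returns allowed=False is routed to the same reporting channel used for phishing emails, with the reasons attached for the analyst.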