📱 QR Code Phishing 2026: How Quishing Attacks Bypass Your Email Security
What Is Quishing and Why Is It Surging in 2026?
Quishing (QR code phishing) is a social engineering attack where criminals embed malicious QR codes in emails, PDFs, or physical documents. When the target scans the code with their smartphone camera, they're taken to a fake login page that steals their credentials.
What makes quishing uniquely dangerous in 2026 is that it sidesteps the email security controls that key on URLs. Most email security gateways inspect links in the message body, block known malicious domains, and sandbox attachments to detect phishing. A QR code is an image, not a clickable link, so a gateway that does not decode the image has nothing to analyse: the malicious URL lives in the QR code's encoded pixel data, and unless the gateway decodes the code it never sees the destination.
The scale of the problem is growing fast. Security firm KnowBe4 reported a 650% increase in quishing attacks between 2023 and 2025. In the first quarter of 2026 alone, Abnormal Security detected over 67,000 quishing campaigns targeting enterprise inboxes — and the detection rate is still low because conventional filters miss the attack.
Major brands being impersonated in quishing campaigns include Microsoft (most common at 36% of attacks), ADP payroll portals (24%), DocuSign (18%), and Google Workspace login pages (12%). The QR codes typically redirect to convincing credential harvesters hosted on compromised legitimate websites — which pass domain reputation checks.
How Quishing Attacks Work
A typical quishing attack follows this sequence:
The attacker sends an email or PDF attachment containing a QR code. The email is designed to create urgency — "Your account has been locked — scan this QR code to verify your credentials," "New payroll document requires your signature," or "Important security update — authenticate within 24 hours."
The target scans the QR code with their phone. Because the phone is usually a personal device outside corporate MDM and the organisation's web filter, it has direct internet access. The QR code resolves to a phishing page that mimics a login portal — Microsoft 365, Google Workspace, ADP, or DocuSign — often served over HTTPS from a recently registered domain, so the padlock icon offers no reassurance.
When the target enters their credentials, the page captures them, displays a "verification complete" message, and redirects to the real service. The user thinks nothing happened. Meanwhile, the attacker now has valid credentials — often with multi-factor authentication bypassed through adversary-in-the-middle (AiTM) techniques.
The sophistication of quishing attacks has increased significantly. Modern campaigns use QR codes that blend into branded PDF templates, multiple redirect hops to evade analysis, AiTM proxies that capture session cookies after initial authentication, and geofencing that serves the legitimate page to security researchers scanning from known IP ranges.
Why Traditional Email Security Fails Against QR Code Phishing
Conventional email security layers are text-centric: they parse message content, scan attachments, and inspect URLs. Quishing defeats each layer differently. The URL is embedded as pixel data in the QR code, not as clickable text, so link scanners never see the destination. Attachment sandboxing renders the PDF but does not decode embedded QR codes, so the malicious link never triggers. Content and URL reputation checks find nothing to flag because the email itself contains no malicious payload, just a picture that happens to encode a URL, and sender reputation checks pass when the message comes from a legitimate but compromised mailbox.
Even security awareness training has gaps when it comes to quishing. Most employees have been trained not to click suspicious links. Very few have been trained not to scan QR codes in unsolicited emails. The NCSC's recent guidance on QR code phishing (published February 2026) explicitly advises that employees should treat unsolicited QR codes with the same suspicion as unsolicited links.
How to Detect a Quishing Attack
There are several red flags that quishing campaigns share. The QR code appears unexpectedly in an email that manufactures urgency and demands immediate action. The email asks you to scan the code with your phone, which moves the session onto a personal device outside corporate security. The login page URL does not match the service's real domain: for example, login-microsoft-com-2fa.pages.dev instead of login.microsoft.com, where the brand name appears inside the hostname but the registrable domain belongs to someone else. The domain was recently registered: a WHOIS lookup reveals a creation date within the last 30 days.
Check the destination before scanning: most smartphone camera apps show the decoded URL before opening it. Read the whole hostname, not just the brand name embedded in it, and if the URL looks suspicious, don't proceed. Forward suspicious emails to your IT or security team; most organisations have a dedicated reporting address.
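The red flags above can be turned into a simple triage score for URLs that have already been decoded from QR images. The following is an added example, not code from the original article: the brand allowlist, the tiny public-suffix subset, the sample decoded URLs and their registration dates are all constructed for illustration, and a real deployment would load the full Public Suffix List and query WHOIS or a domain-age feed for the creation date.

```python
"""Red-flag scoring for URLs decoded from QR codes (added example)."""
from datetime import date
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Brands this organisation uses and their legitimate registrable domains.
# Constructed allowlist for the example; extend for your own estate.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "okta": {"okta.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "adp": {"adp.com"},
    "google": {"google.com"},
}

# Tiny stand-in for the Public Suffix List. pages.dev is a public suffix,
# so each site beneath it is its own registrable domain.
PUBLIC_SUFFIXES = {"com", "net", "dev", "co.uk", "pages.dev", "workers.dev", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host using PUBLIC_SUFFIXES (longest suffix wins)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if i > 0 and ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def score_url(url: str, today: date, registered: Optional[date] = None) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means more phishing indicators."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    score, reasons = 0, []

    if parts.scheme != "https":
        score += 1
        reasons.append("not https")
    if parts.username is not None:
        # https://login.microsoft.com@evil.example/ - brand name is only userinfo
        score += 3
        reasons.append("credentials (userinfo) in URL hide the real host")
    if host.replace(".", "").isdigit():
        score += 2
        reasons.append("raw IP address instead of a hostname")
    if host.startswith("xn--") or ".xn--" in host:
        score += 2
        reasons.append("punycode label (possible homograph)")

    reg = registrable_domain(host)
    # Split on dots and hyphens so "login-microsoft-com-2fa" yields the brand token.
    tokens = set(host.replace("-", ".").split("."))
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            break  # genuine brand domain; no lookalike scoring
        if brand in tokens:
            score += 3
            reasons.append(f"brand '{brand}' in hostname but registrable domain is {reg}")
    if host.count("-") >= 2:
        score += 1
        reasons.append("many hyphens in hostname")
    if registered is not None:
        age = (today - registered).days
        if age <= 30:
            score += 2
            reasons.append(f"domain registered {age} days ago")
    return score, reasons


def triage(samples: List[Tuple[str, Optional[date]]], today: date) -> Dict[str, Tuple[int, List[str]]]:
    """Score every (url, creation_date) pair; keyed by URL."""
    return {url: score_url(url, today, created) for url, created in samples}


# Constructed sample of decoded QR payloads with illustrative WHOIS creation dates.
SAMPLES = [
    ("https://login.microsoft.com/common/oauth2/authorize", date(1991, 5, 2)),
    ("https://login-microsoft-com-2fa.pages.dev/verify", None),
    ("https://payrollverify-okta.com/login", date(2026, 3, 9)),
    ("http://login.microsoft.com@198.51.100.7/", None),
]
TODAY = date(2026, 3, 12)

if __name__ == "__main__":
    for url, (score, reasons) in triage(SAMPLES, TODAY).items():
        print(f"{score:2d}  {url}")
        for r in reasons:
            print(f"      - {r}")
```

The score is only a triage aid: anything above zero deserves a human look, and a zero says nothing about a lookalike that sits on a domain the allowlist does not know about. The registered-date check is the one that most often needs an external feed in practice.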
Protecting Your Organisation Against Quishing
The NCSC and CISA have published coordinated guidance for defending against QR code phishing. The most effective defences include:
Deploy QR-specific email scanning. Some security vendors now offer QR code decoding in their email gateways. Abnormal Security, Proofpoint, and Mimecast have updated their platforms to extract and scan URLs from embedded QR images in email attachments. This is the single most effective technical control.
Educate employees about quishing. Security awareness training must be updated to cover QR code phishing explicitly. The same rules apply: don't scan QR codes in unsolicited emails, verify the destination URL before navigating, and report suspicious messages to the security team.
Use FIDO2 hardware keys for critical systems. Quishing attacks that rely on credential harvesting are ineffective against FIDO2 keys and passkeys because the credential is bound to the relying party's domain (the RP ID): the browser only presents it to an origin under that domain, so a phishing page on login-microsoft-com-2fa.pages.dev cannot obtain an assertion for login.microsoft.com, and an assertion relayed through an AiTM proxy fails the origin and RP ID checks on the real authentication endpoint.
Limit QR code scanning on managed devices. Organisations using mobile device management (MDM) can restrict QR code scanning to approved applications only. Android Enterprise and Microsoft Intune both support policies that disable the default camera QR scanner and route scanning through a managed browser with URL filtering.
Enable DMARC with a reject policy (p=reject). DMARC won't block quishing directly, and it only covers domains you control, so it does nothing against lookalike sender domains. It does stop attackers putting your own domain in the From header, which removes one of the easiest ways to impersonate a trusted brand or an internal department such as payroll.
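The FIDO2 recommendation above rests on two binding checks the relying party performs on every assertion: the origin recorded in clientDataJSON must be one the service expects, and the rpIdHash at the start of authenticatorData must equal SHA-256 of the RP ID. The following is an added example that is not part of the article or any vendor's code. It assumes login.microsoft.com as the RP ID purely for illustration, constructs the clientDataJSON and authenticatorData bytes a browser and authenticator would produce, and stops before signature verification, which needs the credential's public key and is unchanged by phishing.

```python
"""WebAuthn origin and RP ID binding checks (added example)."""
import base64
import hashlib
import json
from typing import Iterable, Tuple

RP_ID = "login.microsoft.com"                      # assumed RP ID for the example
ALLOWED_ORIGINS = {"https://login.microsoft.com"}  # assumed allowed origins


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON (base64url) as a browser at `origin` would emit it."""
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }
    return b64url_encode(json.dumps(client_data).encode())


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed minimal authenticatorData: rpIdHash(32) || flags(1) || signCount(4)."""
    flags = 0x05  # UP (user present) | UV (user verified)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_binding(
    client_data_b64: str,
    auth_data: bytes,
    expected_challenge: bytes,
    rp_id: str = RP_ID,
    allowed_origins: Iterable[str] = ALLOWED_ORIGINS,
) -> Tuple[bool, str]:
    """Relying-party checks that a relayed or phished assertion cannot pass."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in set(allowed_origins):
        return False, f"origin {origin!r} is not an allowed origin"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "binding checks passed; signature verification would follow"


CHALLENGE = bytes(range(32))  # fixed challenge for a reproducible example

if __name__ == "__main__":
    legit = verify_binding(make_client_data("https://login.microsoft.com", CHALLENGE),
                           make_authenticator_data(RP_ID), CHALLENGE)
    phished = verify_binding(make_client_data("https://login-microsoft-com-2fa.pages.dev", CHALLENGE),
                             make_authenticator_data(RP_ID), CHALLENGE)
    wrong_rp = verify_binding(make_client_data("https://login.microsoft.com", CHALLENGE),
                              make_authenticator_data("login-microsoft-com-2fa.pages.dev"), CHALLENGE)
    print("legitimate:", legit)
    print("relayed from phishing origin:", phished)
    print("signed for phishing RP ID:", wrong_rp)
```

In practice the browser on the phishing page never reaches the server check: it refuses to use an RP ID that is not a registrable suffix of the page's own origin, so the authenticator never signs. The server-side origin and rpIdHash checks are the backstop that makes a relayed assertion worthless even if an attacker manages to obtain one.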
FAQs
Can QR codes spread malware? Not on their own. A QR code encodes data, usually a URL but sometimes a Wi-Fi configuration, contact card or plain text, and the scanner only decodes it; nothing in the image executes. The risk is what happens next: the destination URL leads to a credential harvesting page, a drive-by download, or a prompt to install a malicious app.
Should I stop using QR codes entirely because of quishing? No. QR codes remain a legitimate and useful technology for contactless payments, restaurant menus, and two-factor authentication setup. The key is to be cautious about QR codes that arrive unexpectedly in email, on paper flyers, or posted in public places.
Does two-factor authentication protect against quishing? Standard TOTP-based 2FA is not sufficient against modern quishing attacks. Adversary-in-the-middle quishing attacks capture both the password and the TOTP code, relay them to the real service in real time, and keep the resulting session cookie. Phishing-resistant authenticators such as FIDO2 hardware keys and passkeys resist AiTM attacks because the credential is bound to the legitimate domain and cannot be relayed.
How do I report a quishing attack? Forward the suspicious email to the National Cyber Security Centre's Suspicious Email Reporting Service (report@phishing.gov.uk in the UK) or the FBI's IC3 (www.ic3.gov in the US). Also report to your organisation's IT security team.
What percentage of phishing attacks now use QR codes? Industry estimates suggest that QR code phishing now accounts for approximately 4-7% of all phishing attacks, up from less than 1% in 2023. The proportion is higher in targeted sectors — financial services (12%) and government (9%) see the most quishing activity.
Real-World Quishing Campaign Analysis
A notable quishing campaign detected by Cofense in March 2026 targeted a Fortune 500 financial services firm. The attackers sent emails impersonating the company's payroll department, with each message containing a PDF attachment titled "March 2026 Payroll Verification." The PDF displayed a QR code alongside official-looking branding.
When employees scanned the QR code, they were taken to a credential harvesting page mimicking the company's Okta SSO portal. The domain — payrollverify-okta.com — had been registered 72 hours before the campaign launched. Security analysts at Cofense identified the campaign after 11 employees voluntarily reported the email. Post-incident analysis estimated that 140 employees scanned the code, and 38 entered their credentials before IT blocked the domain and had it taken down.
What made this campaign particularly dangerous was its use of AiTM proxying. Even employees with TOTP-based multi-factor authentication were compromised — the phishing page captured both the password and the six-digit code, relayed them to the real Okta service, and exfiltrated the resulting session cookie. This technique defeats standard 2FA because the attacker authenticates in real time rather than replaying stolen credentials later.
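A stolen session cookie leaves traces that a SIEM rule can catch: the authentication arrives from the proxy's address rather than the user's phone, and the cookie is then used from a different address and browser within minutes. The following detection logic is an added example, not part of the article or Cofense's analysis. The sign-in log lines are constructed, and the "hosting provider" range is a stand-in from the TEST-NET-2 block; a real rule would use a maintained list of hosting and VPN ranges and the identity provider's actual log schema.

```python
"""Detect session-cookie replay after an AiTM login (added example)."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed stand-in for hosting/VPN ranges an AiTM proxy might sit in.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
DRIFT_WINDOW = timedelta(minutes=15)  # how soon after auth a new IP is suspicious

# Constructed sign-in log. s1 mirrors an AiTM flow: the login reaches the IdP
# from the proxy (hosting range) carrying the victim's phone UA, then the
# cookie is used from the attacker's own browser 29 seconds later.
SAMPLE_LOG = """\
2026-03-10T09:14:02Z user=alice event=auth_success session=s1 ip=198.51.100.23 ua=Safari-iOS
2026-03-10T09:14:31Z user=alice event=resource session=s1 ip=203.0.113.40 ua=Chrome-Win
2026-03-10T09:20:10Z user=bob event=auth_success session=s2 ip=192.0.2.77 ua=Edge-Win
2026-03-10T09:25:44Z user=bob event=resource session=s2 ip=192.0.2.77 ua=Edge-Win
2026-03-10T09:31:05Z user=carol event=resource session=s3 ip=203.0.113.9 ua=Firefox-Mac
"""


def parse_line(line: str) -> Dict[str, object]:
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def in_hosting_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (session, user, reason) alerts for cookie replay indicators."""
    sessions: Dict[str, Dict[str, object]] = {}
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        sid, user = str(e["session"]), str(e["user"])
        if e["event"] == "auth_success":
            sessions[sid] = e
            if in_hosting_range(str(e["ip"])):
                alerts.append((sid, user, f"authenticated from hosting range {e['ip']} (possible AiTM proxy)"))
            continue
        origin = sessions.get(sid)
        if origin is None:
            alerts.append((sid, user, "session used without an observed authentication"))
            continue
        elapsed = e["ts"] - origin["ts"]
        if e["ip"] != origin["ip"] and elapsed <= DRIFT_WINDOW:
            alerts.append((sid, user,
                           f"cookie used from {e['ip']} {int(elapsed.total_seconds())}s after auth from {origin['ip']}"))
        if e["ua"] != origin["ua"]:
            alerts.append((sid, user, f"user agent changed from {origin['ua']} to {e['ua']}"))
    return alerts


if __name__ == "__main__":
    for sid, user, reason in detect(SAMPLE_LOG):
        print(f"{sid} {user}: {reason}")
```

The three indicators are deliberately independent so that any one of them can fire on its own: a proxy hosted on a residential connection defeats the range check, but the cookie still has to be used from somewhere else, and that second hop is what the drift and user-agent rules catch.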
The lesson is clear: quishing attacks are not amateur operations. They're sophisticated, well-funded campaigns that target specific organisations with tailored approaches. Protect yourself with a comprehensive security solution like Kaspersky Premium, which includes QR code scanning protection and real-time phishing URL blocking.