QR Code Phishing (Quishing): What Small Teams Should Know

The short answer

QR code phishing, or quishing, hides a malicious link inside a scannable image so it slips past filters that only read text and clickable URLs. The attacker counts on you scanning the code with your phone, which moves the attack off your protected work device. Treat any unexpected QR code in an email as suspicious and verify through a known channel.

QR code phishing, often called "quishing," is an attack where a scammer hides a malicious link inside a QR code instead of a normal clickable link. When you scan the code with your phone, it sends you to a fake login page or downloads something harmful. The trick works because most email filters read text and URLs, not the contents of an image.

What quishing actually is

A QR code is just a link in picture form. Your phone camera reads the pattern and opens whatever web address is encoded inside. Attackers love this because the dangerous part of the message is no longer text. It is an image, and many security tools do not decode it.

A typical quishing email looks routine. It might claim you need to reset a password, review a document, or confirm a delivery. Instead of a button, it shows a QR code and a line like "scan to continue."

Why attackers switched to QR codes

For years, phishing relied on links and attachments. Filters got better at catching both. QR codes give attackers a way around that progress.

  • They hide the destination. A filter scanning for bad URLs sees only an image, not the link inside it.
  • They move you to a less-protected device. You scan with your personal phone, which usually has no company security software on it.
  • They feel modern and trustworthy. People scan QR codes for menus, payments, and event check-ins, so a code in an email does not raise alarms.

This is the same pattern we see with other targeted attacks. If you want the bigger picture, our guide on why spam filters miss targeted attacks explains the gap in plain terms.

How a quishing attack plays out

Most quishing follows a simple sequence:

  1. You get an email that looks like it comes from a service you use or someone at work.
  2. The message creates light pressure. Your account is locked, a document is waiting, a payment failed.
  3. Instead of a link, it shows a QR code to scan.
  4. You scan it with your phone and land on a convincing fake login page.
  5. You type your password, and the attacker captures it.

From there they can read your email, send messages as you, or move toward a business email compromise scheme that targets payments.

Warning signs to watch for

A QR code in an email is not automatically bad, but it should make you slow down. Be especially careful when you see:

  • A QR code where you would normally expect a button or link. Real services usually just link you directly.
  • Urgency or a threat. "Scan within 24 hours or lose access" is a pressure tactic.
  • A sender you cannot clearly verify. Look closely at the actual email address, not just the display name.
  • A code asking you to log in. Legitimate password resets rarely arrive as a QR code to scan.
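As an added example, not CIVRA's code or a description of how its engine works: a small standard-library Python check that scores a raw email message against the four warning signs above. It does not decode the QR image itself, and the keyword patterns, the two sample messages, the example domains and the two-signal threshold are all constructed assumptions for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed patterns for the warning signs listed above (not CIVRA's own rules).
SCAN_ASK = re.compile(r"\bscan (?:the|this) (?:qr )?code\b|\bscan to\b", re.I)
URGENCY = re.compile(r"\bwithin \d+ hours?\b|\blose access\b|\bsuspended\b", re.I)
LOGIN_ASK = re.compile(r"\b(?:log ?in|sign ?in|password)\b", re.I)
LINK = re.compile(r"https?://", re.I)

def quishing_signals(raw: bytes) -> dict:
    """Report which warning signs a raw RFC 5322 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, has_image = "", False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            has_image = True  # an image part is where a QR code would sit
        elif ctype in ("text/plain", "text/html"):
            body += part.get_content()
    name, addr = parseaddr(msg.get("From", ""))
    # Display-name spoof: the name shows one address, the real sender is another.
    shown = re.search(r"@([\w.-]+)", name)
    mismatch = bool(shown) and shown.group(1).lower() != addr.rsplit("@", 1)[-1].lower()
    return {
        "image_instead_of_link": has_image and bool(SCAN_ASK.search(body)) and not LINK.search(body),
        "urgency": bool(URGENCY.search(body)),
        "login_ask": bool(LOGIN_ASK.search(body)),
        "sender_name_mismatch": mismatch,
    }

def is_suspicious(raw: bytes, threshold: int = 2) -> bool:
    """Flag when at least `threshold` signals fire; the threshold is an assumed tuning choice."""
    return sum(quishing_signals(raw).values()) >= threshold

def build_message(sender: str, text: str, with_image: bool) -> bytes:
    """Build a constructed sample message; the image is a stub, not a real QR code."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example-corp.com", "Account notice"
    m.set_content(text)
    if with_image:
        m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="code.png")
    return m.as_bytes()

QUISHING = build_message('"it-support@example-corp.com" <alerts@mail-example.net>',
                         "Your password expires within 24 hours. Scan the QR code below to log in.", True)
BENIGN = build_message("Jane Doe <jane@example-corp.com>",
                       "Notes from today's meeting: https://intranet.example-corp.com/notes", False)
```

A check like this only flags the shape of the message; pairing it with a step that decodes any image found and runs the embedded URL through the same link checks as a clickable link closes the gap the article describes.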

How small teams can protect themselves

You do not need a security department to defend against quishing. A few habits cover most of the risk.

  • Make verification a rule. If a message asks you to scan and log in, confirm it through a known channel like a saved bookmark or a phone call.
  • Never scan a code that leads to a login page. Open the real site yourself instead.
  • Turn on multi-factor authentication. If a password is stolen, the second factor slows the attacker down.
  • Talk about it as a team. A two-minute conversation about quishing prevents more incidents than most tools.

For broader habits, our piece on how to spot a phishing email is a good companion read.

Where CIVRA fits

Tools that only check text and links struggle with QR codes. CIVRA looks deeper at the whole message, including sender identity and behavior, look-alike domains, attachments, and the language and intent of what is being asked. That means a message pushing you to scan and hand over credentials gets flagged based on what it is trying to do, not just whether it contains a known bad link. CIVRA runs alongside Microsoft 365 and Google Workspace and is built for small teams without dedicated IT or security staff.

FAQ

Can a QR code in an email really steal my password?

Not on its own, but it can send you to a fake login page that captures whatever you type. The QR code is just the delivery method. The damage happens when you enter your credentials on the page it opens.

How is quishing different from normal phishing?

Normal phishing uses clickable links or attachments that filters can scan. Quishing hides the link inside an image, so text-based filters often miss it, and you end up scanning it on a phone that usually has no company protection.

Is it safe to scan QR codes at all?

Scanning a code on a restaurant table or a printed sign is generally low risk. The concern is QR codes that arrive unexpectedly in email or messages and then ask you to log in or pay. Treat those with caution.

What should I do if I already scanned a suspicious code?

If you entered a password, change it right away and turn on multi-factor authentication. Then watch your account for unusual activity and let your team know in case others got the same email.

Quishing works by hiding intent inside an image, which is exactly the kind of attack a deeper analysis layer is built to catch. See how CIVRA inspects the whole message at civra.ai/features, or start protecting your inbox.
