Stop Scanning Random QR Codes: Quishing Is the New Phishing
- Paige Harkness
- 1 day ago
- 2 min read
QR codes are everywhere, from menus and event tickets to parcel lockers and “special offers.” That convenience is exactly why attackers love them.

Attackers send around 2.7 million QR-code emails every day and security telemetry logged 1.7M+ unique malicious QR codes in a six-month window (Oct 2024–Mar 2025). About 1 in 4 recent phishing attacks hid a QR code inside a PDF.
Why quishing works
You can’t “read” a QR code with your eyes. The destination hides until you scan.
People trust codes more than links. Marketing has trained us to expect QR codes everywhere.
Speed + mobile = less caution. Scans auto-open on small screens with less context.
And it’s prolific: millions of QR-code emails hit inboxes daily.
What we’re seeing
Attackers increasingly embed QR codes inside PDF/XLSX attachments, which bypasses simple link filters that only inspect URLs in the message body. Roughly 25% of recent phishing attacks used this “QR-in-PDF” trick. (Source: Seqrite)
Common lures: “MFA expiring,” “sign this DocuSign,” “view secure document,” or “urgent billing/update.” (Source: APWG Documents)
How to spot a risky QR code (and what to do instead)
Red flags
A QR code in an unexpected email or PDF, especially about accounts, billing, MFA, or document signing.
Codes on stickers covering parking meters, posters, menus, or public signage.
A link preview that’s shortened or doesn’t match the brand you expected.
Safer behaviours
Type the address yourself (e.g., portal.microsoft.com, docusign.com) or use bookmarks.
If you must scan, preview the URL first (press-and-hold on mobile). If it’s shortened or odd, don’t open.
Only scan setup/MFA codes from official, logged-in pages—never from an email attachment.
Copy-paste policy snippet (for your team)
Company Rule on QR Codes
Do not scan QR codes from emails, PDFs, SMS, or social DMs to access company resources.
For signing, billing, MFA, and file access, navigate via saved bookmarks or type the official URL.
Report suspicious QR codes (email or physical) to IT/Security with a screenshot/photo. If you scanned one by mistake, follow the steps below immediately.
“I already scanned it—now what?”
Don’t enter credentials. If you did, change the password now and sign out of all sessions; reset MFA if prompted.
Close the page and uninstall any profile/app you didn’t intend to install.
Run an AV/malware scan on the device.
Report it to IT/Security with a screenshot of the code or link preview.
Guidance for IT & Security
Email security: Flag/quarantine messages with QR codes in attachments (PDF/XLSX) and common impersonation terms (MFA, DocuSign, invoice).
Shortener controls: Block URL shorteners at the proxy/secure web gateway.
Mobile controls: Via MDM/UEM, disable auto-open after scan and enforce safe browsing on managed devices.
Conditional Access: Require MFA + device compliance; use sign-in risk policies.
Training: Add QR scenarios (including physical-world posters/parking meters) to phishing simulations.
IR playbooks: Include quishing steps (password reset, token revocation, device scan, SIEM search for lookalike domains).
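The URL preview, shortener blocking and lookalike-domain checks described above, as an added example that is not from the original post or ORCA Opti: it triages a URL already decoded from a QR code before anyone opens it. The shortener, trusted-domain and lure lists are constructed for illustration, and the domain split is a naive last-two-labels guess rather than a real public-suffix lookup.

```python
# Added example, not from the original post or ORCA Opti: triage a URL that has
# been decoded from a QR code before anyone opens it. Standard library only.
import re
from urllib.parse import urlparse

# Constructed lists for illustration; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
TRUSTED_DOMAINS = ("microsoft.com", "docusign.com")   # brands the post names
LURE_WORDS = ("mfa", "docusign", "invoice", "billing", "securedoc")
# Common character substitutions seen in lookalike hostnames
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(host):
    """Undo common homoglyph swaps so 'rnicrosoft' compares as 'microsoft'."""
    for src, dst in HOMOGLYPHS:
        host = host.replace(src, dst)
    return host

def registrable(host):
    """Naive eTLD+1 (last two labels); assumption: no multi-part public suffixes."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def triage_qr_url(url):
    """Return (verdict, reasons): 'allow', 'review' or 'block' for a decoded QR URL."""
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    base = registrable(host)
    if parsed.scheme != "https":
        reasons.append("not https")
    if base in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) hostname")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain")
    for trusted in TRUSTED_DOMAINS:      # brand name present, but not the brand's domain
        brand = trusted.split(".")[0]
        if brand in normalize(host) and base != trusted:
            reasons.append(f"lookalike of {trusted}")
    lowered = (parsed.path + "?" + parsed.query).lower()
    if base not in TRUSTED_DOMAINS and any(w in lowered for w in LURE_WORDS):
        reasons.append("MFA/signing/billing lure outside a trusted domain")
    if reasons:
        return "block", reasons
    return ("allow" if base in TRUSTED_DOMAINS else "review"), reasons
```

Feed it the string your QR scanner or email gateway decoded; anything that comes back "block" is logged with its reasons, and "review" is the unknown-but-clean case that still deserves a human look before it is opened.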
The bottom line
Treat QR codes like blind links. If you wouldn’t click a mystery link, don’t scan a mystery code, especially for logins, payments, or “secure documents.”
Need help? Book a quick Cyber Health Conversation to find out how ORCA Opti can help harden your information security.