“Don’t Scan That.” How QR Code Phishing Is Fooling Thai SMEs And Bypassing Your Security Filters

2 June, 2026

There’s a QR code on the table at your favorite café. One on the parking machine. One in the email from “HR” about your new benefits portal. One stuck to the wall at the trade show last week.

You scanned all of them without thinking twice.

That’s exactly what attackers are counting on.


What Is Quishing?

Quishing – QR + phishing – is a cyberattack where criminals embed a malicious link inside a QR code. Scan it, and you’re redirected to a fake login page, a credential harvester, or a malware download. The goal is identical to traditional phishing. The delivery is what makes it dangerous.

When the malicious URL is encoded in the pixel matrix of an image, your email security gateway sees only an image file and passes it through – completely uninspected. Every spam filter, every URL blocklist, every link scanner your IT team put in place? Bypassed in one scan.


The Numbers Are Not Small

Microsoft analysed over 8.3 billion email-based phishing threats in Q1 2026 and flagged a 146% rise in quishing attacks – reaching their highest point in the past year.

QR codes now appear in 12% of all phishing attacks globally – up from just 0.8% in 2021. 

Palo Alto Unit 42 telemetry averages more than 11,000 malicious QR detections every single day. And around 80% of QR-bearing phishing files had zero detections on VirusTotal when first encountered. 

Zero. Your tools had never seen them before. They passed right through.


Why This Hits SMEs Especially Hard

The attack shifts the user from a managed desktop to an unmanaged mobile device – bypassing endpoint protection, web proxies, and corporate DNS filtering entirely.

Your staff scan the QR on their personal phone. That device has none of your company’s security controls on it. The attack happens entirely outside your perimeter.

And 73% of users scan QR codes without verifying the destination first. Not because they’re careless – but because QR codes were designed for speed and trust. That design is the vulnerability. 


Where It Happens – Closer Than You Think

Attackers replace payment QR codes on restaurant tables with fake codes linked to their own accounts. Victims scan fake parking QR codes and submit card details to phishing pages. Fraudulent donation QR codes appear during events or disasters.

In the office context: fake HR emails with QR codes directing staff to “reset their Microsoft 365 password.” A printed notice in the lift asking employees to scan for the new Wi-Fi. An invoice from a supplier – with a QR code replacing the bank transfer details.

Thailand’s QR payment infrastructure (PromptPay, bank apps) makes this especially fertile ground. Staff are conditioned to scan and pay without hesitation.


What Your Business Should Do

  1. Train staff on one simple rule: Always preview the URL before you tap. Most phone cameras show a brief preview after scanning – teach staff to read it, not skip it.
  2. Never scan a QR code in an unexpected email. If HR or IT sends a QR code asking you to log in somewhere, call them first. Verify out-of-band.
  3. Check physical QR codes before scanning. A sticker placed over a legitimate code is the most common physical attack vector. If it looks applied, not printed, be suspicious.
  4. Move away from SMS-based MFA. Quishing attacks often target 2FA codes. Hardware keys or authenticator apps are significantly more resistant.
  5. Get your security posture assessed. If your team doesn’t know whether your email gateway can detect image-based threats, that’s the gap. A SafeComs IT Security Audit will tell you exactly where you stand.
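One way to put rule 1 into practice on the gateway or helpdesk side, as an added example that is not SafeComs' own tooling: once a QR image has been decoded (by a scanner library or the phone's preview), this Python triage flags the destination URL on the patterns the lures above rely on. The brand list, the placeholder domains and the sample URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Brands the page's lures impersonate, mapped to domains that may legitimately carry the
# name. Constructed for this example; a deployment would load its own allow-list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "promptpay": {"promptpay.example"},  # placeholder, not the real operator's domain
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # real destination hidden behind a redirect
CC_SECOND_LEVEL = {"co", "com", "ac", "go", "or", "net", "in"}  # e.g. example.co.th

def registered_domain(host: str) -> str:
    """Approximate the registrable domain: last two labels, or three for co.th-style ccTLDs."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def triage_qr_url(url: str) -> list[str]:
    """Return the risk flags that fire for one decoded URL; an empty list means none did."""
    flags = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        flags.append("non-https")
    if not host:
        return flags + ["no-host"]
    if parsed.username is not None:
        flags.append("userinfo")  # a brand name placed before '@' masks the real host
    try:
        ipaddress.ip_address(host)
        flags.append("ip-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")  # homoglyph look-alike domains are encoded this way
    reg = registered_domain(host)
    if reg in SHORTENERS:
        flags.append("shortener")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host.replace("-", "") and reg not in legit:
            flags.append(f"brand-lookalike:{brand}")
    return flags

if __name__ == "__main__":  # constructed sample destinations matching the lures on this page
    for u in ["https://login.microsoftonline.com/common/oauth2", "http://203.0.113.7/pay",
              "https://microsoft365-reset.example-host.net/login", "https://bit.ly/3abcdef"]:
        print(f"{u:55} {triage_qr_url(u) or 'OK'}")
```

Any non-empty result is a reason to hold the message or call the sender, not proof of attack; an empty result only means these particular heuristics did not fire.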


The Bottom Line

Your staff were trained to hover over links before clicking. Quishing removes the link entirely. Most security awareness programmes have not caught up yet – and attackers know it.

The square looks harmless. It isn’t.

📩 safecoms.com | Secure | Comply | Simplify


Sources

  • Microsoft Email Threat Landscape Report Q1 2026 – TechRadar
  • Keepnet Labs Quishing Statistics 2026 – keepnetlabs.com
  • Acronis Security Blog – acronis.com
  • Palo Alto Unit 42 / Cyble Scanception Research 2026
  • ECCU Cybersecurity Blog – eccu.edu
