Quishing – a blend of "QR code" and "phishing" – has become one of the fastest-growing cybersecurity threats of 2026. Unlike traditional phishing that uses suspicious email links, quishing hides malicious URLs behind innocent-looking QR codes, making them nearly impossible to detect with standard email filters.
Key Statistic
Quishing attacks increased by 587% between 2024 and 2026, according to cybersecurity research. It's now the #1 growing attack vector targeting both individuals and businesses.
How Quishing Works
The mechanics of quishing are deceptively simple. Attackers create a malicious QR code that, when scanned, redirects victims to a fake website designed to steal credentials, payment information, or install malware. The attack exploits a fundamental human behavior: we trust QR codes because we can't read them.
Unlike a suspicious URL like http://paypa1-secure-login.tk/verify that might raise red flags, a QR code hides its destination completely.
Victims scan first and think later – often too late.
The Typical Quishing Attack Flow
- 1. Creation: The attacker generates a QR code pointing to a phishing site, malware download, or cryptocurrency drainer.
- 2. Distribution: The QR code is distributed via email (bypassing spam filters), printed and placed in physical locations, or shared on social media.
- 3. Deception: The victim scans the code, believing it to be legitimate (a menu, payment portal, WiFi login, etc.).
- 4. Exploitation: The victim enters credentials, payment info, or unknowingly downloads malware.
- 5. Exfiltration: The attacker harvests the data and uses it for financial fraud or identity theft.
Why Quishing is So Effective
Several factors make quishing particularly dangerous compared to traditional phishing:
1. Bypasses Email Filters
Traditional phishing relies on clickable links that email security systems can scan and block. QR codes are images – they pass through spam filters undetected because the malicious URL is encoded in pixels, not text.
2. Implicit Trust in QR Codes
After the COVID-19 pandemic normalized QR code usage for menus, payments, and check-ins, people became conditioned to scan first and ask questions never. A 2025 survey found that 76% of users trust QR codes without verifying the destination.
3. Mobile Device Vulnerabilities
QR codes are scanned on phones, which typically show truncated URLs and lack the security extensions common on desktop browsers. Users can't easily preview the full URL before visiting.
4. Physical World Integration
Attackers can place fake QR stickers over legitimate ones in the real world – on parking meters, restaurant tables, ATMs, and event posters. This adds a layer of legitimacy that purely digital attacks lack.
Real-World Quishing Examples
Parking Meter Scams (Austin, Texas)
In early 2024, scammers placed fake QR code stickers on over 100 parking meters in Austin. When drivers scanned to pay, they were redirected to a convincing fake payment page that captured credit card information. The scam spread to cities in the UK and Australia before authorities caught on.
Microsoft 365 Credential Harvesting
Corporate employees received emails with QR codes claiming to require "2FA verification" for their Microsoft 365 accounts. The codes led to a pixel-perfect replica of the Microsoft login page, capturing thousands of credentials before detection.
Cryptocurrency Wallet Drainers
At crypto conferences, attackers distributed flyers with QR codes promising "free airdrops." The codes led to wallet-draining smart contracts that emptied victims' crypto wallets within seconds of connection.
How to Protect Yourself from Quishing
Protecting yourself from quishing requires a combination of awareness, verification, and the right tools:
Verify Before Scanning
Use a QR code safety checker like RexoGate to preview the destination URL before visiting.
Look for Physical Tampering
Check if a QR code looks like a sticker placed over something else. Legitimate codes are usually printed directly.
Check the URL Domain
Even after scanning, verify the domain matches what you expect. Watch for typosquatting (paypa1 vs paypal).
Never Enter Credentials from QR Scans
If a QR code leads to a login page, navigate to that site directly by typing the URL instead.
Be Skeptical of Unexpected QR Codes
QR codes in emails, text messages, or random public places should trigger immediate suspicion.
How RexoGate Detects Quishing Attacks
RexoGate's QR Code Safety Checker uses 14 risk heuristics to analyze QR code destinations before you visit them:
- Protocol Verification: Flags HTTP (insecure) links that should use HTTPS.
- Typosquatting Detection: Identifies domains like paypa1.com or amaz0n.com designed to deceive.
- Punycode Analysis: Detects homograph attacks using Unicode characters (xn-- domains).
- Suspicious TLD Flagging: Warns about high-risk domain extensions (.tk, .xyz, .ru, etc.).
- URL Shortener Detection: Alerts when the destination is hidden behind bit.ly or similar services.
- Phishing Keyword Analysis: Scans for terms like "verify", "login", "account", "urgent" in suspicious contexts.
- File Extension Checks: Blocks links to executable files (.exe, .apk, .dmg, etc.).
All analysis happens 100% locally in your browser. Your QR codes are never uploaded to any server, ensuring complete privacy.
The Future of Quishing
As awareness grows, attackers will continue to evolve their tactics. We expect to see:
- AI-Generated QR Codes: Dynamically generated codes that evade pattern-based detection.
- Time-Delayed Attacks: QR codes that initially point to safe sites, then redirect to phishing pages after a delay.
- Cross-Platform Targeting: QR codes that detect your device and serve platform-specific malware.
- Deepfake Integration: QR codes embedded in AI-generated videos or images for added credibility.
The key to staying safe is maintaining healthy skepticism and always verifying before trusting.
Conclusion
Quishing represents a significant evolution in phishing tactics, exploiting our trust in QR codes and the seamless integration of digital and physical worlds. The good news is that with the right awareness and tools, you can protect yourself completely.
Remember: No legitimate organization will pressure you to scan a QR code for sensitive actions. When in doubt, navigate directly to websites by typing the URL, and always verify QR codes before scanning.