Phishing & social engineering

Qishing (QR phishing)

Phishing in which the malicious link is delivered as a QR code rather than text, shifting the click from a managed laptop to an unmanaged personal phone.

Qishing — also written quishing — is phishing in which the malicious URL is embedded in a QR code rather than rendered as clickable text. The target receives an email, a printed flyer, a parking ticket, or a poster instructing them to scan; the scanned URL leads to a credential page, a fake MFA prompt, or an OAuth consent screen. The technique saw a sharp rise through 2023-2024, with multiple email-security vendors and ANSSI bulletins flagging the trend.

Two structural advantages drive its adoption:

  • Filter bypass. A QR image is, to a legacy email gateway, an attachment of opaque pixels — not a URL to be reputation-scored. Even URL-rewriting filters and link-detonation sandboxes commonly skip them.
  • Channel switch to personal devices. Most office workers scan a QR with their phone, not their managed laptop. The phone often lacks the corporate DNS filter, EDR, browser-isolation, and password-manager warnings that would have caught the link on the laptop.

Defining variants:

  • Email-borne QR. A “fax received,” “voicemail,” “DocuSign,” or “MFA re-enrollment” message with a QR image attached.
  • Physical QR. Stickers placed over legitimate codes on parking meters, restaurant tables, EV chargers, or office posters — a low-cost attack with disproportionate reach.
  • MFA-enrollment hijack. A “scan to re-enroll your authenticator” QR routes the target to attacker-controlled secrets, transferring the second factor.
  • OAuth-grant funnel. The destination is a real Microsoft or Google consent page for a malicious app, which captures persistent access without ever asking for a password.

The defensive lever combines a technical floor and a behavioral one. Floor: bring personal phones used for work email under at least DNS-level filtering and conditional access. Behavior: build the reflex — through simulation campaigns and just-in-time nudges — to type the URL manually for any auth-related QR, and to assume any QR delivered by email is hostile until proven otherwise.
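The filter-bypass point above (a QR image is opaque pixels to a gateway that only scores URLs) and the technical floor just described meet in the mail pipeline. The following is an added triage heuristic, not code from any vendor product: it parses a raw message with Python's standard library and flags the combination this entry describes, an authentication-themed lure, an image part, and a body that says "scan" while offering no URL to score. The sample messages, the `LURE_TERMS` list and the escalation threshold are constructed assumptions; decoding the QR itself would be the stage that runs after this gate.

```python
"""Qishing triage for inbound mail (constructed example, stdlib only)."""
import re
from email import message_from_string
from email.message import Message
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Pretext themes this entry lists for email-borne QR lures (assumed list).
LURE_TERMS = ("fax", "voicemail", "docusign", "mfa", "authenticator",
              "re-enroll", "password")
URL_RE = re.compile(r"https?://", re.I)
SCAN_RE = re.compile(r"\bscan\b", re.I)


def _text_parts(msg: Message) -> str:
    """Concatenate every decoded text/* part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Score one RFC 822 message; all three signals together means escalate."""
    msg = message_from_string(raw_message)
    body = _text_parts(msg)
    reasons = []
    if any(p.get_content_maintype() == "image" for p in msg.walk()):
        reasons.append("image_part")            # opaque to URL reputation
    if any(t in (msg.get("Subject", "") + body).lower() for t in LURE_TERMS):
        reasons.append("auth_lure")             # MFA / voicemail / fax pretext
    if SCAN_RE.search(body) and not URL_RE.search(body):
        reasons.append("scan_no_url")           # click moved off the laptop
    return {"score": len(reasons), "reasons": reasons, "escalate": len(reasons) >= 3}


def build_sample(subject: str, body: str, with_image: bool) -> str:
    """Constructed sample mail; the PNG bytes are a placeholder, not a real QR."""
    m = MIMEMultipart("mixed")
    m["Subject"] = subject
    m["From"] = "noreply@example.invalid"
    m.attach(MIMEText(body, "plain"))
    if with_image:
        m.attach(MIMEImage(b"\x89PNG\r\n\x1a\nPLACEHOLDER", _subtype="png"))
    return m.as_string()


QISHING_SAMPLE = build_sample("Action required: MFA re-enrollment",
                              "Your authenticator expires today. Scan the code below.", True)
BENIGN_SAMPLE = build_sample("Lunch photos", "Here are the pictures from Friday.", True)
```

A message that escalates should be handed to a QR decoder so the extracted URL can be reputation-scored like any other link; the benign sample shows that an image alone is not enough to trip the gate.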
