Threat 01 // Quishing

Malicious QR Codes

A QR code is a link you cannot read. Attackers exploit exactly that — turning a harmless-looking square into a doorway to credential theft, fraud and malware. This is “quishing,” and it is one of the fastest-growing tricks against businesses.

# What it is

Quishing (QR-code phishing) is a social-engineering attack that replaces the clickable link in a traditional phishing message with a QR code. The victim scans the code with a phone camera and is taken to a website controlled by the attacker — typically a fake login page, a payment-fraud page, or a prompt to install an “app.”

The trick works because a QR code is unreadable to humans. With a normal link you can hover, inspect the domain, and decide. With a QR code there is nothing to inspect — you simply point and trust.

Key idea

The QR code is not the weapon. It is the wrapping paper. It exists to hide a malicious destination and to move the victim onto a personal phone, where business security controls usually do not reach.

# How the attack works

  1. Lure. The attacker delivers a QR code — in an email (often as an image to dodge link scanners), a PDF invoice, a printed letter, or a sticker placed over a legitimate code in the physical world.
  2. Pretext. The surrounding message creates urgency or routine: “Scan to review your payslip,” “Scan to pay for parking,” “Scan to re-activate your account.”
  3. Scan. The victim uses a phone — outside the company firewall, often with no endpoint protection — and the encoded URL opens.
  4. Harvest. The destination is a convincing clone of a known brand or internal portal. The victim enters credentials, MFA codes or card details, which flow straight to the attacker.
  5. Pivot. Stolen credentials are used to access email, cloud apps or banking — often within minutes, before anyone notices.

# Real-world examples

Patterns that have repeatedly targeted organisations:

  • Fake MFA “re-enrolment.” An email claiming the company is updating multi-factor authentication, with a QR code to “re-register your device.”
  • Sticker overlays. Malicious QR stickers placed on parking meters, restaurant tables and EV chargers, redirecting payments to the attacker.
  • Invoice and shipping lures. A PDF invoice or delivery notice with a QR code to “view” or “release” the item.
  • HR and payroll bait. “Scan to view your updated benefits or bonus statement” — timed around payroll dates.

Why filters miss it

When the QR code is delivered as an image, there is no text URL for an email gateway to scan. The malicious link is, quite literally, a picture.

# How to detect it

Treat a QR code as suspicious when you notice any of these signals:

  • An email’s main call to action is a QR code rather than a normal button or link.
  • The message pushes urgency — accounts “expiring,” payments “failing,” access being “revoked.”
  • You are asked to scan with a personal phone to do something work-related.
  • The QR code arrives as an image attachment or sits inside a PDF.
  • After scanning, the preview URL does not match the brand it claims to be.
  • A printed or public QR code looks like a sticker applied over another code.
  • The destination immediately asks for a password, MFA code or card number.
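As an added example (not code from the original page), the signals in the list above turned into a small triage function in Python. It assumes the QR image has already been decoded to a URL by a separate step; the Email class, the registered_domain simplification, the keyword patterns and the sample lure are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Urgency phrasing from the lures listed above; constructed pattern, not exhaustive.
URGENCY = re.compile(r"\b(expir\w*|revok\w*|suspend\w*|failing|re-?activate|re-?register)\b", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumption: a maintained list in production

@dataclass
class Email:
    claimed_domain: str                              # brand the message claims to come from
    body: str
    attachments: list = field(default_factory=list)  # attachment filenames
    qr_urls: list = field(default_factory=list)      # URLs already decoded from any QR images

def registered_domain(host: str) -> str:  # last two labels; ignores public suffixes such as co.uk
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def url_signals(url: str, claimed_domain: str) -> list:
    """The checks a URL-previewing scanner should make on a decoded QR destination."""
    found, parts = [], urlsplit(url)
    host = parts.hostname or ""
    dest, claimed = registered_domain(host), registered_domain(claimed_domain)
    if dest in SHORTENERS:
        found.append("URL shortener hides the final destination")
    elif dest != claimed:
        found.append(f"destination {host} does not match claimed brand {claimed}")
        if claimed.split(".")[0] in host:  # brand name reused inside a foreign domain
            found.append("brand name used as a lookalike inside another domain")
    return found

def triage(mail: Email) -> list:
    """Returns the detection signals from the list above that this message triggers."""
    signals = []
    if mail.qr_urls and not re.search(r"https?://", mail.body):
        signals.append("main call to action is a QR code, not a link")
    if URGENCY.search(mail.body):
        signals.append("urgency language")
    if re.search(r"\b(personal|your) phone\b", mail.body, re.I):
        signals.append("asks for a scan with a personal phone")
    if mail.qr_urls and any(a.lower().endswith((".png", ".jpg", ".pdf")) for a in mail.attachments):
        signals.append("QR code delivered as an image or PDF attachment")
    for url in mail.qr_urls:
        signals.extend(url_signals(url, mail.claimed_domain))
    return signals

# Constructed sample: a fake MFA re-enrolment lure of the kind described above.
SAMPLE = Email("example.com", "Your MFA device expires today. Scan the code with your phone to re-register.",
               ["mfa-qr.png"], ["http://example-com.mfa-reset.test/login"])
```

`triage(SAMPLE)` returns all six signals for the sample lure, while a plain internal message with a text link and no QR code returns none.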

# How to defend against it

People

  • Train staff that a QR code is an unreadable link — same caution as any link.
  • Use a scanner that previews the full URL before opening it.
  • Never enter credentials or payment details on a page reached from a scan.
  • Verify unexpected requests through a known channel, not the message itself.

Technology & process

  • Enforce phishing-resistant MFA so a stolen password alone is not enough.
  • Use email security that can analyse QR codes inside images and PDFs.
  • Protect mobile devices that touch company data with managed security.
  • Give staff a fast, blame-free way to report a suspicious code.

# How Pendergrass Consulting helps

Pendergrass Consulting helps Research Triangle businesses close the quishing gap on both sides: the human and the technical. We run security awareness training (including QR-based phishing simulations), deploy email and endpoint protection that inspects QR payloads, and harden your MFA and identity setup so a single stolen password cannot open the door.


# Frequently asked questions

What is quishing?

Quishing is phishing that uses a QR code instead of a clickable link. The QR code hides a malicious web address, so the victim only sees a square of dots and has no easy way to tell where it leads before scanning.

Can a QR code itself contain a virus?

Not directly. A QR code is just encoded text — usually a URL. The danger is where that URL takes you: a credential-harvesting page, a malicious download, or a payment-fraud site. The QR code is the delivery vehicle, not the payload.

Why do attackers use QR codes instead of normal links?

QR codes bypass many email link-scanners, they are usually opened on a phone (which has fewer protections than a managed laptop), and a person cannot read the destination URL at a glance — so the usual “check the link” advice does not work.

How can my staff scan QR codes safely?

Use a scanner that previews the full URL before opening it, never enter passwords or payment details on a page reached from a scanned code, treat codes on stickers or printed letters with suspicion, and report anything that asks you to log in unexpectedly.

SECURE.EXE

Could your team tell a real QR code from a fake one?

A short phishing simulation answers that question fast. Pendergrass Consulting can test, train and harden your defenses against quishing.