What Is QR Code Phishing (Quishing) and How Do I Stop It?

Quick Answer

Quishing uses QR codes in emails to bypass security filters. The malicious link is hidden in an image, not scannable text. When scanned with a phone, users are taken to credential theft sites. Defence requires updated email security, user awareness, and mobile device controls.

Why QR Phishing Works

Traditional email security scans message text and the URLs in it. A QR code carries the URL inside an image, so a filter that only parses text never sees it.

The attack:

  1. Email arrives with a QR code (often posing as an MFA reset, document access request or HR notice)
  2. Email security does not detect the malicious URL (it is encoded in an image)
  3. User scans the QR code with a personal phone
  4. Phone opens the malicious site outside corporate security controls
  5. User enters credentials on a fake login page
  6. Attacker harvests the credentials
Why it's effective:
  • Bypasses email URL scanning
  • Moves attack to personal mobile device
  • Mobile browsers hide full URLs
  • People trust QR codes (we've been trained to scan them)
  • Urgency drives action ("Scan to verify your account")

Common Quishing Scenarios

MFA/security verification: "Your MFA is expiring. Scan to re-verify." "Suspicious login detected. Scan to secure your account."

HR and payroll: "Scan to view your updated benefits package." "Required: Update your direct deposit information."

Document access: "Scan to view shared document." "DocuSign: Scan to complete signature."

IT support: "Scan to install required security update." "VPN access: Scan to configure."

Why Traditional Defences Fail

URL scanning: Can't read URLs embedded in images

Link rewriting: Nothing to rewrite—it's a picture

Reputation filtering: No URL to check until it's scanned

Sandboxing: Email contains an image, not an executable

The QR code creates a security blind spot.

How to Defend Against Quishing

1. Updated email security

Modern email security with:
  • QR code detection and analysis
  • Image-based URL extraction
  • AI/ML detection of quishing patterns
  • Warning banners on emails containing QR codes
Microsoft Defender for Office 365 and leading email security vendors now include quishing protection.
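As an added example (not the article's code, and not any vendor's filter), the Python below sketches the two controls described under "Why Traditional Defences Fail" and "Updated email security": treating an image inside a "scan to verify" email as a signal in its own right, and running the usual URL checks on whatever a QR decoder recovers from that image. The cue lists, allowlist, thresholds, sample messages and the `demo_decoder` stand-in are all constructed for the example; a real deployment would plug a QR decoder such as pyzbar into the `decode_qr` hook.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed cue lists and allowlist for this example; a production filter
# would use tuned, far larger sets plus a live reputation feed.
SIGNALS = [  # (pattern over subject + body, finding, weight)
    (re.compile(r"\b(scan|qr[- ]?code|re-?verify|mfa|authenticator)\b", re.I), "scan/verify wording", 2),
    (re.compile(r"\b(within \d+ hours|immediately|expir(?:es|ing)|suspended|urgent)\b", re.I), "urgency wording", 1),
]
LINK_RE = re.compile(r"https?://\S+", re.I)
TRUSTED_HOSTS = {"login.microsoftonline.com", "example-corp.com"}
BRAND_WORDS = ("microsoft", "office", "docusign", "sharepoint", "okta")
WARN_THRESHOLD, QUARANTINE_THRESHOLD = 3, 5
BANNER = "[CAUTION] This email contains a QR code. Do not scan it unless you were expecting it."


def url_findings(url):
    """The checks a link filter already runs, applied to a URL decoded from an image."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    out = []
    if p.scheme != "https":
        out.append("non-https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        out.append("ip-literal host")
    if host not in TRUSTED_HOSTS:
        out.append("untrusted host")
        if any(brand in host for brand in BRAND_WORDS):
            out.append("brand lookalike")
    return out


def triage_message(raw, decode_qr=None):
    """Score one raw RFC 822 message. decode_qr(image_bytes) -> list of strings is an
    optional hook for a real QR decoder (not shipped here); without it only the
    structural and wording signals are scored."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    images = [part.get_payload(decode=True)
              for part in msg.walk() if part.get_content_maintype() == "image"]

    findings, score = [], 0
    if images:
        findings.append(f"{len(images)} image part(s)")
        score += 2
    for pattern, label, weight in SIGNALS:
        if pattern.search(text):
            findings.append(label)
            score += weight
    if images and not LINK_RE.search(text):
        findings.append("no clickable link: the image is the link")
        score += 1
    qr_urls = {}
    for img in (images if decode_qr else []):
        for url in decode_qr(img):
            qr_urls[url] = url_findings(url)
            score += len(qr_urls[url])

    verdict = ("quarantine" if score >= QUARANTINE_THRESHOLD
               else "warn" if score >= WARN_THRESHOLD else "deliver")
    return {"verdict": verdict, "score": score, "findings": findings,
            "qr_urls": qr_urls, "banner": BANNER if verdict != "deliver" else None}


# Constructed sample messages; the image payload is just the PNG magic bytes.
SAMPLE_QUISHING = b"""From: IT Helpdesk <helpdesk@mail-secure-update.example>
Subject: Action required: your MFA is expiring
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your MFA is expiring within 24 hours. Scan the QR code below with your
phone to re-verify your account.

--b1
Content-Type: image/png
Content-Disposition: inline; filename="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
SAMPLE_BENIGN = b"""From: Alice <alice@example-corp.com>
Subject: Friday lunch
Content-Type: text/plain; charset="utf-8"

Menu is at https://example-corp.com/intranet/menu - see you there.
"""


def demo_decoder(image_bytes):
    """Stand-in for a real decoder (e.g. pyzbar); returns a constructed payload."""
    return ["http://login-microsoft.verify-now.example/auth"]


if __name__ == "__main__":
    print(triage_message(SAMPLE_QUISHING, decode_qr=demo_decoder))
```

The point of the hook is that the URL checks are ones a link filter already has; what it lacks is the URL. Even without a decoder, the structural signals alone (an image, "scan" and "MFA" wording, urgency, and no clickable link at all) push the constructed sample past the quarantine threshold, which is why an image plus scan wording is worth a warning banner on its own.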

2. User awareness training

Train staff to:
  • Be suspicious of unexpected QR codes in emails
  • Verify requests through other channels
  • Check URLs before entering credentials
  • Report suspicious QR code emails
Key message: Legitimate organisations rarely send QR codes via email for security actions.

3. Mobile device security

If users scan with corporate phones:
  • Mobile Threat Defence (MTD)
  • Web filtering on mobile devices
  • Managed browser requirements
If users scan with personal phones:
  • You've lost control—awareness is critical
  • Consider blocking personal device email access

4. Conditional Access

Even if credentials are phished:
  • Block sign-ins from unusual locations
  • Require compliant devices
  • Detect risky sign-in patterns
  • Use phishing-resistant MFA
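Added example, not the article's code and not Microsoft Entra's Conditional Access engine: a small policy evaluator that applies the four bullets above to a constructed sign-in log, so you can see why a phished password stops being enough. The field names, the "usual countries" baseline and the risk labels are assumptions standing in for what a real identity provider and risk engine supply.

```python
import json
from dataclasses import dataclass

# Methods that bind the credential to the genuine origin, so a relayed one-time
# code or an approved push prompt is not enough for the attacker.
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "windows_hello", "certificate"}
# Constructed baseline of where each user normally signs in from; a risk
# engine learns this per user over time.
USUAL_COUNTRIES = {"jane.doe@example-corp.com": {"GB"}}


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str
    device_compliant: bool
    mfa_method: str   # "none", "sms", "push", "fido2", ...
    risk_level: str   # "none" | "low" | "medium" | "high", as labelled upstream


def evaluate(event):
    """Return (decision, reasons). 'block' ends the attempt; 'step_up' demands
    phishing-resistant MFA before any token is issued; 'allow' passes."""
    if event.risk_level == "high":
        return "block", ["high sign-in risk"]
    reasons = []
    if not event.device_compliant:
        reasons.append("device not compliant")
    usual = USUAL_COUNTRIES.get(event.user, set())
    unusual_location = bool(usual) and event.country not in usual
    if unusual_location:
        reasons.append(f"unusual location {event.country} (usual: {sorted(usual)})")
    strong_mfa = event.mfa_method in PHISHING_RESISTANT_MFA
    if not strong_mfa:
        reasons.append(f"mfa '{event.mfa_method}' is not phishing-resistant")
    if event.risk_level == "medium":
        reasons.append("medium sign-in risk")

    # A phished password plus a relayable second factor fails here: the attacker
    # has no compliant device and usually no matching location.
    if not event.device_compliant or (unusual_location and not strong_mfa):
        return "block", reasons
    if not strong_mfa or event.risk_level == "medium":
        return "step_up", reasons
    return "allow", reasons


def parse_log(lines):
    """One JSON object per line, as an exported sign-in log might provide."""
    return [SignIn(**json.loads(line)) for line in lines.strip().splitlines()]


def decisions(lines):
    return [evaluate(event)[0] for event in parse_log(lines)]


# Constructed sample sign-in log: the first two are the genuine user; the last
# two reuse a phished password, first from an unmanaged device, then from a
# managed device in an unusual location with a relayable SMS code.
SAMPLE_LOG = """
{"user": "jane.doe@example-corp.com", "country": "GB", "device_compliant": true, "mfa_method": "fido2", "risk_level": "none"}
{"user": "jane.doe@example-corp.com", "country": "GB", "device_compliant": true, "mfa_method": "push", "risk_level": "none"}
{"user": "jane.doe@example-corp.com", "country": "US", "device_compliant": false, "mfa_method": "sms", "risk_level": "medium"}
{"user": "jane.doe@example-corp.com", "country": "US", "device_compliant": true, "mfa_method": "sms", "risk_level": "low"}
"""

if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(event.country, event.mfa_method, "->", evaluate(event))
```

The second line of the log is the one to notice: a genuine user on a managed device in the usual country still gets stepped up because push approval can be relayed, which is what "use phishing-resistant MFA" buys you over "has MFA".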

5. Reporting culture

Make it easy to report suspicious emails:
  • One-click reporting button
  • No blame for false positives
  • Fast response to validate/block

Signs of Quishing Attempts

Red flags:

  • Unexpected QR code in email
  • Urgency ("Act within 24 hours")
  • Generic greeting ("Dear User")
  • Sender doesn't match claimed organisation
  • Request for security action via QR code
  • External email claiming to be internal
Legitimate uses of QR codes:
  • Event tickets
  • Restaurant menus
  • Marketing materials
Rarely legitimate:
  • Security verification via email QR code
  • Password/MFA reset via QR code
  • Document signing via QR code

What We Implement

We protect against quishing through:

  • Advanced email security with QR code detection
  • Security awareness training covering current threats
  • Conditional Access limiting blast radius of stolen credentials
  • Mobile security for corporate devices
  • Incident response when attacks succeed
Quishing exploits a gap between email security and mobile device use. Defence requires addressing both.

---

about email security updates.

---