
QR Code Phishing Attacks

QR code phishing, also known as quishing, is a phishing attack where an attacker embeds a malicious QR code in an email or other communication to trick victims into visiting a fraudulent website, entering credentials, or downloading malware. The QR code typically redirects users to a page designed to steal login credentials, financial information, or install malicious software.

QR code phishing attacks have grown rapidly in frequency because traditional email security filters are poorly equipped to analyze QR code images. At first glance, a QR code appears to be a benign image, with no malicious URL or suspicious text visible to scanners. Research indicates that approximately 17% of all attacks that bypass built-in spam filters use QR codes.

How QR phishing works

The attacker creates a phishing email containing an embedded QR code image. The email may impersonate a trusted organization, request account verification, or claim the recipient must scan the code to complete an action.

The recipient scans the QR code with their mobile device's camera. The mobile device is less protected by enterprise security tools than a desktop email client.

The QR code redirects the victim to a malicious website—often a convincing replica of a legitimate login page—where credentials are harvested.
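The flow above leaves no link in the message text, so a defensive check has to look inside the image parts. The following Python is an added example, not code from this page or from any product it mentions: it walks a message's MIME parts, passes each image to a QR decoder, and records triage signals for every URL found. The `decode_qr` hook, the signal names, the stub decoder and the sample message (using the reserved `example.com` and `example.net` domains) are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Constructed stand-in for an image attachment; not a real PNG.
SAMPLE_IMAGE = b"constructed-placeholder-image-bytes"

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def triage(raw_bytes, decode_qr):
    """Return [(url, [signals])] for every URL found inside a QR image.

    decode_qr(image_bytes) -> list[str] is a hypothetical hook; plug in
    whatever QR decoder the mail pipeline actually uses.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower()
    text_urls, qr_urls = set(), []
    for part in msg.walk():
        kind = part.get_content_maintype()
        if kind == "text":
            text_urls.update(URL_RE.findall(part.get_content()))
        elif kind == "image":
            for payload in decode_qr(part.get_content()):
                qr_urls.extend(URL_RE.findall(payload))
    findings = []
    for url in qr_urls:
        host, signals = host_of(url), []
        if host != sender and not host.endswith("." + sender):
            signals.append("qr-host-differs-from-sender")
        if url not in text_urls:
            signals.append("url-only-in-image")  # invisible to text-only filters
        findings.append((url, signals))
    return findings

def build_sample():
    """Constructed message: no link in the body, one image attachment."""
    m = EmailMessage()
    m["From"] = "IT Support <support@example.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "Action required: verify your account"
    m.set_content("Scan the code below to verify your account.")
    m.add_attachment(SAMPLE_IMAGE, maintype="image", subtype="png", filename="code.png")
    return m.as_bytes()

def fake_decoder(image_bytes):
    """Stub for the demo: pretends the sample image encodes this URL."""
    return ["https://login.example.net/verify"] if image_bytes == SAMPLE_IMAGE else []
```

The signals are triage hints rather than verdicts, since legitimate mail also links to third-party hosts; they are meant to feed URL reputation checks or analyst review.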

Common QR phishing attack variants include:

Credential Harvesting: QR codes linking to fake Microsoft 365, Google, or banking login pages designed to steal usernames and passwords.

Malware Downloads: Malicious QR codes linking to infected websites that automatically download malware to compromise mobile devices or steal data.

Invoice Fraud: QR codes directing users to fake payment portals, tricking them into making payments to attacker-controlled accounts.

Email Impersonation: Attackers embed malicious QR codes in spoofed emails impersonating trusted contacts to manipulate recipients into harmful actions.

Pangratis detects QR code phishing attacks using image recognition technology that analyzes QR codes within emails to identify and block malicious content that traditional text-based filters miss.
