Quishing is on the Rise — Here’s What You Need to Know
Cybercriminals are creative and often look for the path of least resistance when targeting victims. As public awareness around spotting suspicious emails or shady links improves, attackers adapt. They find new ways to reach people when their guard is down. One tactic in particular has been showing up more and more: quishing.
If you haven’t come across the term before, you’re not alone. It’s a newer threat, and it’s growing fast. Quishing attacks use QR codes that direct victims to malicious phishing URLs, and at Netcraft we’re seeing a surge in QR code-based phishing tactics. Like many online scams that prey on human behavior, quishing is catching people off guard and successfully stealing private and personal information.
This isn’t something individuals alone need to worry about. Businesses are at risk, too. If attackers are impersonating your brand using QR codes to trick your customers, you need to know about it. Because when customers fall for these scams, it’s your company they’ll remember — not the attacker behind it. These attacks are often carried out in digital spaces, but we recently observed quishing attacks targeting travelers — offline — in public spaces across North America and Europe.
In this post, we’ll walk through what quishing is, how it works, why it’s becoming more common, and what businesses and individuals alike can do to stop it.
What Is Quishing?
Quishing, short for QR code phishing, is exactly what it sounds like: attackers use QR codes to lure people to fake, malicious websites. These codes can appear anywhere—emails, text messages, flyers, posters, social media. Scan one, and you might land on a convincing login page for your bank, your email account, or an online service you trust.
From there, it plays out like any other phishing scam. You're prompted to log in, confirm your details, maybe download something. In seconds, an attacker gains access to sensitive information.
For businesses, the added concern is that these QR codes are often designed to impersonate well-known brands and expected experiences. If one of those brands is yours, you may have no idea your customers are being targeted until the damage is done.
How Quishing Works and Why It’s Hard to Catch
We’re getting better at recognizing suspicious emails and questionable links. Though if we're being honest, these tactics still work. Despite growing awareness, link-based scams are still alarmingly effective. What gives quishing an added advantage is that it hasn’t really entered the public conversation yet. Most people aren’t thinking twice about scanning a QR code. There’s no instinct to “hover” and inspect where it leads. That lack of gut-check makes it easier for attackers to catch people off guard, especially when they’re using your brand as bait.
Here’s a common scenario: An attacker creates a QR code that points to a phishing site. They embed it into an email or document that looks legit. And they throw in a sense of urgency, like “Your account will be deactivated in 24 hours.” The message is opened, the code gets scanned, and the malicious spoofed website does the rest.
What makes this increasingly risky for businesses is that most email security systems don’t inspect the content of QR codes, especially when they’re included as images. This gives scammers a relatively easy way to bypass filters and reach people directly, including your customers and employees.
Quishing Is Catching On
There are a few reasons quishing has taken off.
First, QR codes are everywhere. During the pandemic, people grew accustomed to scanning them for everything from menus to contactless payments. That familiarity makes them feel harmless even when they’re not.
Second, mobile devices are a softer target. They don’t have the same level of protection or oversight as company laptops, and people tend to move quickly when they’re on their phones. And since QR codes by their nature force targets onto their mobile devices, it could be that threat actors are choosing them to increase their chances of success. This combination makes mobile users much more vulnerable.
And third, from an attacker’s point of view, quishing is easy to scale. A single phishing site linked to a QR code can be reused in dozens of fake emails, texts, or even physical mailers.
This growing trend means individuals and organizations need to stay alert and have protections in place. If attackers are spoofing your brand, it puts your customers and your reputation at risk.
Who’s Being Targeted?
It might be quicker to say who isn’t, because quishing is showing up in many different spaces. It has been used to target employees in finance, HR, and IT. But we’ve also seen consumers hit with fake shipping notices or account alerts. It’s appeared in banking and financial institutions, education, healthcare, retail, transit, and even government services.
If your company uses QR codes or if your customers interact with your brand online, there’s potential for abuse. All it takes is one convincing fake, and someone could be tricked into giving away credentials while thinking they’re dealing with your business.
For organizations, this isn’t just a security issue. It’s a brand trust issue. Customers expect you to keep them safe, and if they’re scammed in your name, they may not come back.
What Can You Do?
Individuals should exercise caution if a QR code arrives unexpectedly, especially if there’s pressure to act fast. Use your phone’s preview function to check where a code will take you before tapping. Keep your devices updated and always turn on multi-factor authentication to add a valuable layer of protection.
But businesses have a bigger role to play here. Educate your teams about quishing. Include it in your security awareness training. Make sure your email filters and anti-phishing tools leverage OCR (optical character recognition) and other means of analyzing QR codes, not just text-based URLs.
Most importantly, take steps to protect your customers. Monitor for impersonation. If someone is spoofing your brand in a quishing campaign, you need to know fast so you can warn customers and get the malicious content blocked and removed from the internet.
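The filter step recommended above, sketched as an added example (not Netcraft's code): walk a message's image parts, decode any QR payloads, and run the decoded destination through the same host check a text link would get. The official hosts and brand keyword (example.com, "example"), the simple substring heuristic, the choice of pyzbar and Pillow as decoder, and the sample message are all assumptions made for illustration.

```python
import io
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumption: the brand's real hosts; example.com is a placeholder.
OFFICIAL_HOSTS = {"example.com", "login.example.com"}

def decode_qr(image_bytes):
    """Return QR payload strings found in an image (pyzbar + Pillow, third-party)."""
    from PIL import Image                # imported lazily: only needed for real images
    from pyzbar.pyzbar import decode
    return [d.data.decode("utf-8", "replace")
            for d in decode(Image.open(io.BytesIO(image_bytes)))]

def classify(url, brand="example"):
    """Label a decoded QR destination relative to the brand's official hosts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "non-web-payload"
    if host in OFFICIAL_HOSTS:
        return "official"
    # Brand name on a host we do not own, or a punycode label: treat as lookalike.
    if brand in host or host.startswith("xn--") or ".xn--" in host:
        return "suspected-impersonation"
    return "unknown-destination"

def scan_message(raw_bytes, decoder=decode_qr):
    """Return (filename, decoded payload, verdict) for every QR code in image parts."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue  # text-only URL scanning stops here; QR codes live in image parts
        for payload in decoder(part.get_payload(decode=True)):
            findings.append((part.get_filename(), payload, classify(payload)))
    return findings

def build_sample():
    """Constructed message: urgency lure in the text, the link only in an image."""
    msg = EmailMessage()
    msg["Subject"] = "Your account will be deactivated in 24 hours"
    msg.set_content("Scan the code to keep your account active.")
    msg.add_attachment(b"CONSTRUCTED-IMAGE-BYTES", maintype="image",
                       subtype="png", filename="verify.png")
    return msg.as_bytes()
```

The sample attachment is not a real image, so pass a stand-in `decoder` when trying `scan_message(build_sample(), ...)` without pyzbar installed.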
How Netcraft Helps
Quishing might be a newer technique, but it’s built on a familiar tactic: deception. What’s different now is how easily attackers can scale it and how convincing it looks.
That’s why we focus on catching and stopping these threats before they reach your customers. Our platform constantly monitors for phishing activity across the web, including QR-based scams. We can identify fake login pages, lookalike domains, and malicious links embedded in images, then move quickly to take them down.
We also give brands visibility into where and how they’re being impersonated, so they’re not left in the dark. And because our takedowns are automated, we move fast, often before the scam gains traction.
Whether you’re looking to protect your employees, safeguard your customers, or defend your brand’s reputation, we’re here to help.
FAQ: Quick Answers to Common Questions
What makes quishing different from regular phishing, and why does it matter for businesses?
Quishing uses QR codes instead of regular links to send people to fake websites. That might not sound like a big difference, but it’s actually a problem because most email filters and security tools don’t scan QR codes the way they do regular URLs. So these scams can slip through and land in your customers' inboxes. If someone scans a code that pretends to be from your company, ends up on a fake site, and gets scammed, your brand is the one that takes the hit. It's not just about security. It's about trust.
Why are QR codes working so well for scammers?
QR codes are everywhere now. People use them to see menus, pay bills, check in at events, etc. We’re used to scanning them without thinking. Scammers take advantage of that. They count on the fact that most people won’t stop to ask, “Where is this code taking me?” And once someone scans it, especially on a phone, it’s harder to tell if the site they land on is real or fake.
Can normal email security stop quishing from reaching customers?
Most email security tools don’t look inside images, and QR codes are just that: images. Unless a business is using more advanced tools that can read QR codes and check where they point, there’s a good chance these scams will get through. That’s what makes quishing so risky. A lot of companies don’t even realize it’s happening until a customer reports something.
What should you do if customers scan a bad QR code that uses your brand?
The first thing is to act fast. Let customers know what happened and what to watch out for. Use your official channels—email, your website, social media—so they know it’s really you. Encourage them to change their passwords and keep an eye on their accounts. Behind the scenes, you should try to identify the source of the scam and get the fake site taken down as soon as possible. The quicker you respond, the more you can limit the damage and show customers that you’re on top of it.
How can Netcraft help with this kind of threat?
At Netcraft, we find and take down fake websites that impersonate your brand, including those linked in QR code scams. We continuously monitor for this kind of activity, so we’re able to move quickly on suspicious activity. We also give you visibility into how and where your brand is being used in these scams, so you’re not left in the dark. The goal is to help you protect your customers before they ever get tricked—and to keep your brand out of harm’s way.