Quishing: How QR-Code Phishing Works (and How to Spot It)

Published: 19 April 2026 | 8 min read | By ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha — Founder, ScanTotal

QR codes went from pandemic-era convenience to universal interface in about three years. You scan them for menus, parking payments, EV chargers, conference check-ins, Wi-Fi passwords, banking logins, and a dozen other things a day. You barely think about it. That's exactly why attackers love them.

Quishing — short for QR-code phishing — is phishing with a QR code as the delivery mechanism instead of a clickable link. It's one of the fastest-growing attack patterns in 2026, and the reason is structural: a QR code is opaque to humans and to most email filters, so it slips past defences that would catch an ordinary phishing link in seconds.

Here's how quishing works, where it's showing up in 2026, and the habits that keep you out of it.

Why quishing beats old-school phishing defences

A traditional phishing email arrives with a visible URL — either as an inline link or hidden behind a button. Every major email provider scans those URLs, compares them against reputation lists, inspects their structure, and flags or quarantines suspicious ones. The defences are mature and effective.

A QR code short-circuits all of that. The URL is encoded into pixels. Email scanners either skip the image entirely or need specialised OCR-plus-QR-decoding pipelines to read it. Most current enterprise filters don't do this by default. So an attacker sending a phishing email whose call-to-action is a QR image sails through filters that would block the same URL posted as text.

Once the image reaches your inbox, the attack relies on two things:

  • You'll scan the code on your phone, not your computer. Your phone has a smaller address bar and a harder-to-read URL preview, and you're probably doing it one-handed.
  • You trust QR codes more than you trust links. Years of using QR codes for menus and payments have trained you to treat them as neutral infrastructure, the way you treat a doorbell or a lift button.

That combination — bypassed filters plus trusted-but-opaque delivery — is why quishing works.

Figure: Three dominant quishing patterns in 2026. Three side-by-side scenarios showing how QR-code phishing reaches victims, each explaining the trick and the moment defences fail. Pattern 1, QR-in-email: a corporate "DocuSign required, please review and sign" email with an embedded QR code; the filter sees an image, not a URL, the victim opens it with a phone and lands on a fake login page. Pattern 2, sticker swap: a "Table 7, scan to see menu" sticker placed over the real restaurant QR; the victim hands card details to a fake pay-at-table form. Pattern 3, public surface: a "Parking Meter 04A, scan to pay by app" overlay on a public meter; parking meters, EV chargers, posters and ATM screens can all be re-stickered, and there is no website to inspect, just a sticker no one notices.
All three patterns exploit the same gap: a QR code is opaque to your eyes and (usually) to your email filter, but trusted enough that you scan it anyway.

The three dominant patterns in 2026

Pattern 1: QR-in-email (the corporate attack)

The "scan to review" email

Lure: "Your Microsoft 365 security settings need to be reviewed. Scan the code below from your phone to continue." Or: "Your HR document is ready. Scan the code to view."

Why it works: Corporate email filters don't OCR and decode the QR, so the malicious URL never gets checked. The user pulls out their personal phone — often not covered by the corporate security stack — and scans.

Where it lands: A lookalike Microsoft login, Okta login, or payroll portal. Credentials are captured and replayed.

This is the corporate attacker's pattern of choice and has been documented repeatedly by CISA and by enterprise incident-response firms. It often arrives from a spoofed internal address and references a real process (quarterly review, document approval, multi-factor reset) to increase believability.

Pattern 2: Sticker overlays on physical infrastructure

The parking meter, EV charger, or restaurant sticker

Lure: A real parking meter, electric vehicle charger, restaurant table, or parcel-locker has a QR code you're expected to scan to pay or view a menu. An attacker prints a lookalike sticker and places it directly over the legitimate one.

Why it works: The context — you're at the actual meter — overrides any scepticism you'd apply to an email QR.

Where it lands: A fake payment page that harvests card details and often charges a real card for a plausible amount so the victim doesn't immediately notice.

Parking-meter quishing has been reported across Australia, the UK, the US, and much of Europe. In Brisbane and the Gold Coast, local councils have had to publish warnings after multiple reports of stickered meters in 2024 and 2025, and similar reports have come from FBI field offices in Texas and Florida. Charging-station quishing targets EV drivers paying through apps — the fake page captures both card details and sometimes the driver's charging-app credentials.

Quick check at a meter or charger: Does the QR sticker look flat and uniform, or is it raised, slightly misaligned, or covering other printed text? Is the URL preview after decoding a domain you'd expect the operator to use, or something generic? If anything feels off, pay inside the app or at the terminal.

Pattern 3: Payment-redirect QRs

The "scan-to-pay" scam

Lure: An invoice, a charity appeal, or a messaging-app chat where someone sends a QR code "to make payment easier." In India, the UPI ecosystem has variants where a scammer sends a "collect request" QR disguised as a payment-received QR.

Why it works: Payment QRs are legitimate and common. Scanning one to pay a bill is normal behaviour.

Where it lands: The QR either encodes a payment from you (not to you), or routes through a fake payment page that captures details.

For more on the UPI variant specifically, see UPI Payment Scams in India. The general principle — read the payment preview carefully before authorising — applies to any payment-QR scenario globally.
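The payment preview is the whole defence in Pattern 3, so here is what reading it looks like in code. This is an added example, not code from the article or from any payment app: it assumes the QR decodes to a UPI deep link of the form upi://pay?pa=...&pn=...&am=...&cu=...&tn=... (parameter names as in the UPI URI format as I know it), and the payloads it handles are constructed. The one thing it always makes explicit is direction: a scan-to-pay QR makes the scanner the payer, never the payee.

```python
"""Show what a scan-to-pay QR actually asks for before you authorise.

Added example, not from the article or any payment app. Assumes UPI deep
links of the form upi://pay?pa=...&pn=...&am=...&cu=...&tn=... (parameter
names as in the UPI URI format as I know it); sample payloads are constructed.
"""
from urllib.parse import parse_qs, urlsplit


def preview_payment_qr(payload: str) -> dict:
    """Turn a decoded QR string into a plain-language payment preview."""
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        # Anything else is an ordinary link: triage it as a URL instead.
        return {"kind": "not-a-payment-qr", "direction": None,
                "warnings": ["not a upi://pay link; treat it as an ordinary URL"]}

    # parse_qs returns lists; payment links carry one value per key.
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    warnings = []

    payee = q.get("pa", "")
    if "@" not in payee:
        warnings.append("payee address is not a name@bank VPA")

    amount = q.get("am")
    if amount is None:
        warnings.append("no amount set: the app will prompt you to enter one, "
                        "so check the payee name twice")
    else:
        try:
            if float(amount) <= 0:
                warnings.append("amount is zero or negative")
        except ValueError:
            warnings.append(f"amount '{amount}' is not a number")

    return {
        "kind": "payment-request",
        # A scan-to-pay QR always makes the scanner the payer, never the payee.
        "direction": "money leaves YOUR account",
        "payee": payee,
        "payee_name": q.get("pn", "(not given)"),
        "amount": amount,
        "currency": q.get("cu", "INR"),
        "note": q.get("tn", ""),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample: a cafe table QR for 450 INR.
    sample = "upi://pay?pa=cafe7@okbank&pn=Cafe%20Seven&am=450.00&cu=INR&tn=Table%207"
    for key, value in preview_payment_qr(sample).items():
        print(f"{key:>11}: {value}")
```

If a QR you were told would confirm money arriving decodes to a payment request with your account as the source, the preview above says so in the first line, which is the cue the article asks you to read before authorising.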

What happens after you scan

Scanning a QR code doesn't do anything dangerous by itself. The QR is just a string, almost always a URL. The risk comes from what's at the other end, and the attacker's ideal outcome is one of:

  • Credential harvest. A lookalike login page collects your username and password, often also a one-time code if the attacker is prepared to intercept it live.
  • Malware download. On Android, a redirect to an .apk install. On iOS, a push for a configuration profile or TestFlight enrolment that routes traffic through attacker-controlled infrastructure.
  • Unauthorised payment. A payment page that captures card details, or a payment-request QR that sends money from you.
  • Identity data harvesting. A fake form that collects enough personal details (date of birth, passport number, address) to enable follow-on identity fraud.

The point of the QR is to get you to the page without the usual link-safety cues. Everything after that is standard phishing or malware distribution.

How to preview a QR safely

Use your phone's built-in preview

Both the iOS Camera app and Android's Google Lens or default camera app show the decoded URL before opening it. Read it. Look for:

  • Does the domain match what you'd expect from the operator? A Linkt parking meter shouldn't link to linkt-au-pay-secure.com.
  • Is it an IP address or a bit.ly-style shortener? Legitimate operators almost never use those in printed materials.
  • Is there a suspicious path like /verify, /pay-now, or /update on an unfamiliar domain?

If the URL looks suspicious, don't tap.

Scan the QR with a dedicated scanner first

Our QR Scanner lets you upload a photo of a QR code (or a screenshot someone sent you) and see exactly what it encodes. The scanner then pushes the decoded URL through our URL safety pipeline — reputation, heuristics, and live probe — and tells you whether the destination is safe before you visit it.

This is the single most effective habit against quishing: never scan with the intent-to-follow camera when you're unsure. Scan with the decode-and-preview scanner first.
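The three preview checks above (domain match, IP or shortener host, suspicious path) and the heuristics stage of a decode-first scanner are simple enough to write down. The following is an added example in Python, not ScanTotal's scanner code. It assumes the QR has already been decoded to a string by the camera or a scanner, that the expected operator domain comes from what is printed on the meter, sign or invoice (never from the QR itself), and that the shortener list, the small public-suffix list and the reputation blocklist are constructed stand-ins for real feeds.

```python
"""Triage a decoded QR payload with the preview checks from the article.

Added example, not ScanTotal's scanner. Assumes the QR has already been
decoded to a string; the shortener list, suffix list and reputation
blocklist are constructed stand-ins for real feeds.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data; a real pipeline would pull these from live feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
REPUTATION_BLOCKLIST = {"linkt-au-pay-secure.com"}
SUSPICIOUS_PATH_WORDS = ("verify", "pay-now", "update", "login")
# Small stand-in for the public suffix list (two-label suffixes only).
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "org.uk", "co.in"}


def registrable_domain(host: str) -> str:
    """'www.linkt.com.au' -> 'linkt.com.au'; 'a.b.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_ip_literal(host: str) -> bool:
    """True for raw IPv4/IPv6 hosts such as 203.0.113.5 or 2001:db8::1."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_url(payload: str, expected_domain: str) -> dict:
    """Return findings for a decoded http(s) QR payload.

    expected_domain is the operator's domain as printed on the meter, sign or
    invoice, never taken from the QR itself.
    """
    findings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    expected = registrable_domain(expected_domain)
    brand = expected.split(".")[0]
    mismatch = True  # until we see a host that matches the operator

    if parts.scheme == "http":
        findings.append("plain http, no TLS")
    elif parts.scheme != "https":
        findings.append(f"non-web scheme '{parts.scheme}'")

    if not host:
        findings.append("no host in payload")
    else:
        actual = registrable_domain(host)
        mismatch = actual != expected
        if is_ip_literal(host):
            findings.append("host is a raw IP address")
        if actual in SHORTENERS:
            findings.append("link shortener hides the real destination")
        if actual in REPUTATION_BLOCKLIST:
            findings.append("domain is on the reputation blocklist")
        if mismatch:
            # Lookalikes usually carry the brand name somewhere in the host.
            if brand in host:
                findings.append(f"lookalike: host contains '{brand}' but is not {expected}")
            else:
                findings.append(f"host {host} does not match expected {expected}")

    # /verify or /pay-now on the operator's own domain is normal; on an
    # unfamiliar domain it is the classic phishing path.
    hits = [w for w in SUSPICIOUS_PATH_WORDS if w in parts.path.lower()]
    if hits and mismatch:
        findings.append(f"suspicious path word(s) {hits} on an unfamiliar domain")

    return {"payload": payload, "host": host, "findings": findings,
            "verdict": "do not open" if findings else "consistent with operator"}


if __name__ == "__main__":
    # Constructed payloads: the article's Linkt example, genuine and fake.
    for url in ("https://www.linkt.com.au/pay",
                "https://linkt-au-pay-secure.com/verify",
                "http://203.0.113.5/update",
                "https://bit.ly/3xyz"):
        r = triage_url(url, "linkt.com.au")
        print(r["verdict"], url, r["findings"])
```

The heuristics deliberately run before any network access: the live-probe stage of a real scanner fetches the destination, and that is exactly the step you want skipped when the heuristics already say "do not open".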

If you've already scanned

Most phones will show you the URL preview with an "Open in browser?" prompt. Close the prompt and then paste the URL into a scanner from your clipboard. If you've already tapped through, see What to Do If You Clicked a Suspicious Link for the response checklist.

For organisations: four quick controls

If you run IT or security for an organisation where users are getting quishing emails, four controls cover most of the attack surface:

  1. Enable QR extraction in your email security. Major providers (Microsoft 365, Proofpoint, Mimecast) now offer QR-aware scanning. Turn it on.
  2. Warn users about scan-from-phone prompts. Any email asking the user to scan a QR to complete a corporate action should be treated as suspicious by policy.
  3. Run a test campaign. A QR-phishing simulation shows which users click through and informs training.
  4. Harden mobile device access. If personal phones can reach corporate SSO, quishing becomes a one-step attack. Conditional access and device compliance narrow that path.
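Control 1 exists because, as the section on old-school defences explains, the filter sees an image where it expects a URL. Even without a QR decoder, the shape of that email is detectable and can be routed to QR-aware scanning rather than waved through. The following is an added example, not from the article or from any of the vendors named: it assumes raw RFC 5322 messages, does not decode the QR itself (that needs a decoder such as zbar), and the two sample messages are constructed, with placeholder bytes standing in for the image.

```python
"""Pre-filter that routes likely QR-lure emails to QR-aware scanning.

Added example, not from the article or any vendor product. It does not decode
the QR (that needs a decoder such as zbar); it flags the shape of a pattern-1
email: an inline image, 'scan with your phone' wording, and no text link for
the filter to inspect. The sample messages are constructed and the image bytes
are placeholders, not real QR codes.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SCAN_PHRASES = re.compile(r"\b(scan|qr code|phone camera)\b", re.I)
TEXT_LINK = re.compile(r"https?://", re.I)


def build_sample_lure() -> bytes:
    """Construct a pattern-1 style lure: image call-to-action, no text link."""
    msg = EmailMessage()
    msg["From"] = "IT Security <it-security@example.com>"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Action required: review your security settings"
    msg.set_content("Your security settings need to be reviewed.\n"
                    "Scan the code below from your phone to continue.\n")
    msg.add_attachment(b"\x89PNG placeholder, not a real QR", maintype="image",
                       subtype="png", filename="qr.png", disposition="inline")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Construct an ordinary message with a logo image and a real text link."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.com>"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Minutes from Tuesday"
    msg.set_content("Minutes are on the intranet: https://intranet.example.com/minutes\n")
    msg.add_attachment(b"\x89PNG placeholder logo", maintype="image",
                       subtype="png", filename="logo.png", disposition="inline")
    return msg.as_bytes()


def assess_qr_lure(raw: bytes) -> dict:
    """Score a raw message and decide whether it needs QR decoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_parts, images = [], []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text_parts.append(part.get_content())
        elif part.get_content_maintype() == "image":
            images.append(part.get_filename() or part.get_content_type())
    body = "\n".join(text_parts)

    signals = []
    if images:
        signals.append(f"image part(s): {images}")
    if SCAN_PHRASES.search(body):
        signals.append("body tells the reader to scan something")
    if images and not TEXT_LINK.search(body):
        signals.append("no text link: the image carries the call to action")

    # All three together is the QR-in-email shape; send it for decoding and
    # URL checks instead of letting the image pass as harmless.
    route = "decode-qr-and-check-url" if len(signals) == 3 else "normal"
    return {"subject": str(msg["Subject"]), "signals": signals, "route": route}


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        r = assess_qr_lure(raw)
        print(r["route"], "|", r["subject"], "|", r["signals"])
```

The routing decision, not the score, is the useful output: messages tagged decode-qr-and-check-url go to the QR extraction the first control turns on, and the decoded URL then gets the same reputation and heuristic checks an ordinary text link would.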

The one habit that matters most

Preview every QR code before you visit. That's it. Your phone's camera shows you the URL. Read it, don't just tap it. If the URL looks even slightly off, upload the image to a QR scanner that checks the destination. It takes ten seconds and neutralises almost every quishing variant.

The QR code ecosystem isn't going to shrink — codes are genuinely useful, and they aren't going away. The defence isn't to stop scanning; it's to stop scanning blindly.
