What is QR phishing (quishing)?

QR phishing, also known as QR-code phishing or “quishing,” is an evolution of phishing in which cybercriminals embed malicious QR codes in emails or attachments. When the QR code is scanned, the victim is redirected to a fake website that looks legitimate; when the user logs in, their credentials are stolen, which can cascade into further compromises of sensitive data and, eventually, theft.

Quishing attacks are effective because QR codes bypass traditional email security measures and exploit users’ trust. Because it’s a newer type of attack, users are generally less aware of QR code threats than suspicious links, making them more likely to scan without considering any potential security issues.

In a report released by Barracuda, researchers analyzed nearly 670 million emails and discovered some disturbing trends: 83% of malicious Microsoft 365 documents and 68% of malicious PDFs now contain QR codes that lead to phishing websites. Quishing has become a major method that attackers use to package their threats.

How quishing works

Quishing attacks are surprisingly straightforward, but effective. Cybercriminals impersonate well-known companies like Microsoft and Adobe, using their brand recognition to gain a recipient’s trust. But it doesn’t stop there — even internal company departments like HR or payroll are targeted. The tone of these emails is usually urgent; a password needs to be reset, the HR department needs you to update your information — anything that will prompt you to act quickly without thinking it through. 

The malicious QR code is either embedded directly in the email body or, increasingly, in an attached PDF document. The use of PDF files is strategic: PDFs are a trusted file format in business settings, so users are less wary about opening the attachment.

QR codes scanned by mobile users are less likely to run into corporate firewalls, because the device is often off-site when the code is scanned. An attack has a much better chance of success when the malicious site is visited from a personal device, or from outside the corporate network, where no security controls block access.

Once credentials are entered and the user attempts to log in, their sign-in details are immediately captured by threat actors. These stolen credentials are then used in subsequent attacks where the user has reused the same email address and password on different sites, allowing the attacker to take over accounts, compromise business emails, or begin moving laterally through the organization’s systems.

Quishing is not slowing down and is becoming one of the fastest-growing phishing campaign techniques used by cybercriminals today.

Risks and impact of quishing

Credential theft and account takeovers (ATOs) are the initial objectives of a quishing attack. With a compromised employee account, attackers gain entry into the organization and use that as a staging area for more serious attacks. 

ATOs have become a surprisingly common incident type. A Barracuda study shows that 22% of companies experienced an account takeover incident in the previous 12 months. When an attacker has access to an account, they have the opportunity to start studying emails, identifying desirable targets such as stakeholders and senior personnel. From there, they can start launching convincing spear-phishing attacks against other employees once suitable targets have been discovered. Attacks like this are effective because the emails seem to be coming from an employee within the company, taking advantage of employee trust, which leads to more stolen credentials.

Business sectors like finance, healthcare and education are at higher risk because of the sensitive data that they work with. If private medical records are stolen, there could be lengthy investigations, fines and even regulatory sanctions. Financial institutions run the risk of having unauthorized wire transfers being initiated via compromised accounts, leading to financial losses and reputational damage.

When a quishing attack is successful, IT and security teams have to test systems and audit data to check for unauthorized access. The investigation into the breach to find any additional compromised accounts is no small task and can lead to wasted productivity and lost hours of work as resources are diverted to the cleanup.

Why quishing is on the rise

There are several factors that have made the scourge of quishing more prevalent than ever, with the most obvious being the acceptance and adoption of QR codes. QR codes are seemingly used everywhere, from advertising to informational posters, making it almost second nature for people to scan them. Attackers have noticed this behavior shift and have been quick to exploit it.

Quishing’s success relies on its ability to evade detection. Most secure email gateways (SEGs) are configured to only analyze text, links and attachments. QR codes are images without these attributes, which creates a blind spot. This allows QR codes to slip through email filters undetected, arriving in unsuspecting users’ inboxes.

Some security vendors have started to catch up and implement QR code scanning capabilities, which has forced threat actors to adapt their approach. Attackers now use techniques like split QR codes, where the code is broken into fragments embedded across multiple images. This helps them avoid detection by security tools, but the fragments still form a scannable code on screen, so unsuspecting victims who scan it are directed to a malicious site.

Nested QR codes use a different technique. By layering multiple QR codes into a single image, cybercriminals are able to fool some email scanners by having a legitimate URL in the center of the QR code, with the malicious code wrapped around the border of the image. When a user scans the QR code with their phone, the malicious URL is activated — navigating the user to a phishing website.   
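As an added illustration (not code from this article or from Barracuda's products), here is the kind of post-decoding check a gateway could apply once it renders attachments and decodes QR images with a library such as pyzbar (assumed; the decoding step itself is outside this snippet). It scores every payload decoded from a message, so a nested image that yields a legitimate link plus a lookalike is still quarantined; the brand allowlist and the sample payloads are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed allowlist: brands the page names as commonly impersonated -> legitimate domains.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "adobe": {"adobe.com"},
}

def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified; no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_payload(payload: str) -> list[str]:
    """Reasons a decoded QR payload looks like a phishing link (empty list = clean)."""
    url = urlparse(payload.strip())
    if url.scheme not in ("http", "https"):
        return []  # Wi-Fi, vCard or plain-text payloads cannot be a fake login page
    host = (url.hostname or "").lower()
    if not host:
        return ["URL without a host"]
    reasons = ["plaintext http link"] if url.scheme == "http" else []
    try:
        ipaddress.ip_address(host)
        return reasons + ["raw IP address as host"]  # brand checks are moot for IPs
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host")
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            reasons.append(f"{brand} lookalike hosted on {reg}")
    return reasons

def assess_message(decoded_payloads: list[str]) -> dict:
    """Verdict for all payloads decoded from one message: nested or split QR images can
    yield several payloads, and a single bad one is enough to quarantine the message."""
    findings = {p: assess_payload(p) for p in decoded_payloads}
    return {"quarantine": any(findings.values()), "findings": findings}

# Constructed sample: what a decoder might return for a nested QR image whose centre
# is a legitimate Microsoft link and whose border carries the actual phishing target.
NESTED_SAMPLE = [
    "https://login.microsoftonline.com/",
    "https://microsoft-365-verify.example.net/login",
]
```

`assess_message(NESTED_SAMPLE)` quarantines the message because the border payload is a Microsoft lookalike on a different registrable domain, even though the centre payload is clean.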

Quishing is far more likely to succeed in organizations that spend little time educating users about the dangers of scanning unverified QR codes. Security training and policies need to be updated if quishing’s growth is to be stopped. Untrained users are the weakest link in the chain, so security policies need to take a proactive approach to training them.

Examples of quishing attacks

Real-world quishing campaigns show just how effective they are by exploiting trust and pressuring users with urgency. Below are some examples of quishing attacks that were highlighted in the Barracuda 2025 Email Threats Report.

Microsoft impersonation

It’s no surprise that Microsoft’s branding is often used as part of quishing attacks, with Microsoft 365 services being the main spoofed identity at around 51% of all attacks analyzed by Barracuda. These emails often urge users to verify their accounts or reset their passwords by scanning a QR code that is embedded in a PDF document. The QR code leads to a fake website; once the user logs in there, their credentials are captured and used for ATO attacks.

Bitcoin sextortion scams 

These types of scams showed up in around 12% of malicious PDFs in Barracuda’s research. A sextortion scam is a threatening email that is sent by attackers claiming to have highly personal, compromising information about a user, threatening to release it unless payment is made, usually in Bitcoin. The QR code is sent as an attachment for the user to scan in order to pay this ransom.

HR payroll impersonation

Cybercriminals impersonate the HR or payroll department and send emails that urge employees to update their personal details, such as payroll banking details or other financially relevant information. The QR code leads the user to a fake website that mimics an internal portal. If the QR code is accessed via a mobile device when the user is not connected to the corporate network, then the chances of success are much higher, as there are no security scans to interrupt the connection. When the user attempts to log in with their credentials, the attackers store the username and password to gain access to the organization’s network. From there, further attacks can be mounted, allowing the cybercriminals to embed themselves into the network.

Advanced evasion techniques 

Phishing as a Service (PhaaS) platforms like the Gabagool PhaaS kit use split QR codes to defeat email scanners, making the quishing QR codes difficult to intercept. The Tycoon 2FA platform uses nested QR codes — legitimate QR codes with malicious content embedded either around or within them. This technique also confuses mail scanners and sometimes allows these malicious payloads to make it into a user’s inbox. 

How to prevent quishing attacks

Countering quishing attacks requires a multi-front defense. User awareness training, advanced system security and better policies all need to work in tandem to stop this rising threat. 

  • Advanced email security tools: Use modern email security platforms that employ AI to scan and render QR codes, analyzing their payloads in secure environments to detect malicious links before they reach users.
  • User education and security awareness training: Users must be trained to identify quishing red flags and have clearly defined reporting channels for suspicious emails that contain QR codes.
  • Email authentication protocols: Enhance email spoofing defenses with DKIM, SPF and DMARC to verify sender identities and block suspicious domain usage. 
  • Multifactor authentication (MFA): Harden defenses with MFA to prevent account takeovers. Even with stolen credentials, attackers need access to a second authentication factor to proceed with login authorization.
  • Verification processes: Employees should be required to verify suspicious requests via an alternate channel before scanning QR codes, especially if it involves financial information or sensitive company data.
  • Continuous monitoring and incident response: Deploy incident response teams and systems to help detect indicators of compromise (IOCs), with protocols in place to automatically lock accounts, issue password reset requests and terminate sessions for suspicious logins.
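As an added example (not Barracuda's detection logic), one way to implement the monitoring bullet: correlate delivery of QR-bearing emails with later successful sign-ins from unmanaged or off-network devices, the path the article describes above, and emit the containment actions from the list. The corporate network range, the event schema and the sample events are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed corporate egress range (TEST-NET-3) and correlation window.
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
WINDOW = timedelta(hours=2)
# Automated containment steps named in the prevention list.
CONTAINMENT = ["terminate sessions", "force password reset", "lock account"]

def off_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_NETWORKS)

def correlate(qr_emails: list[dict], signins: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Flag successful sign-ins from an unmanaged or off-network device that follow
    delivery of a QR-bearing email to the same user within `window`."""
    deliveries = {}
    for e in qr_emails:
        deliveries.setdefault(e["user"], []).append(e)
    alerts = []
    for s in signins:
        if s["result"] != "success":
            continue
        if not (off_network(s["ip"]) or not s["managed"]):
            continue  # managed device on the corporate network: normal sign-in
        for e in deliveries.get(s["user"], []):
            delta = datetime.fromisoformat(s["ts"]) - datetime.fromisoformat(e["ts"])
            if timedelta(0) <= delta <= window:
                alerts.append({"user": s["user"], "msg_id": e["msg_id"], "ip": s["ip"],
                               "minutes_after_email": int(delta.total_seconds() // 60),
                               "actions": CONTAINMENT})
                break
    return alerts

# Constructed sample events (not real logs): alice and bob each received a flagged email.
QR_EMAILS = [
    {"ts": "2025-03-04T09:00:00", "user": "alice", "msg_id": "<m1@example.test>"},
    {"ts": "2025-03-04T09:05:00", "user": "bob", "msg_id": "<m2@example.test>"},
]
SIGNINS = [
    {"ts": "2025-03-04T09:25:00", "user": "alice", "ip": "198.51.100.7", "managed": False, "result": "success"},
    {"ts": "2025-03-04T09:30:00", "user": "bob", "ip": "203.0.113.20", "managed": True, "result": "success"},
    {"ts": "2025-03-04T09:40:00", "user": "carol", "ip": "198.51.100.9", "managed": False, "result": "success"},
    {"ts": "2025-03-04T13:00:00", "user": "alice", "ip": "198.51.100.7", "managed": False, "result": "failure"},
]
```

Only alice's sign-in is alerted: bob signed in from a managed device on the corporate range, carol received no QR email, and alice's later attempt failed.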

Stay protected with Barracuda Email Protection

Quishing is a serious problem that is gaining traction — but it is just one of many evolving threats that are currently plaguing email security. As criminals keep developing new techniques that bypass traditional defenses, organizations need to use actively developed security solutions that can keep up.

Barracuda's email protection uses AI-powered threat detection and real-time monitoring to protect against quishing and other sophisticated attacks. It uses multimodal AI that analyzes email content, attachments and embedded objects (including QR codes) to identify threats that legacy filters miss.

Download the 2025 Email Threats Report for more detailed insights into the current threat landscape, or start a free trial to see how Barracuda Email Protection can defend your organization against quishing attacks.
