QR codes used for phishing—often called “quishing”—are on the rise and now pose a significant threat to both individuals and organizations. Experts at Barracuda Networks warn that this type of attack is becoming increasingly sophisticated, complex, and difficult to detect.
These attacks trick recipients into visiting malicious websites or downloading harmful software.
What makes quishing especially dangerous is that it often slips past traditional email filtering methods. A fake QR code is rarely the only sign of a malicious email, but with the help of AI and image-recognition technologies, such threats can be revealed. AI-based detection also considers other indicators such as sender reputation, message content, image size, and placement.
Users should exercise caution when scanning QR codes received via email or other channels. If scanning is necessary, download a reputable QR scanner from a trusted app store. If QR-code attacks are not already part of your organization’s cybersecurity training, address the gap as soon as possible. While QR codes have made everyday tasks more convenient, they have also created new avenues for cybercriminals, says Olesia Klevchuk, an email security specialist at Barracuda Networks.
Examples of quishing
One common quishing tactic embeds a QR code within an email and urges the recipient to scan it, sending them to a fraudulent site designed to look legitimate. Victims are often prompted to enter login credentials, which are then captured by attackers. Fake QR codes can also direct users to surveys or forms requesting personal details such as name, address, or national identification numbers. Scammers may entice victims with promises of rewards, prizes, or requests for a small payment in exchange for providing information.
Similarly, QR codes can link to sites that automatically trigger downloads of malicious software onto the victim’s device when scanned. That malware can range from spyware to ransomware, enabling attackers to steal data or seize control of an infected device.
QR codes may also be used to open payment pages, follow social media accounts, or send emails from the victim’s own accounts. This capability allows attackers to impersonate their victims and target others in the victims’ contact lists.