QR code phishing, known as quishing, is a social engineering attack that embeds malicious URLs inside QR codes delivered through email, printed materials, or even physical stickers placed in offices and public spaces. It works because most email security tools scan text and links but cannot read the URLs encoded in QR code images. The attack redirects victims to credential harvesting sites, malware downloads, or fraudulent payment pages, and it is hitting businesses across New Jersey and the tri-state area hard.

Why Quishing Is Growing So Fast

Traditional phishing relies on clickable links that email gateways can inspect, sandbox, and block. QR codes sidestep that entire detection chain. The malicious URL is encoded as an image, and most secure email gateways treat images as harmless content. When an employee scans the code with their personal phone, they leave the protection of your corporate network entirely. There is no DNS filtering, no endpoint detection, and no web proxy between them and the attacker's page.

The shift to QR codes in legitimate business workflows has made this worse. Restaurants use them for menus, HR departments use them for benefits enrollment, IT teams use them for MFA setup, and parking garages use them for payment. Employees are trained to scan QR codes without thinking twice.

Attackers exploit that trust. Common quishing scenarios include fake Microsoft 365 MFA reset emails with a QR code, fraudulent DocuSign notifications, parking lot payment stickers overlaid with malicious codes, and fake IT department communications asking staff to re-authenticate by scanning a code.

How a Quishing Attack Typically Works

The anatomy of a quishing attack follows a predictable pattern. The attacker sends an email that appears to come from a trusted source: Microsoft, your IT department, a vendor, or even a coworker. The email contains a QR code with a prompt like "Scan to verify your account" or "Scan to view the shared document."

When the employee scans the code with their phone, they are taken to a convincing replica of a login page. The page collects their username and password, and sometimes their MFA token in real time. With those credentials, the attacker logs into the real account, often within seconds.

Because the scan happens on a personal device, your security stack never sees the malicious URL. There is no log entry, no alert, and no opportunity for your endpoint protection to intervene.

Key stat: QR code phishing attacks increased over 400% between 2024 and 2025 according to multiple threat intelligence reports. The attacks specifically target Microsoft 365 credentials, which give attackers access to email, SharePoint, OneDrive, and Teams in a single breach.

How to Protect Your Business from Quishing

Deploy email security that scans QR codes. Modern email security platforms such as Microsoft Defender for Office 365, Proofpoint, and Abnormal Security now include QR code scanning. These tools decode the URL embedded in a QR code image and evaluate it against threat intelligence feeds before the email reaches the inbox. If your current email security does not scan QR codes, it has a significant blind spot.

Train employees to treat QR codes like links. Your security awareness training should explicitly cover quishing. The core message is simple: never scan a QR code from an email or an unexpected source without verifying it first. If an email asks you to scan a QR code to log in, go directly to the application instead. Type the URL manually or use a bookmark.

Require managed devices for corporate authentication. If employees can only authenticate through company-managed devices with endpoint protection, conditional access policies, and DNS filtering, scanning a malicious QR code on a personal phone will not compromise the corporate account. Conditional access in Microsoft Entra ID can enforce this.

Implement phishing-resistant MFA. FIDO2 security keys and passkeys are immune to credential harvesting because the authenticator cryptographically binds each credential to the legitimate site's domain and will not respond to a lookalike login page. Even if an employee enters their username and password on a fake page, the attacker cannot complete a FIDO2 authentication. This is the single most effective defense against all credential phishing, including quishing.

Inspect physical QR codes in your office. Attackers have been known to place fraudulent QR code stickers over legitimate ones in office lobbies, parking lots, and break rooms. Audit any QR codes posted in your physical workspace. If you use QR codes for internal processes, print them on tamper-evident materials and verify them periodically.

What to Do If an Employee Falls for a Quishing Attack

Act fast. The attacker will use stolen credentials immediately. Your incident response plan should include these steps: reset the compromised account password, revoke all active sessions, review sign-in logs for unauthorized access from unusual locations, check email rules for auto-forwarding to external addresses, scan the mailbox for sent messages the attacker may have used to propagate the attack internally, and notify affected parties if data was accessed.
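To make the sign-in-log review and inbox-rule check from the steps above concrete, here is an added example (not code from the article, Microsoft, or any vendor) that runs those two checks over constructed sample records. The field names, the baseline country, the one-hour travel window and the tenant domain are all assumptions for this example.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"        # assumed tenant domain
EXPECTED_COUNTRIES = {"US"}            # assumed sign-in baseline for this user
TRAVEL_WINDOW = timedelta(hours=1)     # two countries inside this window is impossible travel

# Constructed sample records, loosely modelled on Entra ID sign-in logs and
# Exchange Online inbox rules; the field names are assumptions for this example.
SIGN_INS = [
    {"time": "2025-03-04T13:02:11Z", "country": "US", "ip": "198.51.100.7", "status": "Success"},
    {"time": "2025-03-04T13:04:10Z", "country": "NG", "ip": "203.0.113.9", "status": "Failure"},
    {"time": "2025-03-04T13:05:40Z", "country": "NG", "ip": "203.0.113.9", "status": "Success"},
    {"time": "2025-03-04T15:30:00Z", "country": "US", "ip": "198.51.100.7", "status": "Success"},
]
INBOX_RULES = [
    {"name": "Move newsletters", "forward_to": [], "delete": False},
    {"name": ".", "forward_to": ["dropbox.mail@external.example"], "delete": True},
    {"name": "Cover for assistant", "forward_to": ["assistant@example.com"], "delete": False},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def review_sign_ins(events, expected=EXPECTED_COUNTRIES, window=TRAVEL_WINDOW):
    """Flag successful sign-ins from outside the baseline, and consecutive successes
    from different countries closer together than a person could travel."""
    findings = []
    ok = sorted((e for e in events if e["status"] == "Success"), key=lambda e: e["time"])
    for e in ok:
        if e["country"] not in expected:
            findings.append(f"sign-in from unexpected country {e['country']} via {e['ip']} at {e['time']}")
    for a, b in zip(ok, ok[1:]):
        if a["country"] != b["country"] and parse_time(b["time"]) - parse_time(a["time"]) < window:
            findings.append(f"impossible travel {a['country']}->{b['country']} between {a['time']} and {b['time']}")
    return findings


def review_inbox_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Flag rules that forward outside the tenant and throw-away-named rules that
    delete mail; attackers create both to hide their activity in a hijacked mailbox."""
    findings = []
    for r in rules:
        external = [a for a in r["forward_to"] if not a.lower().endswith("@" + internal_domain)]
        if external:
            findings.append(f"rule '{r['name']}' forwards to external address {', '.join(external)}")
        if r["delete"] and len(r["name"].strip()) <= 1:
            findings.append(f"rule '{r['name']}' has a throw-away name and deletes messages")
    return findings


if __name__ == "__main__":
    for line in review_sign_ins(SIGN_INS) + review_inbox_rules(INBOX_RULES):
        print("FINDING:", line)
```

Failed sign-ins are deliberately ignored so that a password-spray against the account does not drown out the successful foreign login that actually matters.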

If you work with a managed IT provider, they should be able to execute this response within minutes using automated playbooks and 24/7 monitoring. Speed is everything because attackers frequently use compromised accounts to launch secondary BEC attacks against your vendors and customers.

How This Fits Into Your Broader Security Posture

Quishing is not an isolated threat. It is part of a broader trend where attackers find gaps in automated defenses and exploit human behavior. The same principles that protect against quishing protect against every form of credential theft: phishing-resistant MFA, conditional access, employee training, and layered email security.

If your organization has not reviewed its email security configuration recently, or if your security awareness training does not specifically cover QR code threats, you have a gap that attackers are actively exploiting. Businesses in northern New Jersey are not immune. We have seen quishing attempts targeting law firms, medical practices, and manufacturing companies across Morris, Passaic, and Essex counties this year.

How can I tell if a QR code is malicious?

Before scanning any QR code, use your phone's camera to preview the URL without opening it. Most modern phones display the destination URL before navigating. Look for misspelled domains, unusual top-level domains (.xyz, .top, .buzz), and URLs that do not match the organization the email claims to be from. When in doubt, do not scan it. Navigate to the service directly.
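As an added example (not the article's code and not any product's implementation), here is the kind of heuristic check that an email gateway, after decoding a QR image, or a cautious user previewing a URL could apply to the decoded link. It covers the signals discussed above and in the email security section: domain mismatch with the claimed sender, lookalike spelling, unusual top-level domains, and a brand name buried in a subdomain or path. The suspicious-TLD set and the lookalike substitutions are assumptions chosen for this example.

```python
from urllib.parse import urlparse

# Heuristic inputs are constructed for this example; a production gateway would
# also query threat-intelligence feeds and use the public-suffix list.
SUSPICIOUS_TLDS = {"xyz", "top", "buzz"}
DIGIT_SWAPS = str.maketrans("0134", "olea")  # 0->o, 1->l, 3->e, 4->a


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'login.evil.xyz' -> 'evil.xyz' (crude but fine here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise_lookalike(domain: str) -> str:
    """Undo common typo-squat tricks: digit-for-letter swaps and 'rn' for 'm'."""
    return domain.translate(DIGIT_SWAPS).replace("rn", "m")


def assess_qr_url(url: str, claimed_domain: str) -> list:
    """Return the reasons a URL decoded from a QR code looks suspicious, given the
    registrable domain the message claims to come from (e.g. 'microsoft.com').
    An empty list means no heuristic fired; it is not proof the link is safe."""
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if not host:
        return ["no host in URL"]
    if parsed.scheme != "https":
        findings.append("not served over HTTPS")
    if host.replace(".", "").isdigit():
        findings.append("bare IP address instead of a hostname")
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"unusual top-level domain .{tld}")
    if domain != claimed_domain:
        findings.append(f"domain {domain} does not match claimed {claimed_domain}")
        if normalise_lookalike(domain) == claimed_domain:
            findings.append(f"{domain} is a lookalike of {claimed_domain}")
        brand = claimed_domain.split(".")[0]
        if brand in host or brand in parsed.path.lower():
            findings.append(f"brand name '{brand}' used outside its real domain")
    return findings


if __name__ == "__main__":
    # Constructed sample links: one legitimate, two modelled on common lures.
    for url, claimed in (("https://login.microsoftonline.com/common/oauth2", "microsoftonline.com"),
                         ("https://login.microsoft.com.secure-verify.xyz/mfa", "microsoft.com"),
                         ("http://micros0ft.com/login", "microsoft.com")):
        print(url, "->", assess_qr_url(url, claimed) or "no findings")
```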

Does Microsoft 365 protect against QR code phishing?

Microsoft Defender for Office 365 added QR code scanning to its email protection in late 2024. If you have Defender Plan 2, make sure the feature is enabled. Organizations using basic Exchange Online Protection without Defender do not have this capability and should consider upgrading or adding a third-party email security layer.

Should we stop using QR codes internally?

No, but use them deliberately. Print QR codes on branded, tamper-evident materials. Host destination URLs on your own domain. Educate staff that legitimate internal QR codes will always point to your company's domain. And never distribute QR codes via email when a direct hyperlink would work just as well.