All posts

QR code phishing up 25%: how quishing attacks bypass MFA

Huma ShaziaJuly 14, 2026 at 12:17 AM6 min read
QR code phishing up 25%: how quishing attacks bypass MFA

Key Takeaways

QR code phishing up 25%: how quishing attacks bypass MFA
Source: Latest news
  • QR code phishing attacks increased 25% year-over-year, now hiding in email attachments like malicious PDFs
  • Quishing bypasses corporate security by shifting the attack from protected email to unprotected personal devices
  • Microsoft reports QR-based campaigns grew from 10% to 30% of total phishing attacks in recent months

That QR code in your inbox might be a trap. QR code phishing, called quishing, is surging as attackers embed malicious links in codes that bypass email security filters and multi-factor authentication protections. According to Hoxhunt's 2026 Phishing Trends Report, these attacks jumped 25% year-over-year, with a new twist: scammers are hiding the codes inside PDF attachments instead of the email body.

Image (Source: Latest news)
Image (Source: Latest news)

Google's Trust & Safety team issued a warning in June that traditional email phishing is being replaced by adversary-in-the-middle (AITM) attacks paired with quishing. The combination is effective. Microsoft's Defender team says QR-based campaigns now represent 30% of total phishing attempts, up from 10% just months ago.

Advertisement

How quishing attacks steal your credentials

The attack chain is simple but effective. You receive an email with a QR code, often disguised as a message from your bank, employer, or a service like Microsoft 365. Curiosity or urgency pushes you to scan it with your phone. The code redirects you to a cloned website that looks identical to the real thing.

When you enter your username and password, the attacker captures them in real time. But the damage goes further. Because you believe you're logging into a legitimate service, you complete any MFA prompts. The attacker captures your session token along with your password, giving them full access to your account. They've bypassed MFA without breaking it.

587%
Rise in QR code phishing attacks from 2023 to 2024, according to ReliaQuest and Abnormal Security data

"QR codes are essentially trust shortcuts. We've trained users to scan without thinking, and attackers know this," said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

Why corporate security tools miss these attacks

Email security filters scan text and links. They struggle with QR codes because the malicious URL is encoded in an image. When a quishing email arrives, the filter sees nothing suspicious. The payload is hidden in plain sight.

The bigger problem is device switching. When an employee scans a QR code with their personal phone, the attack moves off the corporate network entirely. Network-based phishing detection, secure web gateways, endpoint protection on company laptops: none of it applies to a personal smartphone scanning a code and opening a browser.

This is why Microsoft and Google are both flagging AITM-plus-quishing as a priority threat. The attack exploits a gap in security architecture, not a flaw in any single product.

Physical QR codes are also compromised

Quishing isn't limited to email. Hoxhunt's report notes that malicious QR codes have appeared in physical spaces: posters, fake business cards, even stickers placed over legitimate codes on parking meters and restaurant menus. The FBI issued a public warning about this tactic in 2022, and attacks have only grown since.

A QR code on a poster at a conference or stuck to a public kiosk could redirect you to a credential harvesting site. There's no email filter to catch it. The only defense is user awareness.

Advertisement

How to defend against quishing

Treat QR codes with the same suspicion you'd give an unexpected email attachment. If you weren't expecting a code, don't scan it. If you must scan, preview the URL before opening it. Most smartphone cameras now show the destination link before you tap.

  • Never scan QR codes from unsolicited emails or attachments
  • Preview the URL your phone detects before tapping through
  • Verify unexpected requests through a separate channel (call the sender, check the official website directly)
  • Train employees to recognize quishing attempts, especially in PDF attachments
  • Consider mobile threat defense solutions that can scan URLs on personal devices

For organizations, the challenge is that bring-your-own-device policies create blind spots. You can't force security tools onto personal phones, but you can build a culture where employees question every QR code they encounter. Security awareness training should now include quishing scenarios.

ℹ️

Logicity's Take

Quishing exploits a genuine gap: security tools optimized for text and links can't parse images. For CTOs and security leads, the takeaway is that MFA alone won't save you. Phishing-resistant authentication, such as FIDO2/WebAuthn hardware keys, removes the session-token vulnerability entirely. Vendors like Yubico (hardware keys from $25) and Okta (enterprise plans starting around $6/user/month) offer solutions, but adoption remains low. Until passwordless authentication goes mainstream, user training is your primary defense against QR-based attacks.

What makes quishing different from traditional phishing

The underlying psychology is identical: create urgency, promise reward, or instill fear. The difference is the delivery mechanism. A QR code feels benign. We scan them at restaurants, conferences, and retail stores daily. That familiarity breeds complacency.

Attackers also benefit from the format's opacity. You can't hover over a QR code to see where it leads. You have to scan it first. That friction, the extra step of pulling out your phone and opening your camera, ironically makes the attack more effective. Users who take the trouble to scan feel committed to following through.

Frequently Asked Questions

What is quishing?

Quishing is QR code phishing. Attackers embed malicious URLs in QR codes to trick users into visiting credential-harvesting sites. The format bypasses traditional email security filters that scan text and links.

How does quishing bypass MFA?

The attacker uses an adversary-in-the-middle setup. When you enter credentials on the fake site, they're relayed to the real site in real time. You complete MFA thinking you're logging in legitimately, and the attacker captures both your password and session token.

Can antivirus software detect quishing attacks?

Most traditional antivirus and email security tools cannot scan QR codes for malicious URLs because the link is encoded in an image. Some mobile threat defense solutions now offer QR scanning, but coverage is limited.

Are physical QR codes also dangerous?

Yes. Attackers have placed malicious QR codes on posters, fake business cards, and stickers over legitimate codes on parking meters and restaurant menus. The FBI has issued warnings about this tactic.

How can I tell if a QR code is safe?

Preview the URL before tapping. Most smartphone cameras show the destination link after scanning. If the domain looks unfamiliar or misspelled, don't open it. When in doubt, navigate to the service directly through your browser instead of scanning.

Also Read
OpenAI's new prompting guide: stop overthinking, start with the result

AI-generated phishing content is making attacks harder to spot. OpenAI's guidance on prompt engineering applies to defenders too.

ℹ️

Need Help Implementing This?

If you're building security awareness training or evaluating phishing-resistant authentication for your organization, reach out to the Logicity team. We can connect you with vendors and consultants who specialize in zero-trust architecture and employee security training.

Source: Latest news

Advertisement
H

Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.

Related Articles