What Is Quishing: Protecting Against QR Code Scams in 2026

Quishing is QR-code phishing. It hides a malicious link inside a QR code image. According to the Canadian Anti-Fraud Centre, fraudsters are increasingly using QR codes in various scams to steal personal information and money.

If you've opened an email lately that asks you to scan a code to reset a password, review a bill, or track a package, you've already seen why this works. The message looks tidy. The QR code looks normal. Your phone makes scanning feel routine, so you move faster than you would with a plain text link.

That small shift matters. With ordinary phishing, people often hover over a link and pause. With quishing, the dangerous part sits inside an image, and the scan usually happens on a phone where the full web address may be harder to inspect.

Many business owners understand phishing in general, but quishing creates a new blind spot. If you'd like a refresher on the broader problem first, our guide to what email phishing looks like in practice covers the older pattern that quishing builds on.

What Is Quishing

A common situation looks like this. You get an email that says your Microsoft 365 session expired, or that a courier couldn't deliver a parcel. Instead of a button, the email tells you to scan a QR code to fix the issue on your phone.

That is quishing, short for QR-code phishing. Attackers place a malicious link inside a QR code so you scan it, open a fake site, and hand over login details or trigger a malware download.

An infographic explaining the concept of quishing, highlighting QR code-based phishing attacks and data theft risks.

Why the scam feels normal

QR codes are everywhere now. Restaurants use them for menus. Offices use them for guest Wi-Fi, forms, and sign-ins. Shipping notices, event check-ins, and support portals often include them too.

Attackers rely on that familiarity. They don't need to invent a strange behaviour. They only need to copy a behaviour you already trust.

Practical rule: A QR code is not proof that a message is legitimate. It's only another way to deliver a link.

Why security teams pay attention to it

Quishing isn't a niche trick. Malwarebytes describes it as a rapidly evolving cyber threat that bypasses traditional email security filters by embedding malicious links within QR codes, and notes that the Federal Trade Commission has reported a rising trend in these schemes (Malwarebytes on what quishing is).

That warning matters because the attack changes where your attention goes. Instead of checking a visible link on your computer, you scan an image and jump to a site on your phone. The handoff feels smooth, which lowers your guard.

For a small business owner, the risk is practical, not abstract. One employee scans a fake payroll code, enters credentials on a spoofed page, and the attacker may gain access to email, invoices, or internal messages. The QR code itself isn't dangerous. The hidden destination is.

How QR-Code Phishing Works

Most quishing attacks follow a simple chain. The criminal creates a fake login page, turns its address into a QR code, wraps that code in a convincing message, and waits for someone to scan it.

An infographic showing the five steps of a QR-code phishing attack, also known as quishing, leading to data compromise.

What the attacker does first

The first step is usually a fake destination. It might copy a Microsoft 365 login, a bank sign-in page, or a document-sharing screen. The page often looks polished because criminals know the QR code already did the hard part, which is getting you to visit.

Then they convert that web address into a QR code. According to IBM's security research, quishing differs from ordinary phishing because it uses a two-dimensional barcode, which stores data horizontally and vertically, to redirect people to spoofed login pages or malware.

What you experience when you scan

From your side, the process feels harmless. You open your phone camera, scan the code, and tap the prompt. On mobile, you may only see a shortened preview or a quick browser handoff, not a careful desktop-style inspection of the full address.

That is one reason these attacks work so well. People scan in the middle of the day, often while moving between tasks. A rushed employee handling invoices or account alerts may treat the code as a shortcut instead of a risk.

A few common paths look like this:

  1. Account reset
    An email says your password expired and asks you to scan a code to re-authenticate.

  2. Document review
    A message claims a secure file must be opened on mobile for compliance reasons.

  3. Payment or delivery
    A code promises to fix a failed delivery, confirm banking details, or release an invoice.

The QR code is only the lure. The real theft happens on the page that opens after the scan.

Proofpoint also notes that security teams now use QR code analysis engines with computer vision and machine learning to decode embedded URLs and assess risk. That tells us two things. First, defenders know this is a serious problem. Second, the basic email stack still needs extra help to inspect image-based threats well.

Why Quishing Slips Past Email Filters

A business owner gets an email that looks routine. It asks them to review a secure document or confirm an account detail, and instead of a blue link, it shows a QR code. The email gateway lets it through. The phone scan opens the risky page later.

A computer monitor displaying complex digital data streams with a green sign saying Bypass Filters above it.

The blind spot in many inboxes

Traditional filters are built to inspect what they can read quickly. They check sender reputation, headers, attachment types, known phishing wording, and visible URLs. A QR code interrupts that process because the destination is tucked inside an image instead of written out in text.

A simple comparison helps here. A normal phishing email is like a parcel with the address printed on the label, so scanners can read it right away. A quishing email hides that address inside a photo of the label. The message may still be suspicious, but the main clue is harder for basic filtering tools to parse.

IBM describes quishing as a threat that hides in plain sight because attackers replace clickable links with QR codes that many email scanners do not inspect well (IBM on why scanners miss quishing).

That is why an email can pass security checks and still lead to a phishing page later.

If you want a plain-language explanation of how inbox protections usually inspect messages, our guide to spam filtering and email security basics explains what filters look for and where image-based threats can slip through.

Why QR codes create a second layer of risk

Quishing also shifts the attack onto a mobile device. That matters because the scan often happens outside the protected business environment. An employee may use a personal phone, open the page in a mobile browser, and never see the same warnings, URL previews, or security controls they would notice on a desktop.

For Canadian businesses, that gap is especially important. Attackers have used QR-driven phishing in banking and payment scams, including cases reported in Canada that target mobile users with fake account prompts and phone-based credential theft. Generic guides often stop at "QR codes hide links." The more practical point is that the handoff to mobile can bypass both the email filter and the user's usual verification habits.

The compliance side matters too. If a staff member scans a fake code and exposes customer or employee information, the problem extends beyond a password reset. Under PIPEDA, organisations must notify the Privacy Commissioner and affected individuals about breaches that pose a "real risk of significant harm," and they must document all breaches and retain those records for at least 24 months.

This is especially critical for Canadian businesses. Email security isn't just about preventing the initial scan—it's about ensuring that if a breach occurs, your email infrastructure is designed to minimise exposure. Typewire was built with this in mind: by hosting email and audit data in Canada under Canadian jurisdiction, it ensures that if a quishing incident happens, the full record of that breach stays under your control and PIPEDA jurisdiction, rather than routing through US-based servers where retrieval for incident response becomes more complicated.

A short explainer can help if you'd like to see the attack flow visually.

Why this matters

Quishing succeeds because many email defences were designed to judge written links, while the actual destination now sits inside a scannable image and opens on a phone. For a small business, the practical lesson is straightforward. Treat a QR code in email with the same caution you would give any unexpected login link, invoice update, or banking request.

Real Quishing Examples

The easiest way to spot quishing is to see how it shows up in everyday work. These aren't exotic attacks. They often arrive in ordinary business situations.

A person holding a smartphone to scan a restaurant menu QR code standing on a wooden table.

The fake IT reset

A staff member receives an email that says multi-factor authentication needs to be reconfigured. The message avoids a visible button and instead says, "For security, scan this code on your mobile device." The destination opens a sign-in page that looks like a normal Microsoft or Google login.

This catches people because the format feels more secure than a clickable link. In reality, the QR code only hides the same kind of phishing destination.

The delivery problem that isn't real

A small retailer gets a shipping notice saying a parcel is held at a depot. The message includes a QR code to reschedule delivery. The owner scans it between customer calls, lands on a payment page, and enters business contact details or card information.

The trap works because it creates a small, believable inconvenience. People want the parcel released, so they act before they verify.

The mobile banking and fake IVR trap

A more worrying pattern involves banking. Malwarebytes notes that quishing can redirect people to fake IVR systems, and a CBC report cited in FuseCS says that in early 2025 31% of quishing victims in Vancouver lost money through fraudulent IVR calls after scanning malicious QR codes (FuseCS summary of quishing and fake IVR losses).

This attack can unfold in a few steps:

Scenario What the victim sees What the attacker wants
Banking alert A QR code to "verify unusual account activity" Login details or phone-based verification data
SMS or email follow-up A prompt to call a support number after scanning Trust and urgency
Fake IVR system Automated prompts that sound bank-like PINs, account details, or one-time codes

If a QR code leads you into a phone tree, treat it with the same suspicion as a surprise login page.

How to Protect Yourself and Your Business

The best defence is not to stop using QR codes entirely. It's to treat them like links, because that's what they are. Once you make that mental switch, your habits improve fast.

Safer scanning habits for individuals

Start with a pause. If a message is unsolicited and asks you to scan a code to fix a problem, slow down. Use a separate path to verify the request, such as typing the known website address yourself or calling the sender through a trusted number you already have.

These habits help most:

  • Preview before opening. If your phone shows the destination, inspect it before tapping. If the address looks unfamiliar, misspelled, or unrelated to the organisation, stop.

  • Avoid urgency traps. Messages about account lockouts, invoices, and package issues often try to rush you.

  • Use the official app or site. If your bank or software provider needs action, open the app or website directly rather than entering through a QR code.

  • Keep work and personal caution aligned. A personal phone can still expose business accounts if you use it for email or sign-ins.

Practical controls for businesses

Staff training matters, but policy matters too. Teams need a simple rule they can follow under pressure: no one should scan a QR code from email to handle credentials, payroll, banking, or password resets unless the request is verified through a separate channel.

The Canadian Centre for Cyber Security says quishing can circumvent DMARC (Domain-based Message Authentication, Reporting, and Conformance) compliance policies, and recommends DMARC-aligned anti-phishing software plus CIRA's Canadian Shield DNS resolver as defensive benchmarks (Canadian Centre guidance on phishing and quishing defences).

A sensible business checklist looks like this:

  1. Train for the format, not just the concept
    Many teams train for suspicious links but not suspicious QR codes. Show employees examples from invoices, courier messages, and IT notices.

  2. Set a verification rule
    If a code asks for credentials, payment, or identity confirmation, employees should verify through another channel first.

  3. Review mobile exposure
    Quishing often succeeds on phones. Check whether your team uses personal devices for work sign-ins and whether your mobile browser habits are part of security training.

  4. Prepare for incident handling
    If someone scanned a malicious code, respond as you would to any phishing event. Reset passwords, review account activity, and document the incident.

Key takeaway: The safest QR code is the one you don't scan until the context makes sense.

The privacy and compliance side

Security and privacy connect quickly here. If your organisation handles personal information, you remain responsible for it even when third-party vendors process it under PIPEDA, according to the practical summary linked earlier. That means your provider choices, staff practices, and incident records all matter.

Data location matters too. A Canadian data sovereignty overview notes that organisations must obtain explicit consent before collecting, using, or disclosing personal information, and that individuals retain rights to access and correct their data under PIPEDA's fair information principles (overview of Canadian data sovereignty and PIPEDA duties).

For businesses using outside providers, jurisdiction should be part of the discussion. OpsGuru's overview explains that data residency is not the same as data sovereignty, and that contractual safeguards and Transfer Impact Assessments can matter when foreign providers are involved (data sovereignty versus residency in Canada).

If you want practical next steps for employee habits, our guide to avoiding phishing emails at work pairs well with a quishing policy.

Staying Vigilant in a QR-Code World

Quishing works because it hides an old scam inside a familiar format. The QR code isn't the problem on its own. The problem is an unverified destination combined with a moment of trust.

The safest mindset is calm scepticism. If a code arrives unexpectedly, asks for credentials, or pushes you toward urgent action, stop and verify through a separate channel. That one habit will prevent many of the most common attacks.

We should also be honest about limits. No filter catches everything, and no user spots every trick. Good protection comes from layers: better filtering, stronger policies, clearer training, careful mobile habits, and a provider that treats privacy and security seriously.

Last updated: July 2026.


If you want an email provider that keeps quishing incident data and email metadata under Canadian jurisdiction for compliance and incident response, Typewire is built for this. We run our own infrastructure in Vancouver, keep all data in Canada, and focus on straightforward, ad-free email designed around privacy and PIPEDA compliance.