Quishing Explained: How to Spot QR Code Phishing Scams [Security.org]

Quishing (a portmanteau of “QR” and “phishing”) is a cyberattack in which criminals embed malicious URLs inside QR codes to redirect victims to fraudulent websites designed to steal credentials or financial information, or to install malware. Unlike traditional phishing links, which users can inspect before clicking, QR codes completely conceal their destination until scanned, making this one of the fastest-growing and hardest-to-detect scam vectors.

Attackers take advantage of how familiar and low-suspicion QR code scanning has become, often using hybrid approaches that combine quishing with smishing texts or vishing calls. They also exploit a technical blind spot: most email filters cannot scan embedded QR codes for malicious links.

Additionally, quishing creates an attack pathway that jumps from secured work devices to personal phones, further complicating security monitoring efforts.
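The email-filter blind spot described above can be shown with a short added example (not code from the original article). It compares what a text-only link scan sees with what is found once image parts are decoded too. The QR decoder is passed in as a hypothetical `decode_qr` callable, and the message, image bytes, URL and blocklist are constructed sample data.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def text_urls(msg):
    """URLs visible to a filter that only reads text/plain and text/html parts."""
    return [u for p in msg.walk() if p.get_content_maintype() == "text"
            for u in URL_RE.findall(p.get_content())]

def qr_urls(msg, decode_qr):
    """URLs carried inside image parts; decode_qr(bytes) -> list of payload strings."""
    return [u for p in msg.walk() if p.get_content_maintype() == "image"
            for payload in decode_qr(p.get_payload(decode=True))
            for u in URL_RE.findall(payload)]

def triage(raw, decode_qr, blocked_hosts):
    """Run the same host blocklist over body links and QR-decoded links."""
    msg = message_from_bytes(raw, policy=policy.default)
    seen = text_urls(msg)
    qr_only = [u for u in qr_urls(msg, decode_qr) if u not in seen]
    hits = [u for u in seen + qr_only if urlsplit(u).hostname in blocked_hosts]
    return {"text_urls": seen, "qr_only_urls": qr_only, "blocked": hits}

# --- constructed sample data (not from the article) ---
SAMPLE_IMAGE = b"CONSTRUCTED-IMAGE-BYTES"  # stands in for a PNG containing a QR code

def stub_decoder(image_bytes):
    """Stand-in for a real QR library so the example runs offline."""
    return ["https://login.example.invalid/verify"] if image_bytes == SAMPLE_IMAGE else []

def build_sample():
    """Build a message whose body has no link; the only URL is in the image."""
    m = EmailMessage()
    m["Subject"] = "Action required: re-verify your account"
    m.set_content("Scan the attached code with your phone to continue.")
    m.add_attachment(SAMPLE_IMAGE, maintype="image", subtype="png", filename="code.png")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(), stub_decoder, {"login.example.invalid"}))
```

In the sample, the text-only scan returns no URLs at all, so the blocklist match appears only after the image part is decoded.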

