The QR Code That Looks Legitimate Is the One to Watch
QR code phishing — known as quishing — has been a growing threat for several years. Now it’s getting harder to spot. Attackers are using stylised, branded QR codes that look completely legitimate to bypass both human instinct and automated security tools.
QR codes have become part of the fabric of everyday life. They’re on restaurant menus, product packaging, event signage, email signatures, and marketing materials. Most people scan them without a second thought — and that’s exactly what attackers are counting on.
Quishing, or QR code phishing, uses malicious QR codes to redirect victims to sites designed to steal credentials, harvest personal data, or deliver malware. It’s not a new technique, but it’s evolving rapidly — and the latest generation of attacks is significantly harder to detect than anything that came before.
What Makes Quishing Different From Regular Phishing
Traditional phishing emails contain a link. Security-conscious users know to hover over a link before clicking, check the domain, and look for subtle misspellings. Organisations invest in email security tools — including solutions like Proofpoint — that scan links automatically and flag suspicious URLs before they ever reach an inbox.
QR codes remove that entire layer of visibility. There is no URL to inspect before you scan. The destination is hidden inside a machine-readable image, invisible to the human eye. The moment someone points their phone camera at a malicious QR code, they’ve already initiated the redirect — and most people are doing this on personal mobile devices that sit entirely outside corporate security controls.
The Evolution: From Black-and-White to Branded
Until recently, QR codes had a consistent look — black squares on a white grid. While not foolproof, this visual consistency meant that tampering or substitution sometimes stood out. A code that looked slightly different, or was placed somewhere unexpected, could trigger a degree of scepticism.
That visual cue is disappearing. Attackers are now producing stylised, “fancy” QR codes — incorporating brand colours, logos, rounded shapes, gradient fills, and decorative backgrounds — that look indistinguishable from legitimate marketing materials. These codes still scan perfectly, but the design removes the subconscious signal that prompted users to pause and verify.
Traditional black-and-white QR codes: easier to scrutinise
Black and white grid pattern. Consistent visual format meant anomalies were sometimes noticeable. Security tools built around standard pattern detection could flag deviations.
Stylised, branded QR codes: designed to look trustworthy
Incorporates colours, logos, rounded corners, and branded backgrounds. Visually identical to legitimate marketing. Defeats pattern-based detection and removes user hesitation.
Why This Generation of Attacks Is Harder to Stop
Users can’t spot them
Branded designs trigger trust rather than caution. A QR code that looks like it belongs to a known brand is more likely to be scanned without hesitation.
Security tools face edge cases
Modern email security handles most quishing attempts, but codes buried inside zipped files or nested attachments can slip through even robust defences.
Mobile bypasses controls
QR codes are scanned on smartphones — often personal devices operating entirely outside corporate MDM, endpoint protection, and network monitoring.
Where These Attacks Appear
Quishing attacks are not limited to dodgy emails. They appear across a wide range of channels, some of which businesses are less likely to be guarding against. Physical environments are increasingly targeted — malicious QR codes placed over legitimate ones on posters, parking meters, delivery notices, and shared office equipment. Digital channels include email campaigns, PDF attachments, Microsoft Teams messages, and even QR codes embedded in legitimate-looking invoices.
The delivery-package angle is particularly worth noting for staff awareness. Scammers are sending physical parcels or notices with QR codes that appear to be from Australia Post or courier services, prompting recipients to scan and “verify delivery details.” The physical, real-world nature of these attacks makes them feel more legitimate than a suspicious email link ever could.
Strong Email Security Is Essential — But Awareness Still Matters
Solutions like Proofpoint are highly effective at detecting and blocking malicious QR codes delivered via email — decoding embedded codes, analysing destination URLs, and stopping threats before they reach the inbox. Where risk remains is in specific edge cases: QR codes concealed inside nested attachments or compressed files can be harder to analyse. And critically, quishing doesn’t only arrive via email — physical environments, messaging platforms, and printed materials all fall outside email security coverage entirely. That’s why technical controls and staff awareness need to work together.
What Your Business Should Do
Quishing sits at the intersection of technical controls and human behaviour — and like most social engineering threats, the human side is where most of the risk lives. The most effective response combines the right security tools with staff who know what to look for.
1. Include Quishing in Security Awareness Training
Most employees have received training on email phishing, but far fewer have been trained on QR code threats. Security awareness programmes should now include specific quishing scenarios — what they look like, where they appear, and what to do when something feels off. At Technicalities, we help clients build and deliver awareness training that covers the full range of current social engineering threats, including quishing.
2. Teach Staff to Verify Before They Scan
The single most effective habit is a simple pause — consider the source before scanning. Is this QR code in a context you’d expect? Does the destination URL shown after scanning match the expected domain? Is there an alternative way to access the information (typing a URL directly, for example)? Building this habit through regular awareness communications is something we support as part of ongoing security training for our clients.
3. Extend Mobile Security Policies
Because QR codes are almost always scanned on mobile devices, your mobile security posture matters. Ensure business devices have up-to-date security software, and consider whether your acceptable use policies address QR code scanning — particularly on devices used for work email or document access.
4. Make Sure Your Email Security Is Properly Configured
Proofpoint and similar enterprise email security platforms provide strong protection against quishing when correctly deployed and kept up to date — including the ability to detect and analyse QR codes embedded in email content. We strongly recommend all of our clients use Proofpoint as a core layer of their email defence. If you’re unsure whether your configuration is current or optimised for quishing detection, that’s a conversation worth having with your IT partner.
The Bottom Line
Quishing is not an emerging threat on the horizon — it’s active, it’s growing, and the latest branded QR code variants are genuinely difficult for both people and tools to catch. The businesses most at risk are those whose security awareness training hasn’t caught up with how the threat has evolved, and whose staff still associate phishing exclusively with suspicious emails.
Updating your training, reinforcing verification habits, and ensuring your email security configuration is current are practical, achievable steps. They don’t require significant investment — they require awareness and consistency. That’s where Technicalities can help.
Talk to Us About Security Awareness Training
If your team’s security training hasn’t been updated recently — or doesn’t yet cover quishing — get in touch. We can help you assess your current posture and build a training programme that reflects today’s threat landscape.