{"id":42323,"date":"2026-06-17T17:16:28","date_gmt":"2026-06-17T15:16:28","guid":{"rendered":"https:\/\/smartfense.com\/?p=42323"},"modified":"2026-06-18T10:25:19","modified_gmt":"2026-06-18T08:25:19","slug":"quishing-qr-code-phishing-how-to-simulate","status":"publish","type":"post","link":"https:\/\/smartfense.com\/en\/blog\/quishing-qr-code-phishing-how-to-simulate\/","title":{"rendered":"Quishing (QR code phishing): what it is and how to simulate it"},"content":{"rendered":"

There is a sign with one QR code stuck on top of another. At a glance you cannot tell, the new sticker covers the original and points somewhere else. Whoever scans it thinks they are paying for parking or opening the restaurant menu, but they just handed over their data on a fake page.<\/p>\n

That is quishing, also written qrishing, and it is one of the fastest growing attack vectors of the past year. The uncomfortable part for the security team is that almost everything built to stop email phishing never sees it coming.<\/p>\n

What is quishing?<\/h2>\n

Quishing is a variant of phishing that uses a QR code as the lure. Instead of a text link, the attacker hides the malicious URL inside a QR code so the person scans it and lands on a fraudulent page.<\/p>\n

The name comes from joining QR and phishing, and you will see it written both ways, quishing and qrishing, depending on the source. The goal is the usual one (steal credentials, payment data, or push someone to install something on their device), but the wrapper changes, and that change is exactly what makes it effective.<\/p>\n

How does a quishing attack work?<\/h2>\n

The scheme is simple, and that is why it works.<\/p>\n

The attacker generates a malicious QR code that points to a page under their control, a copy of a bank login portal, the corporate mail sign-in, or a payment gateway. Then they place it where people let their guard down: stuck over a legitimate QR in a public space, inside an official-looking email or PDF, or printed on a letter that appears to come from a supplier.<\/p>\n

The person scans, reaches the fake page, types their credentials, and hands them to the attacker without noticing. Because the QR almost always opens on a phone, the jump from the corporate environment to the personal device is immediate.<\/p>\n

Why do traditional filters miss it?<\/h2>\n

Here is the part that worries people most. An email filter analyzes links and attachments, but a QR code travels as an image. To the filter it is a square of pixels, not an address it can check against reputation lists.<\/p>\n

And there is a second problem. The QR is almost always scanned on a personal phone, outside the corporate network and its controls. The security team loses visibility at the exact moment of the scan. It is the same gap we covered in what your SIEM does not see<\/a>, where the person\u2019s behavior happens in a place traditional tools cannot reach.<\/p>\n

That is why blocking is not enough. If the defense depends on a system intercepting the attack, quishing slips underneath.<\/p>\n

How do you simulate quishing?<\/h2>\n

The way to know how exposed your organization is, is to stage a controlled attack before the real one arrives. A quishing simulation reproduces the scenario in a safe environment and measures what happens.<\/p>\n

In practice, the campaign includes a QR code that leads to your own harmless landing page instead of a fraudulent site. When someone scans it they hand over nothing; it is simply recorded that they scanned, and that data feeds that person\u2019s risk indicator. With that, the organization knows where to reinforce.<\/p>\n

What sets a good simulation apart is in how it is designed, something we develop in how to design a simulation campaign that changes behavior<\/a>. The QR is one more channel within that logic, not an isolated trick.<\/p>\n

How do you train people against quishing?<\/h2>\n

Technology helps, but against quishing the final decision is always made by a person with a phone in their hand. Three reflexes are worth building:<\/p>\n