QR Code Phishing (Quishing)
That QR code skips every email filter you have.
What You'll Learn in QR Code Phishing (Quishing)
- Explain how QR codes bypass traditional email security filters and URL scanning
- Identify the warning signs of a phishing email that uses QR codes instead of clickable links
- Apply mobile URL inspection techniques before entering credentials on a phone
- Recognize cross-device attack strategies that exploit gaps between corporate and personal security
- Demonstrate proper verification procedures for unexpected IT communications
QR Code Phishing (Quishing) Training Steps
- A Routine Wednesday
  It's Wednesday morning at Verdantis Solutions, an environmental consulting firm specializing in sustainability analytics. You are Alice, a project coordinator managing client deliverables and internal reporting. You've just settled into your home office with a coffee and opened your laptop to check for overnight messages.
- An Urgent Security Email
  A new email arrives from what appears to be the IT Security team. The subject line reads 'Mandatory: Multi-Factor Authentication Migration - Action Required by Friday.'
- Scanning the QR Code
  The email looks official and the deadline is just two days away. Alice picks up her phone to scan the QR code, thinking it will be faster than navigating through IT portals.
- Opening the Link
  The phone's QR scanner detects a URL: http://verdantis-security.net/verify. Alice taps 'Open in Browser' without scrutinizing the URL - after all, it came from an IT Security email.
- The Fake MFA Portal
  The mobile browser opens to what appears to be a Verdantis Solutions MFA migration portal. The page uses the company's green branding, has a shield icon, and asks Alice to 'verify her identity' by entering her work credentials before proceeding with the MFA setup. The professional appearance makes it seem legitimate - but the URL in the address bar tells a different story.
- Something Went Wrong
  After submitting her credentials, the page displays an error: 'MFA migration service temporarily unavailable. Please try again later.' Alice is frustrated but assumes it's a temporary server issue. She makes a mental note to try again tomorrow and returns to her work.
- Security Alert
  Two days later, Alice receives an urgent email from the Verdantis Solutions Security Operations Center.
- Connecting the Dots
  Alice feels a chill as she connects the dots - the MFA migration email, the QR code, the credentials she entered on that 'verification portal.' It wasn't a server error. It was a trap. The QR code in the email led her phone's browser to a fake Verdantis login page that harvested her credentials. The attacker now had full access to her account.
- Red Flags - The Email
  Let's go back and examine the original phishing email with fresh eyes. Several red flags were hiding in plain sight.
- Red Flags - The Phone
  Now let's look at the phishing page that Alice visited on her phone. The URL and protocol reveal clear signs of a fraudulent site.
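
The URL and protocol checks from the last step can also be automated, for example by a mail gateway that has already decoded the QR image. The sketch below is an added example, not part of the original training material; the trusted domain `verdantis.example` and the function name `inspect_qr_url` are assumptions, since the page does not give the company's real domain.

```python
from urllib.parse import urlsplit

# Assumption: the page does not state the company's real domain, so
# "verdantis.example" stands in for it here.
TRUSTED_DOMAINS = {"verdantis.example"}
BRAND_TOKENS = {"verdantis"}


def inspect_qr_url(url, trusted=TRUSTED_DOMAINS, brands=BRAND_TOKENS):
    """Return the red flags found in a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]

    flags = []
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if parts.username or parts.password:
        # Text before '@' is not the host, even if it looks like one.
        flags.append("userinfo-in-url")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        flags.append("idn-host")

    # Trusted means the host is the domain itself or a subdomain of it.
    on_trusted = any(host == d or host.endswith("." + d) for d in trusted)
    if not on_trusted:
        flags.append("untrusted-domain")
        # The brand name inside an unrelated domain is the lookalike
        # pattern seen in the scenario's URL.
        if any(b in host for b in brands):
            flags.append("brand-lookalike")
    return flags


if __name__ == "__main__":
    samples = [
        "http://verdantis-security.net/verify",      # URL from the scenario
        "https://sso.verdantis.example/mfa",         # constructed
        "https://verdantis.example@login.test/",     # constructed
        "https://verdantis.example.login.test/",     # constructed
    ]
    for s in samples:
        print(s, "->", inspect_qr_url(s) or "no flags")
```

An empty result only means none of these checks fired; it does not prove the destination is legitimate.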