QR Code Phishing (Quishing)

That QR code skips every email filter you have.

What Is QR Code Phishing (Quishing)?

A company-branded email lands in your inbox. Subject line: Mandatory Security Upgrade. The message explains a new multi-factor authentication rollout and includes a QR code for quick mobile setup. The sender address matches your IT department. The branding is pixel-perfect. You scan the code with your phone.

That is exactly what attackers are counting on. QR codes convert URLs into images, which means email security filters that scan text-based links never see the malicious destination. Your phone opens a login page that looks identical to your company's SSO portal. You type your credentials on a smaller screen where URL inspection is harder. The attacker now has your username and password.

Hoxhunt reported a 587% surge in QR code phishing attacks in 2023. The technique is effective because it exploits a gap between devices. Your laptop has endpoint protection, email filtering, and browser security extensions. Your personal phone likely has none of those. By moving the attack from your work computer to your mobile device, attackers sidestep the entire corporate security stack.

In this exercise, you'll receive a realistic quishing email and walk through the full attack chain. You'll learn to preview QR code destinations before scanning, verify IT communications through official channels, and recognize the telltale signs that distinguish a legitimate QR-based workflow from a credential harvesting operation.

What You'll Learn in QR Code Phishing (Quishing)

QR Code Phishing (Quishing) — Training Steps

  1. A Routine Wednesday

    It's Wednesday morning. You've just settled into your home office with a coffee and opened your laptop to check for overnight messages.

  2. An Urgent Security Email

    A new email arrives from what appears to be the IT Security team. The subject line reads 'Mandatory: Multi-Factor Authentication Migration - Action Required by Friday.'

  3. Scanning the QR Code

    The email looks official and the deadline is just two days away. Alice picks up her phone to scan the QR code, thinking it will be faster than navigating through IT portals.

  4. Opening the Link

    The phone's QR scanner detects a URL: http://veranthos-security.net/verify. Alice taps 'Open in Browser' without scrutinizing the URL - after all, it came from an IT Security email.

  5. The Fake MFA Portal

    The mobile browser opens to what appears to be a Veranthos Solutions MFA migration portal. The page uses the company's green branding, has a shield icon, and asks Alice to 'verify her identity' by entering her work credentials before proceeding with the MFA setup. The professional appearance makes it seem legitimate - but the URL in the address bar tells a different story.

  6. Something Went Wrong

    After submitting her credentials, the page displays an error: 'MFA migration service temporarily unavailable. Please try again later.' Alice is frustrated but assumes it's a temporary server issue. She makes a mental note to try again tomorrow and returns to her work.

  7. Security Alert

    Two days later, Alice receives an urgent email from the Veranthos Solutions Security Operations Center.

  8. Connecting the Dots

    Alice feels a chill as she connects the dots - the MFA migration email, the QR code, the credentials she entered on that 'verification portal.' It wasn't a server error. It was a trap. The QR code in the email led her phone's browser to a fake Veranthos login page that harvested her credentials. The attacker now had full access to her account.

  9. Red Flags - The Email

    Let's go back and examine the original phishing email with fresh eyes. Several red flags were hiding in plain sight.

  10. Red Flags - The Phone

    Now let's look at the phishing page that Alice visited on her phone. The URL and protocol reveal clear signs of a fraudulent site.
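The checks a defender applies to a previewed QR destination, as described in the overview and in the phone red flags above, can be automated. The example below is added here and is not part of the original training module; it assumes a hypothetical corporate domain `veranthos.example` and the brand token `veranthos`, and uses the page's `http://veranthos-security.net/verify` as one of its constructed inputs.

```python
from urllib.parse import urlparse

# Assumed organisation details (hypothetical placeholders, not from the page):
# the brand name attackers like to embed in lookalike hosts, and the domains
# the organisation actually owns. Any host outside TRUSTED_DOMAINS is untrusted.
BRAND_TOKENS = {"veranthos"}
TRUSTED_DOMAINS = {"veranthos.example"}
CREDENTIAL_PATH_WORDS = ("verify", "login", "mfa", "sso", "auth", "signin")


def registrable_domain(host):
    """Reduce a hostname to its last two labels (a simplification of the
    public-suffix rules) so sub-domains of a trusted domain are accepted but
    'veranthos.example.evil.net' is not."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted_host(host):
    return registrable_domain(host) in TRUSTED_DOMAINS


def assess_qr_destination(url):
    """Return a list of red flags for a URL decoded from a QR code.
    An empty list means no rule fired, which is not proof of legitimacy."""
    flags = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        flags.append(f"insecure scheme '{parsed.scheme or 'none'}' (expected https)")
    if not host:
        flags.append("destination has no hostname; do not open")
        return flags
    if not is_trusted_host(host):
        flags.append(f"host '{host}' is not a trusted corporate domain")
        # Brand name inside an untrusted host is the classic lookalike pattern
        # (veranthos-security.net posing as Veranthos Solutions).
        if any(token in host for token in BRAND_TOKENS):
            flags.append(f"untrusted host '{host}' contains brand name (lookalike)")
        # A credential-prompting path on an untrusted host is the harvesting page itself.
        if any(word in parsed.path.lower() for word in CREDENTIAL_PATH_WORDS):
            flags.append(f"credential-style path '{parsed.path}' on untrusted host")
    return flags


if __name__ == "__main__":
    for sample in ("http://veranthos-security.net/verify",          # from the page
                   "https://sso.veranthos.example/mfa/setup",       # constructed, legitimate
                   "https://veranthos.example.evil.net/login"):     # constructed, sub-domain trick
        print(sample, "->", assess_qr_destination(sample) or ["no flags"])
```

The two-label domain reduction is deliberately simple; a production check would use the public suffix list and the organisation's real domain inventory.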