Glossary
What is quishing?
Quishing is phishing that uses malicious QR codes. Instead of a clickable link, the attacker hides a phishing URL inside a QR code — on a poster, email or invoice — so when you scan it with your phone you're taken to a fake site that steals credentials or payment details.
How quishing works
A QR code is just an encoded link, but you can't read where it leads before scanning. Attackers exploit that trust: they place codes on parking signs, fake invoices, or inside emails, knowing people scan first and check later.
Because scanning happens on a personal phone — often outside corporate security controls — quishing can bypass email filters and endpoint protection entirely.
Where quishing shows up
Common quishing lures include parking and payment posters, package-delivery notices, restaurant menus and 'verify your account' emails that embed a QR code instead of a link.
How to prevent quishing
- Preview the URL your phone shows before opening it, and don't proceed if it looks off.
- Be suspicious of QR codes in unexpected emails or public places.
- Never enter credentials or payment details on a site reached only via a scanned code.
- Report suspicious codes to your security team.
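One way a security team could turn "don't proceed if it looks off" into a repeatable check on the URL a scanner decodes. This is an added example, not HookPhish code; the expected-host list, the shortener list and the sample payloads are constructed assumptions, and the heuristics only flag a link for review rather than prove it safe or malicious.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts your organisation's genuine QR codes point to (constructed values).
EXPECTED_HOSTS = {"pay.example-parking.test", "login.example.test"}
# Assumption: a small sample of link-shortener hosts; extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def triage_qr_payload(payload, expected=EXPECTED_HOSTS):
    """Return reasons a decoded QR payload looks off; an empty list means none found."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme {scheme or 'missing'!r})"]
    if not host:
        return ["no host in URL"]
    reasons = []
    if scheme == "http":
        reasons.append("plain http, no TLS")
    if parts.username is not None:
        reasons.append("text before '@' is not the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible lookalike characters")
    if host in SHORTENERS:
        reasons.append("link shortener hides the destination")
    if host not in expected:
        if any(host.startswith(good + ".") for good in expected):
            reasons.append("expected name used as a subdomain of another domain")
        reasons.append("host is not on the expected list")
    return reasons


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://pay.example-parking.test/lot/12",
                   "http://203.0.113.7/pay",
                   "https://login.example.test@198.51.100.9/verify",
                   "https://login.example.test.account-check.example.net/"):
        print(sample, "->", triage_qr_payload(sample) or "no flags")
```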
How HookPhish helps
HookPhish includes QR-code (quishing) lures in its simulation library, so employees practice the newer attack channels — not just classic email links.
Frequently asked questions
Are QR codes dangerous?
QR codes are safe in themselves, but they can hide malicious links. The risk is scanning a code from an untrusted source and trusting the page it opens.
How do I scan a QR code safely?
Use a scanner that previews the URL, check the domain before opening it, and never enter credentials or payments on a site reached only via a scanned code.
Why is quishing effective?
You can't see a QR code's destination before scanning, and scanning often happens on personal phones outside corporate security controls.