QR Code Phishing (Quishing): A Growing Threat to Small Business
Your team has been trained for years to hover over links and inspect email addresses before clicking. Attackers know this, so they found a way around it: they put the malicious link inside an image your phone is eager to scan. QR code phishing, nicknamed “quishing,” has become one of the fastest-growing tricks aimed at small businesses, and most security training never mentions it. This guide explains how it works and how to protect your team.
What Quishing Is
Quishing is phishing that uses a QR code instead of a clickable link. The attacker sends an email, prints a flyer, or places a sticker, and embeds a QR code that points to a malicious website. When someone scans it with their phone camera, they are taken to a fake login page or a malware download, exactly as they would be with a traditional phishing link.
The reason it works is mechanical. A QR code is just an image to an email security filter. The scanner that checks links in your inbox sees a picture, not a URL, so the malicious destination sails past the very filters that would have blocked a normal phishing link. The attack then jumps to the victim’s personal phone, which usually has none of the corporate security protections their work computer has.
Why Small Businesses Are Targets
QR codes became normal during the years when restaurants, parking lots, and event check-ins all moved to them. People now scan codes without a second thought, which is precisely the instinct attackers exploit. A small business with limited security tooling and untrained staff is an easy mark, and the payoff is the same as any phishing campaign: stolen credentials, drained accounts, or a foothold for ransomware.
The Common Quishing Plays
A handful of scenarios show up over and over.
- The fake MFA reset. An email claims your Microsoft or Google multi-factor authentication needs reconfiguring, with a QR code to scan. The code leads to a credential-harvesting page that mimics the real login.
- The parking or toll scam. A sticker placed over a legitimate QR code on a parking meter or a fake toll notice sends people to a payment page that steals card details.
- The “you have a document” lure. An email says a shared file or voicemail is waiting, with a QR code to access it.
- The fake invoice or delivery notice. Aimed at finance and operations staff, these mimic vendors and shipping companies.
The common thread is urgency plus a code, designed to move someone from a guarded work computer to an unguarded personal phone.
How to Spot a Malicious QR Code
Teach your team a few reliable instincts. Be suspicious of any QR code that arrives by email, especially one that creates urgency about accounts, payments, or security. Legitimate companies rarely ask you to scan a code from an email to log in. When scanning any code, pause on the preview of the URL that your phone shows before you open it, and confirm the domain is exactly what you expect, not a look-alike with extra words or odd spelling. In the physical world, check whether a QR code is a sticker placed over something else, which is a classic tampering sign.
Above all, treat the destination of a scanned code with the same skepticism you would a link in an email. The QR code is just a different envelope around the same trick.
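The domain check described above, written out as a small Python function (an added example, not part of the original article) of the kind a help desk or an internal reporting tool could run on the URL a phone shows in its scan preview. The expected sign-in hosts and brand words are assumptions for an imaginary business, and the `.example` test URLs are constructed.

```python
from urllib.parse import urlsplit

# Sign-in hosts this business actually uses (assumed values for the example).
EXPECTED_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Brand words whose appearance in any other host is a look-alike signal.
BRAND_WORDS = ("microsoft", "google", "office", "mfa")
# Digits commonly swapped for letters in look-alike names: 0->o 1->l 3->e 5->s.
DIGIT_SWAPS = str.maketrans("0135", "oles")


def check_scanned_url(url):
    """Classify the URL a phone shows in its scan preview.

    Returns (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'.
    Only an https URL whose host exactly equals an expected host is 'ok',
    which mirrors the rule: the domain must be exactly what you expect.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return "suspicious", "no hostname in URL"
    if parts.username is not None:
        # 'https://accounts.google.com@evil.example/' really goes to evil.example.
        return "suspicious", "user@host trick hides the real host (%s)" % host
    if parts.scheme != "https":
        return "suspicious", "not https"
    if host in EXPECTED_HOSTS:
        return "ok", "exact match for an expected sign-in host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label may hide look-alike characters"
    for expected in EXPECTED_HOSTS:
        if expected in host:
            # e.g. accounts.google.com.verify-now.example: the real domain is the tail.
            return "suspicious", "expected host embedded in a different domain"
    normalised = host.translate(DIGIT_SWAPS)
    for word in BRAND_WORDS:
        if word in normalised and word not in host:
            return "suspicious", "digit-for-letter spelling of '%s'" % word
        if word in host:
            return "suspicious", "brand name '%s' in an unexpected domain" % word
    return "unknown", "not a known sign-in host; verify through a known channel"


if __name__ == "__main__":
    for sample in ("https://accounts.google.com/signin",
                   "https://accounts.google.com.verify-now.example/",
                   "https://micros0ft-mfa-reset.example/",
                   "https://accounts.google.com@evil.example/"):
        print(sample, "->", check_scanned_url(sample))
```

Anything other than an exact match is a reason to stop and verify through a known channel, which is the habit the article recommends.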
Controls That Actually Help
Training is the front line here because the technical filters are weak against image-based attacks. Add quishing examples to your security awareness program so people recognize the pattern. Beyond awareness, a few controls reduce the damage.
Enforce phishing-resistant multi-factor authentication, such as authenticator apps or hardware keys, so that even a stolen password does not hand over an account. Make sure employees’ phones have basic protection and updated operating systems. Establish a simple, blame-free way for staff to report a suspicious code or email, because speed of reporting limits damage. And give people a verification habit: when an email pressures them to scan a code about an account or a payment, they should confirm through a known channel, like typing the company’s real website address themselves or calling a known number.
The Bottom Line
Quishing succeeds by exploiting a trained reflex and a gap in your tools. The link inspection you taught your team still matters, but it has to extend to links hidden inside QR codes. Add it to your training, lean on strong multi-factor authentication, and build a culture where scanning a code from an unexpected email feels as risky as clicking a stranger’s link, because it is exactly that.
The Physical-World Angle
Quishing is not only an email problem. Because QR codes live in the physical world, attackers have moved into it. The tactic is low-effort and effective: print a malicious QR code on a sticker and place it over a legitimate one. It has shown up on parking meters, restaurant tables, public charging stations, and event posters. The victim scans what looks like an official code and lands on a fake payment or login page.
If your business displays QR codes for customers, such as on a menu, a payment terminal, or a flyer, this becomes your problem too, because a tampered code damages your customers and your reputation. Check your customer-facing codes periodically for stickers placed over them, and consider printing codes in a way that is harder to overlay cleanly. Teach staff to glance at any code customers interact with and report anything that looks added on top.
What to Do If Someone Scanned a Malicious Code
Mistakes happen, and the response matters more than the blame. If an employee scans a code and realizes something is wrong, or worse, enters credentials on the resulting page, move quickly. Change the password for any account whose credentials may have been entered, and do it from a known-good device. If multi-factor authentication is in place, review recent sign-ins for anything unfamiliar and revoke active sessions.
Report the incident internally so others can be warned, since these attacks usually arrive in batches aimed at multiple staff. If financial accounts or payment details were involved, contact the bank or processor. The single biggest factor in limiting damage is speed, which is why a blame-free reporting culture pays off; people who fear punishment hide their mistakes until the damage is done. Make it easy and safe to say “I think I scanned something bad,” and you will hear about problems while you can still fix them.