
Executive Summary
- “Quishing”, or QR code phishing, creates a unique security gap by moving the attack from your organisation’s PC to your employee’s (often unprotected) smartphone.
- Because QR codes are images and not text, they frequently slip past standard email security filters that are only looking for malicious links or keywords.
- The rise in physical scams, such as fake parking meter stickers, alongside digital delivery scams, makes quishing an essential training topic for 2026 and beyond.
Introduction
By now, the vast majority of us would be able to spot a questionable email.
You can check the sender's email address, scan the email for spelling mistakes, or realise that it's unlikely the MD would send an urgent wire transfer request first thing on a Monday morning.
We’re getting quite good at spotting scams like this.
But cybercriminals are nothing if not adaptable. If they can’t trick you into clicking a link on your computer, they’ll try to get you to scan one with your phone.
Welcome to the age of the awkwardly named “quishing.”
That odd-sounding term stands for “QR Phishing”, but it’s no laughing matter. In fact, reports of quishing have only increased during 2025.
And, with the festive season upon us – meaning a flood of delivery notifications and party invites – it’s the perfect time for scammers to strike.
Humble QR code or Cyber Security nightmare?
To understand why quishing is such an effective vector for cyberattackers, you only need to look at the way most organisations protect themselves from cybercriminals.
Conventional measures, such as email filters, web filtering and endpoint protection, are good at scanning incoming email for malicious URLs and attachments and blocking the sites they point to. But a QR code attack breaks that chain in two important ways:
- It’s invisible to the filter. To a basic email scanner, a QR code is just an image, a picture of some black squares. Unless your email security actually decodes QR codes found in images and attachments (OCR reads printed text; a QR code needs a proper QR decoder, which only the more capable secure email gateways run), it won’t know that the picture contains a link to a fake Microsoft 365 login page. It just sees an image and lets it through. Even where a gateway does decode QR codes, attackers respond by hiding the code inside a PDF attachment or building it out of text characters, so the filter can never be your only line of defence.
- It moves the attack off-network. This is the part that’s actually quite clever. When your employee receives a QR code in an email with a message saying, “Scan to update 2FA settings,” it’s not their mouse that does the clicking. Instead, they reach for their phone. At that point they’ve left the protection of your corporate network and landed in much more dangerous territory: the phone is usually on mobile data, so your web filtering, DNS blocking and endpoint protection never see the request, and the page they land on is built for a small screen where the address bar is easy to overlook.
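To make the first point concrete, here is an added example (not code from the original article or from Get Support) that runs two constructed messages through a link-only check and through a message-shape heuristic. extract_urls() does what a basic link filter does and comes back empty for the quishing email, because its only "link" is inside an image. quishing_score() instead looks at the shape of the message: an image with no clickable link, plus MFA, urgency or "scan" wording. The QR image is a placeholder PNG header, since nothing here decodes it (that is exactly the gap being shown), and the threshold of 3 is an assumption for the demo rather than any vendor's setting.

```python
"""Heuristic triage for QR-code phishing ("quishing") in inbound mail.

Added example, not code from the original article or from Get Support.
extract_urls() is what a link-only filter does; quishing_score() looks at
the shape of the message instead. Both sample messages are constructed,
the QR image is a placeholder, and THRESHOLD is an assumed cut-off.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURES = {
    "mfa": re.compile(r"\b(mfa|2fa|multi-?factor|authenticat\w*)\b", re.I),
    "urgency": re.compile(r"\b(expire[sd]?|urgent\w*|today|immediately|suspend\w*)\b", re.I),
    "scan": re.compile(r"\bscan\b", re.I),
}
THRESHOLD = 3  # assumed cut-off for this demo

# Constructed placeholder: just the PNG magic bytes, no real QR code inside.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def build_message(subject, html, image=None):
    """Assemble a multipart message the way a gateway would receive it (constructed)."""
    msg = EmailMessage()
    msg["From"] = "IT Support <it-support@example.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html, subtype="html")
    if image is not None:
        msg.add_attachment(image, maintype="image", subtype="png", filename="qr.png")
    return msg.as_bytes()


QUISHING_EML = build_message(
    "Action required: your MFA expires today",
    "<p>Your multi-factor authentication has expired. Scan the attached "
    "QR code with your phone to re-authenticate before 5pm.</p>",
    image=FAKE_PNG,
)
NEWSLETTER_EML = build_message(
    "October staff newsletter",
    '<p>Read this month\'s update on <a href="https://intranet.example.com/news">'
    "the intranet</a>.</p>",
    image=FAKE_PNG,  # a logo: an image on its own is not the signal
)


def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def extract_urls(msg):
    """What a link-scanning filter sees: URLs in the text parts only."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls += URL_RE.findall(part.get_content())
    return urls


def visible_text(msg):
    """Subject plus body text with HTML tags stripped."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return " ".join(chunks)


def quishing_score(msg):
    """Return (score, reasons); score >= THRESHOLD means hold the message for review."""
    score, reasons = 0, []
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    if has_image and not extract_urls(msg):
        score += 2
        reasons.append("image present but no clickable link: why a picture instead of a link?")
    text = visible_text(msg)
    for name, rx in LURES.items():
        if has_image and rx.search(text):
            score += 1
            reasons.append(f"{name} wording alongside an image")
    return score, reasons


def is_quishing_candidate(raw):
    return quishing_score(parse(raw))[0] >= THRESHOLD


if __name__ == "__main__":
    for label, raw in (("quishing", QUISHING_EML), ("newsletter", NEWSLETTER_EML)):
        msg = parse(raw)
        print(label, "urls:", extract_urls(msg), "score:", quishing_score(msg))
```

In a real gateway the next step after a hit is to decode the image with a QR library and push the embedded URL through the same reputation and sandbox checks as an ordinary link; the heuristic above is the cheap filter that decides which messages deserve that extra work.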
What quishing looks like in the real world: 3 examples
As we head into 2026, the attacks are becoming more targeted and lean more on context-aware social engineering. But what does that look like in the real world?
Here are 3 examples of quishing attacks to be aware of over the winter:
- The “failed delivery” attempt. You’ll see this one a lot around the festive period. You get an email (or even a physical card through your office letterbox) claiming a parcel couldn’t be delivered. There’s a QR code to “reschedule delivery” that leads to a site which looks exactly like DPD or Royal Mail, asking for a small redelivery fee. They don’t really want the £1.50 charge – they just want the credit card details.
- The parking meter switch. In this scam, criminals print their own QR code stickers and stick them on top of the real payment codes on parking machines. When your staff park up for a client meeting and scan the code to pay via an app, they’re unwittingly handing their payment details straight to the bad guys.
- The “MFA update” panic. This is the most dangerous one for businesses. Users receive an email purportedly from their IT support team or Microsoft themselves, claiming that their Multi-Factor Authentication (MFA) has expired. It asks them to scan a QR code to re-authenticate, then leads to a perfect replica of the Microsoft login page. When the user types in their password, it’s game over. Many of these kits relay whatever is typed to the real Microsoft sign-in page in real time, so the MFA code is captured along with the password and the attacker walks away with a working session.
How to fight back
The trickiest thing about tackling quishing is that technology is only half the solution.
That’s because the attack usually plays out on the user’s phone, often outside your control as a business, so the best defence is the person holding it.
Here are some tips to avoid falling into a quishing trap in 2026:
- Train your team (again). Security awareness training usually focuses on clicking links and other “conventional” attack vectors. You’ll need to re-jig your training syllabus to include these newer attack types. Teach your staff to treat a QR code with the same suspicion as a random USB drive they found in the car park.
- Check the QR code preview. Most smartphones show a small preview of the URL when you hover the camera over a QR code. If the sticker says “Pay for Parking” but the URL is x7z-secure-payment.biz, it’s probably best not to tap it. Bear in mind that the preview may show a shortened link (bit.ly and the like) or only the start of a long address, so if you can’t tell where it really goes, don’t tap.
- Question the context. Microsoft will rarely, if ever, send you an email asking you to scan a QR code to log in. If you see a QR code in an email on your laptop, ask yourself: “Why can’t I just click a link?” If there’s no valid reason, it’s probably a trap.
- Consider mobile defence. If your team uses their personal phones for work, it might be time to look at Mobile Threat Defence (MTD) solutions. These can block malicious links on the device itself, regardless of whether they came from an email, a text, or a QR code.
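The “check the preview” advice can be turned into a repeatable check. The example below is added here and is not code from the original article or from Get Support; it inspects the address a QR code decodes to and lists the reasons it looks like a quishing destination. The brand list, shortener list, list of known-good domains and all sample URLs are constructed for the demo (the page’s own x7z-secure-payment.biz is included), and registrable_domain() is a rough stand-in for a Public Suffix List lookup, which a real tool would use instead.

```python
"""Inspect the destination a QR code decodes to before anyone taps it.

Added example, not from the original article or from Get Support. The
checks mirror the "look at the host in the camera preview" advice.
BRANDS, SHORTENERS, LEGIT_ROOTS and the sample URLs are constructed;
registrable_domain() is a crude stand-in for a Public Suffix List lookup.
"""
import ipaddress
from urllib.parse import urlsplit

BRANDS = ("microsoft", "office365", "royalmail", "dpd", "paypal")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de", "rb.gy"}
LEGIT_ROOTS = {"microsoft.com", "microsoftonline.com", "royalmail.com", "dpd.co.uk"}
LURE_WORDS = ("secure", "login", "signin", "verify", "auth", "account", "payment", "update")


def registrable_domain(host):
    """Last two labels, or three for co.uk-style suffixes (assumed approximation)."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url):
    """Return the reasons a decoded QR URL looks suspicious; an empty list means none found."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append(f"not https ({parts.scheme or 'no scheme'})")
    if not host:
        reasons.append("no host")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible homoglyph)")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    root = registrable_domain(host)
    for brand in BRANDS:
        # Brand name in the host but the domain actually belongs to someone else.
        if brand in host and root not in LEGIT_ROOTS:
            reasons.append(f"'{brand}' appears in the host but the domain is {root}")
    if parts.port not in (None, 443) and parts.scheme == "https":
        reasons.append(f"unusual port {parts.port}")
    if "@" in parts.netloc:
        reasons.append("userinfo before the host (classic obfuscation)")
    if root not in LEGIT_ROOTS and any(w in host + parts.path.lower() for w in LURE_WORDS):
        reasons.append("login/payment wording on an unrecognised domain")
    return reasons


# Constructed samples: one genuine sign-in address and several quishing-style ones.
SAMPLES = (
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "http://x7z-secure-payment.biz/pay",
    "https://microsoft-mfa-reset.com/login",
    "https://royalmail.com.parcel-fee.net/redelivery",
    "https://bit.ly/3abc",
    "http://192.168.1.10/verify",
)

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = inspect_url(sample)
        print(sample, "->", "; ".join(verdict) if verdict else "nothing flagged")
```

Two things the checks deliberately do not do: they never fetch the URL, so running them is safe, and they do not expand shorteners. A shortened link is reported as a reason on its own, because the whole point of the preview is to see the destination.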
Don’t wait until it happens to you
We refer to quishing as a silent threat because it sidesteps the usual security measures you have in place. But the damage it causes can be very real – and very expensive.
If you’re worried that your current email security setup is letting QR codes slip through the net, or if you want to run a phishing simulation to see how many of your staff would actually scan a rogue code, we can help.
Speak to your Get Support Customer Success Manager or call our friendly team on 01865 594 000.