How it works
A QR code appears in an email, poster, invoice, or parking meter. Because it is an image, security filters often miss the embedded URL, and the victim opens it on a phone, outside corporate protections, where the lookalike page does its work.
How it relates to brand impersonation
Quishing is a fast-growing delivery method for brand-impersonation phishing, especially against financial institutions. The destination is still a lookalike page that monitoring and takedowns can address.
How nebty helps
Our guide on QR phishing for financial institutions breaks down the threat, and nebty takes down the fraudulent destinations these codes point to.
Why QR codes slip past defences
A QR code is just an image, and that is the whole trick. Email security tools that scan for malicious links often do not read the URL hidden inside a picture, so a quishing message can sail through filters that would have blocked the same link in text. The code also moves the victim onto a personal phone, outside the corporate browser, endpoint protection, and proxy that might otherwise flag the destination. Physical placement adds another angle: a sticker over a real QR code on a poster, parking meter, or restaurant table sends people to a lookalike page they had every reason to trust. The defences are to treat an unexpected QR code like any unknown link, to preview the URL before opening it, and, for a brand, to take down the lookalike destinations these codes point at. Our QR phishing guide covers the threat in depth.
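One way to automate the "preview the URL before opening it" step for a brand is to triage text already decoded from a QR image. This is an added example, not nebty's code: the brand domain `examplebank.example`, the sample payloads, the verdict names and the edit-distance threshold of 2 are all assumptions, and the QR decoding itself is assumed to happen upstream.

```python
from urllib.parse import urlsplit

BRAND = "examplebank.example"  # constructed placeholder for the protected brand domain

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(payload, brand=BRAND):
    """Classify text already decoded from a QR image; returns (verdict, reason)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        user = (parts.username or "").lower()
    except ValueError:
        return ("review", "malformed URL")
    if parts.scheme not in ("http", "https") or not host:
        return ("review", "not a web URL (Wi-Fi, vCard, payment string, ...)")
    if host == brand or host.endswith("." + brand):
        return ("official", "host is the brand domain or a subdomain of it")
    name = brand.split(".")[0]          # assumed: first label is the brand name
    labels = host.split(".")
    if name in user:
        return ("lookalike", "brand appears before '@'; real host is " + host)
    if name in host:
        return ("lookalike", "brand name embedded in a foreign host")
    if any(edit_distance(label, name) <= 2 for label in labels):
        return ("lookalike", "near-miss spelling of the brand name")
    if any(label.startswith("xn--") for label in labels):
        return ("review", "punycode label; inspect the decoded form")
    return ("no-match", "no resemblance to the brand")

if __name__ == "__main__":
    samples = [  # constructed payloads, using reserved test domains only
        "https://online.examplebank.example/pay",
        "https://examp1ebank.test/login",
        "https://examplebank.example.secure-login.test/",
        "https://examplebank.example@pay.test/",
        "WIFI:S:Lobby;T:WPA;;",
    ]
    for s in samples:
        print(triage(s), s)
```

A `no-match` verdict only means the host does not resemble the brand; it says nothing about whether the destination is safe.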
See who is impersonating your brand
The free nebty report scans the web for lookalike domains and fake profiles targeting your brand, with no obligation.