Quishing Statistics 2026: 30+ Numbers That Show How Fast QR Phishing Is Growing

QR code phishing — quishing — is one of the fastest-growing classes of cyberattack. The numbers below are pulled from public 2025–2026 industry research by Keepnet Labs, Palo Alto Networks Unit 42, Cyble, NordVPN/CNBC, and Acronis. Every figure links back to its primary source. The picture is consistent: by every measure, quishing is now mainstream phishing.

Volume and growth

• 587% growth in 2023 — Keepnet Labs measured a 587% jump in quishing incidents in 2023, the largest year-over-year growth of any phishing technique that year (Keepnet Labs, 2026).
• ~5× increase from August to November 2025, with quishing emails climbing from roughly 46,000 to about 250,000 per month in tracked telemetry (Keepnet Labs, 2026).
• 11,000+ malicious QR codes detected per day on average — Palo Alto Unit 42's offline web crawlers find roughly 75,000 QR codes daily and 15% lead to malicious URLs (Palo Alto Networks Unit 42, 2026).
• Acronis observed the same August-to-November 2025 surge in its 2026 SEG-blind-spot analysis, attributing it to QR phishing's ability to bypass image-blind email filters (Acronis, 2026).

Share of phishing

The 2024 dip is widely attributed to a temporary detection-rate effect: email gateways shipped QR-aware OCR mid-year, which reduced what was logged. By 2025 attackers adapted with distorted and fragmented QR codes designed to defeat OCR (Help Net Security, 2026), and the share rebounded.

User behavior

• 73% of Americans scan QR codes without verifying them, per a NordVPN survey reported by CNBC in 2025; the same survey estimated more than 26 million people had been steered to malicious sites this way (CNBC, 2025).
• Nearly 80% of malicious QR-bearing PDFs in Cyble's “Scanception” campaign had zero VirusTotal detections at first sight, with the campaign affecting organizations across 50+ countries (Cyble, 2025).
• Quishing landing pages overwhelmingly live on newly registered or freshly stood-up infrastructure, which is why reputation engines often catch up only after the first wave (Acronis, 2026).

Where attacks happen

• Email remains the dominant delivery channel — Microsoft 365 password-expiry, HR/payroll, and shipping pretexts are the most common (Acronis, 2026).
• Public-space stickering over parking meters and pay stations remains a steady real-world vector. Austin and San Antonio both reported stickered meters pointing to a fraudulent “passportlab.xyz” site, prompting an FBI IC3 advisory (FOX 7 Austin, 2022).
• Printed mail with QR codes referencing IRS, USPS, DMV, or charity pretexts has grown noticeably in US and UK consumer-protection reporting (FTC Consumer Advice, 2023).

What this means for individuals and organizations

The data tells one consistent story: text-based email filters can no longer be the only line of defense, and the user's phone is now the most-attacked endpoint. The countermeasures that follow from this reality are not surprising — preview every URL, use phishing-resistant MFA, deploy a SEG that OCRs QR images (Microsoft Defender for Office 365, 2024, Mimecast, 2024), and train users specifically on QR-based pretexts. We cover those in detail in the complete quishing guide.

Frequently asked questions

How many quishing attacks happen per day?

Palo Alto Networks Unit 42 telemetry averages more than 11,000 detections of malicious QR codes per day. The true count is higher because many quishing emails slip past legacy filters and never trigger a detection.

What share of phishing emails use QR codes?

Per Keepnet Labs, QR-based phishing reached approximately 12% of all phishing attacks by 2025, up from 0.8% in 2021.

Are quishing detection rates improving?

Slowly. Microsoft Defender for Office 365 and Mimecast URL Protect both now extract URLs from QR images and pass them through reputation checks, but Cyble found nearly 80% of analyzed QR-bearing PDFs had zero VirusTotal detections at first sight, so first-wave attacks still get through.