
What Is Quishing? QR Code Phishing Explained in Plain English

Quishing is QR code phishing. An attacker hides a malicious link inside a QR code instead of putting it in plain text. When you scan, the URL opens — usually a fake login page that looks like a real service (Microsoft, your bank, USPS) — and the rest of the attack works exactly like classic phishing: stolen credentials, stolen money, account takeover.

The word: “quishing” = “QR” + “phishing.” Coined by security researchers around 2023, when QR-based attacks started growing fast enough to deserve their own label.

Quishing vs. classic phishing

The end goal is the same — trick a victim into handing over credentials, payment details, or installing malware. The difference is the delivery channel:

| | Classic phishing | Quishing |
| --- | --- | --- |
| Where the URL lives | Plain text in email or SMS | Encoded inside a QR code image |
| Email filter visibility | Easy to scan, rewrite, block | Often invisible to text-based filters |
| Device the victim uses | Whatever opens the link | Almost always a personal phone |
| Corporate controls in play | SEG, web proxy, EDR | Few — phone is off the corporate network |

Why it works

Quishing is effective because it exploits a structural blind spot. Email security gateways evolved around the assumption that URLs are text. They strip URLs, run them through reputation feeds, and rewrite dangerous ones. They do not, by default, OCR every embedded image — and even when they do, attackers use distorted, colorful, or fragmented QR codes that defeat OCR.

On top of that, scanning a QR forces the user onto a personal mobile device, which usually has weaker DNS filtering, no EDR, and no SSO conditional access policies. Palo Alto Unit 42 frames this as “phishing on the edge of the web and mobile” for that reason — every corporate control has already been bypassed by the time credentials are entered (Palo Alto Networks Unit 42, 2026).

Combine that with NordVPN's 2025 finding that 73% of Americans scan QR codes without verifying them (CNBC, 2025), and you have a very efficient attack. Cyble's 2025 “Scanception” campaign analysis showed how effective this can be — nearly 80% of the malicious QR-bearing PDFs they tracked had zero VirusTotal detections at first sight (Cyble, 2025).

What a quishing attack looks like

A typical 2026 quishing email reads something like this:

Subject: Action required — your password expires today

Hi [name],
Your Microsoft 365 account password is set to expire in 4 hours.
To keep your access, scan the secure code below with your phone and re-authenticate.

[QR code image]

IT Support

The QR points to a Microsoft 365 login clone hosted on a freshly registered domain. The user scans it and enters credentials and an MFA code, the attacker proxies both to Microsoft in real time, and the attacker is now logged in.
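A gateway-side view of the blind spot described under “Why it works”, run against the sample email above and against a classic text-link phish for contrast. This is an added example, not code from the original page; the addresses, the placeholder PNG bytes, the lure regex and the names `make_message` and `triage` are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Wording that asks the reader to scan something (heuristic assumed for this example).
LURE_RE = re.compile(r"\bscan\b[^.]{0,80}\b(?:qr|code)\b|\bqr code\b", re.I)
CARRIER_TYPES = {"application/pdf"}  # PDFs can carry QR images as well


def make_message(body, png=None):
    """Build a constructed message; addresses and PNG bytes are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Action required - your password expires today"
    msg["From"] = "it-support@example.invalid"
    msg.set_content(body)
    if png is not None:
        msg.add_attachment(png, maintype="image", subtype="png", filename="code.png")
    return msg


def triage(msg):
    """Report what a text-only URL filter sees and whether images need decoding."""
    urls, carriers, text = [], [], []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            content = part.get_content()
            text.append(content)
            urls += URL_RE.findall(content)
        elif part.get_content_maintype() == "image" or part.get_content_type() in CARRIER_TYPES:
            carriers.append(part.get_filename() or part.get_content_type())
    lure = bool(LURE_RE.search(" ".join(text)))
    return {
        "text_urls": urls,        # all a text-based filter can check
        "carriers": carriers,     # parts that could hold a QR code
        "scan_lure": lure,
        # Send to a QR decoder or an analyst when the link can only be in an image.
        "needs_image_decode": bool(carriers) and (lure or not urls),
    }


QUISH = make_message(
    "Your Microsoft 365 account password is set to expire in 4 hours.\n"
    "To keep your access, scan the secure code below with your phone "
    "and re-authenticate.\n",
    png=b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # placeholder bytes, not a real QR image
)
CLASSIC = make_message("Your password expires today: https://login.example.invalid/reset\n")
```

`triage(QUISH)` returns an empty `text_urls` list, so a reputation lookup has nothing to check, while `needs_image_decode` marks the message for QR decoding; `triage(CLASSIC)` exposes its URL directly.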

How to protect yourself

  • Always preview the URL before opening — both iOS Camera and Android Google Lens show it.
  • Run unfamiliar QR codes through Is This QR Safe? before opening.
  • Move to passkeys or hardware security keys; classic 6-digit MFA codes are routinely proxied by quishing kits.
  • Treat stickered or out-of-place QR codes as suspicious by default.

For the full playbook, see our complete quishing guide and how to check a QR code is safe.

Frequently asked questions

Is quishing a real word?
It is industry jargon coined by combining "QR" and "phishing." Security vendors and researchers adopted it around 2023 once QR phishing volume started doubling year over year, and it has stuck.
Is quishing only an email problem?
No. Email is the highest-volume channel, but quishing also appears on physical signage (parking meters, restaurant tables, mailers, billboards) and in printed letters that look like government correspondence.
Why do attackers use QR codes instead of links?
Two reasons. First, QR codes hide the URL from email security filters that scan text. Second, scanning forces the victim onto their phone, which usually has weaker security controls than a corporate laptop.

Sources

  1. Keepnet Labs. QR Code Phishing Statistics & Quishing Trends (2026).
  2. CNBC. "Quishing" scams dupe millions of Americans as cybercriminals turn the QR code bad (2025).
  3. Acronis. The Blind Spot in Your SEG: Why QR Code Phishing Is the New 2026 Battlefield (2026).
  4. Cyble. Scanception: A QRiosity-Driven Phishing Campaign (2025).
  5. Palo Alto Networks Unit 42. Phishing on the Edge of the Web and Mobile Using QR Codes (2026).
