
QR Code Phishing (“Quishing”) Trends and Defense Strategies for 2025

Explore 2025's rising QR code phishing (quishing) threats and learn key defense strategies to protect your organization.


In an era where convenience drives technology adoption, QR codes have found their way into everything from restaurant menus to secure logins. But as these codes become commonplace, cybercriminals have found a new opportunity: QR code phishing, or "quishing." This form of phishing attack is on the rise in 2025, catching many organizations off guard.

In this article, we'll explore what quishing is, how it's evolving, and what defense strategies your organization should implement. We'll also look at benchmark data, common vulnerabilities, and how tools like Your DMARC complement a layered email security strategy.


What Is Quishing and Why Is It Dangerous?

Quishing involves embedding malicious URLs into QR codes. When users scan the code with a mobile device, they’re taken to a phishing site designed to harvest credentials, download malware, or exploit browser vulnerabilities. Because QR codes are often perceived as secure and visually unassuming, users are more likely to trust and engage with them.

In 2025, attackers are embedding these malicious QR codes in:

  • Printed flyers and posters (e.g., job ads, parking tickets)

  • Emails with image-based QR codes to bypass filters

  • Phishing pages disguised as secure login portals

  • SMS and messaging apps ("smishing" combined with quishing)


2025 Quishing Benchmarks: What We’re Seeing

Data collected from simulated phishing campaigns and incident response logs in 2025 shows:

Metric                      Benchmark Range (2025)
Scan Rate                   10% - 18%
Click-Through (Post-Scan)   7% - 14%
Credential Submission       2% - 5%
Reporting Rate              25% - 35%
Mobile Usage                > 85% (for scanned attacks)

The higher scan and click rates compared to traditional email phishing reflect the novelty and trust users place in QR codes.


Why Are QR Code Phishing Attacks Harder to Detect?

  1. Bypass Email Filters: Many email security systems can’t parse QR code images or decode embedded URLs.

  2. Mobile Behavior: Users scanning QR codes often do so on their phones, outside of company-monitored environments.

  3. Visual Trust: QR codes look generic. Users rarely inspect the destination URL after scanning.

  4. No Context: A user might scan a code in a parking lot or on a flyer—completely detached from the security awareness context of their workplace.


Common Attack Types in 2025

  • Fake MFA Prompts: Users are prompted to scan a QR code to verify their identity, which leads to a credential phishing site.

  • Malicious Job Applications: Fake resumes or event posters with QR codes that redirect to malware.

  • Vendor Invoice Scams: PDF invoices with embedded QR codes requesting payment or login.

  • Physical QR Code Tampering: Real-world codes (e.g., restaurant menus or parking meters) replaced with malicious stickers.


Key Vulnerable Industries

  • Manufacturing: Vendors receive QR-based phishing in invoices.

  • Retail: QR codes used in marketing campaigns and receipts.

  • Healthcare: Patient portals accessed via QR codes.

  • Education: Event check-ins and mobile learning materials.

  • Government: Public service kiosks and notices.


Defense Strategies for Organizations in 2025

1. User Awareness & Training

  • Teach users to inspect URLs after scanning.

  • Run QR-based phishing simulations.

  • Train employees to report unfamiliar or suspicious QR codes.

2. Email Security Filters

  • Use OCR and QR code scanners in secure email gateways.

  • Block emails containing QR code images by policy unless scanned and verified.

3. Mobile Device Management (MDM)

  • Implement browser restrictions and anti-phishing tools on mobile devices.

  • Prevent auto-login or autofill on mobile browsers.

4. Monitor Physical Spaces

  • Regularly inspect public QR codes in offices, parking lots, and reception areas.

  • Use tamper-proof signage.

5. Authentication Best Practices

  • Mandate Multi-Factor Authentication (MFA).

  • Use phishing-resistant authentication methods like FIDO2 keys.

6. Integrate with DMARC and Domain Monitoring

  • Use Your DMARC to monitor spoofed domain usage.

  • Combine reporting data with phishing incidents tied to quishing attempts.
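Strategy 2 above depends on the gateway decoding the QR image and then judging the URL it contains. The following added example (not Your DMARC's code, nor any gateway vendor's) shows that second step, the payload triage, in isolation: it assumes the QR payload has already been decoded from the image by the gateway, and the trusted domain, brand token and sample payloads are constructed placeholders. It goes slightly beyond the text by also catching the userinfo trick ("https://brand.com@other-host/") and IP-literal hosts, which a plain domain allowlist would miss.

```python
"""Triage decoded QR payloads from inbound mail before delivery.

Added example, not Your DMARC's code. It assumes the secure email gateway
has already rendered image attachments and decoded any QR codes into text;
this module only scores the decoded payload. All domains below are
constructed placeholders.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import ipaddress

TRUSTED_DOMAINS = {"example.com"}            # assumed organisation domains (constructed)
BRAND_TOKENS = {"example"}                    # brand strings attackers imitate (constructed)
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
CREDENTIAL_HINTS = ("login", "signin", "verify", "mfa", "password", "sso", "auth")


@dataclass
class Verdict:
    payload: str
    action: str                      # "allow", "review" or "block"
    reasons: list = field(default_factory=list)


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_lookalike(host: str) -> bool:
    # Fold common digit-for-letter substitutions (0->o, 1->l, 3->e) before matching.
    folded = host.translate(str.maketrans("013", "ole"))
    return any(token in folded for token in BRAND_TOKENS) and not _is_trusted(host)


def triage_qr_payload(payload: str) -> Verdict:
    """Score one decoded QR payload and decide how the gateway should treat it."""
    verdict = Verdict(payload=payload, action="review")
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        # Wi-Fi configs, vCards, otpauth URIs etc. are not web links; hand them to an analyst.
        verdict.reasons.append(f"non-web payload scheme '{scheme or 'none'}'")
        return verdict

    host = (parts.hostname or "").lower()
    if not host:
        verdict.action = "block"
        verdict.reasons.append("URL without a host")
        return verdict

    # "https://example.com@evil.net/" displays the brand but resolves to evil.net.
    if "@" in parts.netloc:
        verdict.action = "block"
        verdict.reasons.append("userinfo in authority (host spoofing)")
        return verdict

    if _is_trusted(host):
        if scheme == "https":
            verdict.action = "allow"
            verdict.reasons.append("trusted organisation domain over HTTPS")
        else:
            verdict.reasons.append("trusted domain but plain HTTP")
        return verdict

    if _is_ip_literal(host):
        verdict.action = "block"
        verdict.reasons.append("IP-literal host")
        return verdict

    if _is_lookalike(host):
        verdict.action = "block"
        verdict.reasons.append("lookalike of trusted brand")
        return verdict

    if host in SHORTENER_DOMAINS:
        verdict.reasons.append("link shortener hides destination")
        return verdict

    path_and_query = (parts.path + "?" + parts.query).lower()
    if any(hint in path_and_query for hint in CREDENTIAL_HINTS):
        # Matches the article's default-deny policy for unverified QR links.
        verdict.action = "block"
        verdict.reasons.append("external domain with credential-harvesting path")
        return verdict

    verdict.reasons.append("unknown external domain")
    return verdict


# Constructed sample payloads as a gateway decoder might emit them.
SAMPLE_PAYLOADS = [
    "https://login.example.com/sso",                  # legitimate
    "https://example-com.verify-identity.net/mfa",    # lookalike
    "https://example.com@198.51.100.7/login",         # userinfo spoof
    "http://203.0.113.9/invoice",                     # IP literal
    "https://bit.ly/3abcXYZ",                         # shortener
    "https://vendor-portal.net/pay/invoice/4471",     # unknown external
    "WIFI:T:WPA;S:GuestNet;P:secret;;",               # non-web payload
]


def triage_batch(payloads=SAMPLE_PAYLOADS) -> dict:
    return {p: triage_qr_payload(p).action for p in payloads}


if __name__ == "__main__":
    for payload, action in triage_batch().items():
        print(f"{action:7} {payload}")
```

The "review" outcome is where the article's "block unless scanned and verified" policy lands: the message is held for an analyst rather than delivered, while trusted HTTPS links pass and clear spoofing patterns are dropped outright.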


How Your DMARC Helps in the Fight Against Quishing

While DMARC itself can’t stop a user from scanning a malicious QR code, it plays a vital role in:

  • Preventing domain spoofing in emails containing QR codes.

  • Alerting your team to unauthorized senders using your brand in phishing campaigns.

  • Giving context to phishing simulation reports by correlating with real attacks.

Use Your DMARC’s dashboards to:

  • Track spikes in unauthorized senders.

  • Monitor sources embedding QR code images.

  • Set up alerts when QR-based phishing is detected in your domain ecosystem.
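"Unauthorized senders" in the section above means source IPs in your DMARC aggregate (RUA) reports whose mail fails both aligned DKIM and aligned SPF while claiming your domain in the From header. The added example below (not Your DMARC's code; the dashboard does this parsing for you) reads one constructed aggregate report in the standard RFC 7489 feedback format, totals volume per failing source, and applies a simple spike rule against a daily baseline. The domain, IPs, counts and report id are placeholders.

```python
"""Summarise a DMARC aggregate (RUA) report to surface unauthorised senders.

Added example, not Your DMARC's code or data. SAMPLE_RUA_REPORT is a
constructed report in the RFC 7489 feedback XML format; the domain, source
IPs, counts and report id are documentation placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_RUA_REPORT = """
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1735689600</begin><end>1735775999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>quarantine</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip>
      <count>12</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_rua(xml_text: str) -> dict:
    """Split report volume into DMARC-aligned and unauthorised sources."""
    root = ET.fromstring(xml_text)
    aligned = defaultdict(int)
    unauthorised = defaultdict(int)
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        # DMARC passes when either aligned DKIM or aligned SPF passes;
        # both failing means the sender is not authorised for the domain.
        if dkim == "pass" or spf == "pass":
            aligned[ip] += count
        else:
            unauthorised[ip] += count
    total = sum(aligned.values()) + sum(unauthorised.values())
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "failing_share": round(sum(unauthorised.values()) / total, 3) if total else 0.0,
        # Highest-volume unauthorised sources first: these are the spoofers to chase.
        "unauthorised": dict(sorted(unauthorised.items(), key=lambda kv: -kv[1])),
        "aligned": dict(aligned),
    }


def spike_detected(summary: dict, baseline_failing: int, factor: float = 3.0) -> bool:
    """Alert when unauthorised volume exceeds the recent daily baseline by `factor`."""
    failing = sum(summary["unauthorised"].values())
    return failing > max(1, baseline_failing) * factor


if __name__ == "__main__":
    summary = summarise_rua(SAMPLE_RUA_REPORT)
    print(summary)
    print("spike:", spike_detected(summary, baseline_failing=10))
```

Correlating the failing source IPs and the report's date range with the timestamps of reported QR-code emails is what turns the raw report into the "context" the section describes.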


Simulating QR-Based Attacks Internally

To truly prepare your organization, simulate QR-based phishing internally:

  • Send printed flyers or internal announcements with benign QR codes leading to an awareness landing page.

  • Use click tracking to measure engagement and credential submission rates.

  • Offer instant feedback and optional microlearning.

This builds realistic muscle memory—something that traditional simulations may miss.
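The click-tracking step above produces an event log; the added example below (not Your DMARC's code) turns such a log into the four rates used in the benchmark table earlier in this article and flags which ones fall outside the 2025 ranges. It assumes the awareness landing page logs one event per request keyed by a per-recipient token and that reports arrive from a phishing-report mailbox; the events and recipient count are constructed.

```python
"""Compute the quishing simulation funnel from a landing-page tracking log.

Added example, not Your DMARC's code. Assumes each simulation recipient has
a unique token baked into the QR URL, the landing page logs (token, event)
pairs, and "report" events are matched from the phishing-report mailbox.
The events below are constructed.
"""
from collections import defaultdict

STAGES = ("scan", "click", "submit", "report")
# Benchmark ranges (percent of recipients) from the article's 2025 table.
BENCHMARK_2025 = {"scan": (10, 18), "click": (7, 14), "submit": (2, 5), "report": (25, 35)}

RECIPIENTS = 25   # constructed: number of people who received the flyer
EVENTS = [        # constructed (token, event) pairs
    ("u01", "scan"), ("u01", "click"), ("u01", "submit"),
    ("u02", "scan"), ("u02", "click"),
    ("u03", "scan"), ("u03", "scan"),            # duplicate scans count once
    ("u04", "scan"), ("u04", "report"),
    ("u05", "report"), ("u06", "report"), ("u07", "report"),
    ("u08", "report"), ("u09", "report"),
]


def funnel_rates(events, recipients: int) -> dict:
    """Percent of recipients reaching each stage, counting each person once per stage."""
    seen = defaultdict(set)
    for token, event in events:
        if event in STAGES:
            seen[event].add(token)
    return {stage: round(100 * len(seen[stage]) / recipients, 1) for stage in STAGES}


def compare_to_benchmark(rates: dict, benchmark=BENCHMARK_2025) -> dict:
    """Label each stage 'below', 'within' or 'above' its benchmark range."""
    verdicts = {}
    for stage, (low, high) in benchmark.items():
        value = rates[stage]
        verdicts[stage] = "below" if value < low else "above" if value > high else "within"
    return verdicts


if __name__ == "__main__":
    rates = funnel_rates(EVENTS, RECIPIENTS)
    for stage, verdict in compare_to_benchmark(rates).items():
        print(f"{stage:7} {rates[stage]:5.1f}%  {verdict}")
```

For the reporting rate, "below" is the result to act on: a reporting rate under the benchmark means the feedback loop the simulation is meant to build has not formed yet, whatever the scan rate says.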


Future of Quishing: What to Expect

  • AI-Enhanced QR Attacks: Dynamically generated landing pages tailored to victims.

  • Deepfakes + QR Codes: Fake video instructions telling users to scan.

  • Integration with IoT: Smart displays or kiosks delivering malicious codes.

  • Malware-as-a-QR-Service: Paid services offering phishing kits with dynamic QR deployment.


Conclusion: Awareness + Authentication = Protection

QR code phishing is no longer a fringe tactic—it’s a mainstream threat. In 2025, protecting your organization requires a blend of education, technical controls, and domain monitoring.

Phishing doesn’t always come as an email. Sometimes, it’s disguised in a square black-and-white code stuck to a wall, printed on an invoice, or sent through a chat message. Be ready.

With proactive simulation, mobile security policies, and the support of tools like Your DMARC, your team can stay a step ahead of quishing attacks.

Don’t just scan and go. Stop. Look. Think. Report.
