← Blog

Quishing: the QR code scam hiding in plain sight

Tenant Strike4 min read

QR codes are everywhere now, and we scan them without a second thought. Attackers turned that habit into an attack — sometimes with nothing more than a sticker. Here is how QR code scams work.

QR codes went from novelty to everywhere in just a few years. We scan them on restaurant menus, parking meters, posters, packages, and invoices, usually without a moment's thought. That reflex — point, scan, trust — is exactly what attackers turned into a technique. It's sometimes called quishing, short for QR code phishing, and one of its versions requires no hacking at all. Just a sticker.

Why a QR code is the perfect disguise

A QR code is unreadable to humans. You can't glance at one and tell where it leads, the way you might squint at a suspicious web address. You have to scan it to find out — and by then you're already on the page. That opacity is the whole appeal for an attacker. A malicious link wrapped in a QR code looks identical to a legitimate one.

QR scams also tend to move you onto your phone, which is often less protected than a work computer and where small screens make fake login pages more convincing. And many of them sidestep email filters entirely, because the dangerous part isn't text in an inbox — it's a square printed on paper or embedded in an image.

The forms it takes

  • The sticker swap. An attacker prints a QR code that points to their own page and sticks it over a legitimate one — on a parking meter, a poster, a payment terminal. You scan what you think is the real code and land on a fake payment or login page.
  • The QR in an email. Since filters scan text and links but often ignore images, attackers put the phishing link inside a QR code image. The email says "scan to verify your account," moving the victim to a phone to complete the trick.
  • The fake invoice or document. A QR code on what looks like a bill, a delivery notice, or a "secure document" that leads to a credential-harvesting page.
  • The too-good offer. A code promising a discount, a prize, or free Wi-Fi that instead installs something or steals a login.

For a business, the risk is the same as any phishing: an employee scans, lands on a page that looks like a Microsoft or bank login, enters their credentials, and hands them over.

How to scan safely

You don't need to swear off QR codes. You need a short pause before you act on where one takes you.

  1. Check the link before you go. Most phone cameras show the web address a QR code points to before opening it. Read it. If it's a shortened link, an odd domain, or anything that doesn't match where you expected to land, stop.
  2. Be suspicious of stickers. If a QR code looks like it was added on top of something — a slightly crooked sticker on a sign or terminal — don't scan it. Pay or access services through the official app or a typed-in address instead.
  3. Never enter a password on a page you reached by scanning. If a scanned code asks you to log in to a work or financial account, close it and go to that service directly. Legitimate codes rarely need you to sign in to something sensitive.
  4. Treat "scan this to verify" emails as phishing. Real account-verification almost never depends on scanning a code with a second device.

The instinct to teach your team is simple: a QR code is just a link you can't read, so give it the same suspicion you'd give a link you can read.

When a scan goes wrong

If someone scanned a code and entered a work password, treat it like any credential slip: change the password right away, sign the account out everywhere, and confirm multi-factor authentication is on so the stolen password isn't enough on its own.

That containment layer is worth checking before you ever need it. Tenant Strike connects to your Microsoft 365 in read-only mode and verifies the settings that decide whether a handed-over password becomes a real problem — multi-factor authentication enforced, no quiet forwarding rules, no over-broad app approvals. Five minutes, no changes, and a clear list of what to firm up.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.