QR code phishing bypasses email security gateways entirely. Here's how quishing attacks work, why they're surging in Indian enterprises, and how to train employees to spot them.
India's rapid adoption of QR codes for payments has created an unexpected security problem: employees have been trained to scan QR codes without thinking. Attackers are exploiting this with quishing — QR code phishing.
How QR Code Phishing Works
- 1Attacker embeds a malicious URL inside a QR code
- 2The QR code is delivered via email (as an image), printed sticker in the office, or physical flyer
- 3Employee scans with their phone — bypassing all endpoint security on their laptop
- 4Phone browser opens a credential-harvesting page
Why Quishing Bypasses Your Defenses
- Email security gateways scan URLs and attachments — not images containing embedded URLs
- Scanning happens on personal phones, outside corporate MDM and endpoint security
- Mobile browsers show abbreviated URLs — the full malicious domain is often hidden
Real-world quishing in India
Fake parking payment QR codes stuck over legitimate ones, redirecting to UPI credential pages. Fake 'WiFi registration' QR codes in office lobbies harvesting corporate credentials.
Employee Training: What to Look For
- Always check the URL preview before proceeding after scanning
- Be suspicious of QR codes in emails asking you to 'scan to verify' something
- Never scan QR codes on physical stickers placed over existing codes
76%Scan rate on first QR phishing simulation
3×Higher click rate vs email phishing
89%Reduction after one QR simulation cycle
QR code phishingquishingQR phishingmobile security
A
Written by
Arjun Mehta
Security Researcher at PhishShield
