July 2026
 

Did you know you can't trust all QR codes?

Before scanning a QR code, read this.

The adoption of QR codes has become massive in recent years, driven by the digitalisation of services, the standardisation of digital payments and the demand for contactless experiences. This convenience has turned the QR code into an everyday item and, therefore, a vector increasingly exploited by attackers.

This gives rise to quishing, a variant of phishing that uses malicious QR codes to redirect users to fraudulent websites, with the aim of stealing credentials, collecting sensitive data or distributing malware.


Unlike traditional phishing, quishing removes one of the main user defence barriers, which is the ability to see the link before clicking. The destination is hidden within the QR code, which significantly reduces risk perception and facilitates manipulation through social engineering.

This type of attack has been gaining traction in multiple contexts, from email campaigns to physical scenarios. Cases have already been identified in which legitimate QR codes were replaced by fraudulent versions in parking meters, restaurants, events and promotional materials, leading victims to highly convincing fake pages.

From a security standpoint, the impact is significant. Malicious QR codes can often bypass traditional security controls, including email filters and some web protection solutions, especially when access occurs via mobile devices.

According to the Microsoft Threat Intelligence Email Threat Landscape Q1 2026 report, quishing recorded an increase of 146% in a single quarter, from 7.6 million attacks in January to 18.7 million in March 2026, becoming the fastest-growing email attack vector.

Quishing is part of a broader framework of expanding social engineering techniques: the Microsoft Digital Defence Report 2025 identified phishing in all its variants as responsible for 28% of intrusions investigated that year.

In a scenario where the attack surface is expanding and users interact daily with QR codes without prior validation, prevention is no longer solely technical but also behavioural.

How to protect yourself:

  • Confirm the source of the QR code before scanning it
  • Avoid entering credentials or sensitive data after accessing via a QR code
  • Use tools that allow you to preview the URL before opening it
  • Be wary of QR codes received via email, SMS or unsolicited messages
  • Ensure devices and applications are kept up to date
  • Reinforce continuous training in social engineering and phishing awareness
  • Implement security solutions that analyse links generated by QR codes
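As an added illustration of the URL preview and link analysis points above (example code written for this page, not a Devoteam tool), the following Python sketch inspects the text already decoded from a QR code and reports where it leads without opening it. The warning labels and sample payloads are constructed for the example, and decoding the QR image itself is assumed to happen elsewhere.

```python
import ipaddress
from urllib.parse import urlsplit


def preview_qr_payload(payload: str) -> dict:
    """Describe where a decoded QR payload leads, without opening it.

    Warning labels are constructed for this example, not a standard taxonomy.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return {"scheme": None, "host": None, "warnings": ["unparseable"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry SMS, Wi-Fi, tel: or app deep-link payloads.
        return {"scheme": scheme, "host": None, "warnings": ["not-a-web-link"]}

    host = parts.hostname or ""
    warnings = []
    if not host:
        warnings.append("missing-host")
    if scheme == "http":
        warnings.append("no-tls")
    if parts.username or parts.password:
        # "https://bank.example@other.test/" really goes to other.test
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass  # a name, not an IP address
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("idn-host")  # possible look-alike characters
    try:
        if parts.port not in (None, 80, 443):
            warnings.append("non-standard-port")
    except ValueError:
        warnings.append("invalid-port")
    return {"scheme": scheme, "host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://example.com/menu",
                   "http://user@203.0.113.7:8080/login",
                   "https://xn--pple-43d.example/pay",
                   "smsto:+10000000000:hello"):
        print(sample, "->", preview_qr_payload(sample))
```

An empty warning list only means none of these structural signs were present; the displayed host still has to match the organisation the QR code claims to come from.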

Think before you scan. One second of validation can prevent a security incident.

 
