Quishing is phishing delivered through a QR code that hides the final destination from casual inspection. It is effective because the user scans an image rather than clicking a visible link, which weakens traditional email filtering and makes destination validation a separate control problem.
Expanded Definition
Quishing is a phishing variant that uses a QR code as the delivery mechanism for a malicious or deceptive destination. The QR image itself can be embedded in email, printed material, posters, invoices, or packaging, which shifts the trust decision away from a visible hyperlink and toward whatever device opens the code. That distinction matters: security controls that inspect text URLs, block suspicious domains, or rewrite links may not fully address a QR-based lure because the user often sees only an image until scanning.
Within cybersecurity operations, quishing is best understood as a social engineering technique that exploits the gap between message transport and destination verification. The risk is not the QR code alone, but the workflow it enables: a user scans, the mobile browser opens, and the attacker lands the victim on a credential harvest page, malware download, or payment diversion site. Guidance varies across vendors on how to classify the technique, but no single standard governs quishing as a standalone category yet. The most common misapplication is treating it as ordinary phishing only, which occurs when teams rely on email URL inspection without validating QR-rendered destinations.
Examples and Use Cases
Implementing defenses against quishing rigorously often introduces user friction and additional verification steps, requiring organisations to weigh convenience against destination assurance.
- A finance employee receives an invoice with a QR code that points to a lookalike payment portal, and the mobile login page captures credentials before traditional email filters flag anything.
- A workplace poster advertises a benefits portal via QR code, but the code resolves to a malicious site that collects personal data after the scan. This kind of workflow illustrates why destination validation needs its own control path, as reflected in the NIST Cybersecurity Framework 2.0.
- A package label includes a QR code for tracking support, yet the code is swapped during transit or re-labeling and sends the recipient to a credential harvesting page.
- A helpdesk email uses a QR code to accelerate mobile sign-in, but the code redirects to an attacker-controlled domain that mimics the organisation's identity provider.
- A public event ticket uses a QR code that leads to a fake refund page, where the attacker collects card data and authentication codes in a single interaction.
Why It Matters for Security Teams
Quishing matters because it exploits a visibility gap in user trust and technical inspection. Security teams that rely on link rewriting, URL reputation, or desktop browser protections may miss the attack path when the real destination is hidden behind a scan action on a mobile device. That makes quishing especially relevant to identity security, because the final target is often a login page, token prompt, or payment workflow where stolen credentials can be reused immediately.
From a governance perspective, teams should treat QR-code workflows as a distinct user journey with its own validation, logging, and awareness requirements. The operational answer is not simply to ban QR codes, but to control how they are issued, where they point, and how users verify the destination before authenticating. Mobile access, contractor onboarding, event access, and supply-chain communications are common pressure points, so the attack surface is broader than email alone. Organisations typically encounter the impact only after credentials are reused, fraudulent payments clear, or a support queue fills with users who scanned a malicious code, at which point quishing becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST AI RMF and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AT-1 | Awareness and training help users recognise QR-based social engineering attempts. |
| NIST AI RMF | AI-assisted phishing detection and governance apply where quishing is part of broader social engineering. | |
| NIST SP 800-63 | AAL2 | Credential assurance matters when QR scans lead to authentication flows. |
Use AI risk governance to assess QR-lure detection and response workflows.
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org