
What is quishing?

Quishing is phishing that uses a QR code to send someone to a fake or malicious website.

Simple example

A printed notice or email attachment contains a QR code that claims to open a payment page, but it leads to a fake login site.

Why it matters

QR codes can hide the real destination, making it harder for users to judge whether a link is safe.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in its business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Be cautious with QR codes from unexpected sources.
  • Use official websites or apps instead of scanning unknown codes.
  • Train staff not to scan QR codes in suspicious emails or posters.
  • Use mobile security and MFA where possible.
  • Verify payment or login requests through trusted channels.
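
One technical control that supports these steps is to show where a QR code really leads before anyone opens it. The Python sketch below is an added example, not part of the original page: it takes the text a scanner has already decoded from a QR code and reports the true destination host plus any warnings. The function name, the official-domain list, and the sample payloads are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the business treats as official (constructed placeholders).
OFFICIAL_DOMAINS = {"example.com"}

def check_qr_payload(payload, official=OFFICIAL_DOMAINS):
    """Return (host, warnings) for the text decoded from a QR code."""
    warnings = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "", ["payload is not a parseable URL"]
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if not host:
        return host, warnings + ["no host in payload"]
    # In "https://trusted-name@other-host/", the browser goes to other-host.
    if parts.username is not None:
        warnings.append("text before '@' is not the destination; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (possible look-alike characters)")
    # Match the domain itself or a true subdomain, never a mere substring.
    if not any(host == d or host.endswith("." + d) for d in official):
        warnings.append("host is not on the official-domain list")
    return host, warnings

if __name__ == "__main__":
    # Constructed sample payloads, as a QR scanner library would return them.
    samples = [
        "https://pay.example.com/invoice/123",
        "https://pay.example.com@login.example.net/pay",
        "http://203.0.113.10/login",
        "https://example.com.evil.test/",
    ]
    for s in samples:
        host, warns = check_qr_payload(s)
        print(f"{s}\n  destination: {host or '(none)'}")
        for w in warns or ["no warnings"]:
            print(f"  - {w}")
```

A clean result only means the destination is on the list; payment and login requests should still be verified through trusted channels.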

Reactive steps

  • Stop using the page if it looks suspicious.
  • If credentials were entered, change them from the real site.
  • Review account activity and MFA settings.
  • Preserve the QR code image, email, or poster if possible.
  • Warn other staff if the code may affect them too.

Related terms

  • Phishing
  • Smishing
  • Credential theft