Cybercriminals are constantly evolving their techniques to stay ahead of traditional security defenses, and one tactic that has been gaining momentum over the last few years is QR code phishing—also known as “quishing.” This attack method takes advantage of how QR codes are used in everyday life, tricking users into scanning codes within emails that lead to credential theft, malware, or other forms of compromise.

‍

QR Code Phishing: How It Works

QR phishing (quishing) is a cybercrime that leverages QR codes to deliver malicious payloads or redirect users to fraudulent websites. As QR codes become a standard part of daily interactions — from restaurant menus to digital payments — users are conditioned to scan them without hesitation. This growing familiarity makes QR codes an effective delivery mechanism for phishing campaigns.

‍

Most Common Types of Quishing

There are two main types of QR codes used today:

• Static QR codes, which permanently encode information like URLs or contact details.
• Dynamic QR codes, which point to a remote server where the actual content can be updated without changing the code's visual representation.

While dynamic codes offer convenience for legitimate purposes, they also provide attackers with flexibility to redirect users to harmful destinations after the QR code has already been distributed.

In a typical quishing attack, a malicious QR code is embedded into an email—either directly in the message body or within a PDF or image attachment. When the recipient scans the code, they may be redirected to a spoofed login page designed to harvest credentials or to a site that initiates an automatic malware download.

Because QR codes are visual and don’t reveal their underlying content, users can’t easily verify where a code leads before scanning. Worse, they often use their personal mobile phones to scan the codes, which are outside the scope of enterprise security monitoring and controls.

‍

Why Quishing Is a Growing Risk in Cybersecurity

Quishing presents a unique challenge to organizations because it evades the traditional safeguards that email security and endpoint protection solutions rely on. Most security tools are designed to analyze text-based URLs, file attachments, or scripts.   QR codes, as image-based objects, can slip past these detection mechanisms entirely.

Quishing emails are just as effective as traditional phishing, yet they are harder to detect.

• High phishing efficacy: According to a 2025 study analyzing over 71,000 phishing emails, quishing emails are just as effective as traditional phishing at drawing users to malicious landing pages—yet they are far harder to detect, even for advanced operational tools;
• Widespread use in attacks: QR codes now appear in roughly 22% of all phishing campaigns and nearly 2% of scanned QR codes were found to be malicious in a recent analysis.

Together, these trends highlight a major gap in current security operations: phishing vectors that rely on visual payloads rather than machine-readable text are slipping past detection systems undetected.

‍

How Qevlar Eye Addresses Quishing

At Qevlar, our mission is to close investigation gaps through automation, speed, and comprehensive visibility. We recognized early on that QR code-based phishing posed a unique challenge not just for detection—but for triage, analysis, and attribution within an investigation.

To address this, we’ve updated Qevlar Eye, our internally developed threat intelligence platform, to detect and analyze QR codes across multiple delivery formats.

Qevlar Eye now automatically:

• Detects QR codes embedded in the body of emails, attached image files, and documents like PDFs
• Extracts and decodes the QR code content—typically URLs, file download links, or dynamic redirection instructions
• Investigates the payloads using the same deep pipeline applied to other observables: URL analysis, sandboxing, threat reputation checks, and cross-correlation with other signals in the investigation

What sets Qevlar Eye apart is that it doesn’t just extract and scan QR code data—it interprets the findings in context. If the QR-linked domain overlaps with findings and context derived from the investigation it is part of, Qevlar Eye will classify the finding accordingly—whether it's clearly malicious or requires further corroboration.

All of this happens in real time and without any human intervention. Analysts receive a comprehensive, investigated summary, and breakdown of investigation steps and key findings;  what content did Qevlar Eye detect on the URL within the QR code and it’s rational for classification as malicious or not. This reduces the risk of QR code threats slipping through existing security product that aren’t able to detect and investigate QR codes, and removes the need for a human analyst to find and investigate the manually.

‍

Bottom Line

With this update, Qevlar AI  strengthens its position as a comprehensive, autonomous investigation platform built for modern threat tactics. QR code-based phishing is just one of many techniques that attackers now use to exploit weaknesses in both technology and human behavior. By proactively closing this gap, we’re giving SOC teams the ability to detect more, respond faster, and trust the investigation process end-to-end.