Quishing (QR Code Phishing) – How to Recognize It and Stop QR-Based Attacks

Quishing is no longer just an email problem. Attacks are shifting the “click” to QR codes, postal mail, and smartphones. That changes what effective security awareness must cover.

QR codes are becoming the new phishing standard

QR codes are considered convenient because they “only” need to be scanned. That very convenience is increasingly being exploited as an entry point. The key difference from classic phishing is not the look and feel, but the channel shift. The scan often happens on a smartphone, while security controls on the corporate endpoint and in email gateways are bypassed.

A recent note in the FBI/IC3 flash on Quishing describes this mechanism explicitly. Attackers embed a malicious URL in a QR code, force a switch from the corporate device to a mobile device, and thereby circumvent common email protection mechanisms. Particularly relevant is that quishing campaigns often lead to credential harvesting and then to session token theft, enabling identity takeover in cloud environments.

When “support mail” arrives, it’s no longer an edge case

Awareness programs are often optimized for email. That makes sense, but it is now incomplete. In practice, there are increasing scenarios where physical letters, printed notices, or inserts in packages provide the initial foothold. The typical pattern is a staged narrative with urgency, an alleged required action, and a QR code positioned as the “fastest way” to resolve the issue.

Wallet manufacturers now explicitly warn that they do not request seed phrases or backups and that postal contact should also be treated as an indicator of fraud. In the Ledger guidance on ongoing phishing campaigns, it is emphasized that the recovery phrase must never be shared or entered anywhere and should only ever be used directly on the device. The Trezor guide on scams and phishing is equally clear: unsolicited contact via messenger, phone, and even postal mail should be treated as phishing.

Why finance, executives, and wallet users are especially affected

Attackers care about two things. They want either immediate monetization or to compromise identities that grant access to money flows and sensitive systems in the next stage.

  • For wallet users, the recovery phrase is effectively the key. Anyone who gets it can import wallets and move assets.
  • For finance and executive target profiles, the combination of authority, time pressure, and proximity to business processes is attractive. QR codes in letters or supposed “compliance” notices can feel more credible than mass phishing emails.
  • Scanning on a smartphone is a strategic advantage for attackers because it often bypasses the organization’s security infrastructure and shifts the attack toward identity compromise.

The second attack vector many overlook

It’s not only letters that matter. Unexpected packages can also act as social-engineering carriers. The FTC warning about QR codes on packages explains that QR codes on inserts can lead to phishing sites that steal payment data or access credentials. It also notes that this path can be used to trigger malware downloads or device access.

What security awareness must deliver now

The key adjustment is not “more training,” but “cover different attack surfaces.” Awareness must treat physical mail and QR codes as first-class phishing channels and prioritize the groups where impact is greatest.

Practical checks for employees

  • Treat QR codes like links. Check context first, then scan.
  • Before opening, verify the destination URL in the preview if the device provides that feature.
  • Do not enter secrets that would fully compromise accounts. For wallets, never disclose the recovery phrase.
  • For letters and packages containing QR codes, always use the internal reporting route instead of “quickly testing it.”

Controls for organizations

  • Integrate the mailroom, reception, and executive assistants into the security reporting process, including simple photo or scan forwarding for triage.
  • Treat mobile security as part of phishing defense because the attack path often starts outside classic EDR and network-inspection boundaries.
  • Extend awareness simulations with QR scenarios, including printed artifacts for particularly exposed groups.

A sentence that belongs in every training

If a message, letter, or package pressures you to scan a QR code immediately and then enter credentials or wallet backups, it is almost always a scam.

FAQ – Quishing (QR Code Phishing)

Quishing is phishing via QR codes. The QR code typically leads to a fake login or payment page that steals credentials, MFA codes, payment data, or other sensitive information. The scan is often deliberately shifted to a smartphone to bypass security controls on the corporate device.

In everyday usage, “quishing” and “QR code phishing” are often used interchangeably. Quishing usually emphasizes the phishing method, while QR code phishing describes the technical carrier. In both cases, the QR code is only the transport mechanism; the attack happens via the destination the code points to.

Smishing is phishing via SMS or messenger apps. Vishing is phishing via phone calls. Quishing uses QR codes in emails, postal mail, posters, packages, or on devices such as parking meters. The common denominator is social engineering; the difference is the channel and therefore which technical controls apply or can be bypassed.

QR codes reduce the friction of clicking. Many people don’t check the destination URL because they can’t see it in full before opening it. In addition, quishing often shifts the attack to mobile devices, which are not always monitored as strictly as laptops or desktops in corporate environments. As a result, classic email and web controls can be partially bypassed.

A QR code is essentially just data, such as a URL or text. The risk comes from what happens after scanning. That can be a link to a malware download site, a link to install an app, a deep link into an app, or a page that requests access credentials. The QR code is not the malware; it is the entry point.

Common examples include fake Microsoft or cloud login pages, supposed MFA resets, package notifications, parking or charging-station payments, internal posters like “Wi-Fi update” or “security update,” and postal mail posing as support or compliance notices. Almost always there is an urgency cue and an instruction to scan and act quickly.

Typical signs include unusual time pressure, threats of account suspension, strong calls to action, unexpected “verification,” and QR codes used instead of normal links. With physical media, additional indicators include tampering signs such as overlaid QR code stickers, crooked labels, or damaged surfaces. A QR code is not proof of legitimacy; it is merely a transport channel.

Use a scanning function that shows a link preview before opening. Check the domain and subdomain carefully, including typos, unusual TLDs, and extra words. Don’t open links that are shortened, look random, or don’t fit the situation. When in doubt, don’t open the QR link at all; use a known official path such as the app or a manually typed web address.
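As an added example that is not part of the original article, the URL checks described above (shortened links, unusual TLDs, brand names used as subdomains or extra words, raw IP hosts, non-web schemes) can be turned into a small triage routine for QR payloads forwarded to a security mailbox. The brand list, shortener list, TLD list and sample payloads are constructed assumptions, not an authoritative policy.

```python
# Added example (not from the article): triage a decoded QR payload against the
# URL-checking rules an employee is told to apply before opening a scanned link.
from urllib.parse import urlsplit
import ipaddress

# Assumed lists for illustration; a real deployment would maintain its own.
EXPECTED_DOMAINS = {"microsoft": "microsoft.com", "ledger": "ledger.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
UNUSUAL_TLDS = {"zip", "top", "xyz", "icu"}


def registrable(host):
    """Crude two-label registrable domain (no public-suffix list; an assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_qr_payload(payload):
    """Return the reasons a payload should not be opened; an empty list means no finding."""
    findings = []
    u = urlsplit(payload.strip())
    if u.scheme not in ("http", "https"):
        # Deep links and app-install URIs are unexpected in a letter or package insert.
        return [f"non-web scheme '{u.scheme or 'none'}': unexpected deep link or app install"]
    host = u.hostname or ""
    if u.scheme != "https":
        findings.append("plain http")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    reg = registrable(host)
    if reg in SHORTENERS:
        findings.append("link shortener hides the destination")
    tld = reg.rsplit(".", 1)[-1]
    if tld in UNUSUAL_TLDS:
        findings.append(f"unusual TLD .{tld}")
    # A brand name anywhere in host/path/query while the registrable domain differs
    # is the classic "extra words / lookalike subdomain" pattern.
    haystack = (host + u.path + u.query).lower()
    for brand, real in EXPECTED_DOMAINS.items():
        if brand in haystack and reg != real:
            findings.append(f"'{brand}' appears in the URL but the domain is {reg}")
    if "@" in u.netloc:
        findings.append("userinfo '@' in URL can mask the real host")
    return findings
```

Constructed payloads to try include a genuine `https://login.microsoft.com/` (no findings) and a lookalike such as `https://microsoft.com.login-verify.top/auth`, which triggers both the TLD and the brand-mismatch findings.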

Treat QR codes like links. Scan only when the source and context are plausible. Open only after checking the URL. Never enter credentials, MFA codes, or wallet recovery phrases on pages reached via a QR code. Use internal reporting channels immediately if a message or postal item seems suspicious, especially when it involves payment or login prompts.

Strong identity controls matter most because quishing often targets account takeover. This includes phishing-resistant MFA such as FIDO2 or passkeys, conditional access, risk-based sign-in detection, and consistent session/token invalidation when suspicious activity is detected. On mobile devices, MDM, URL reputation, DNS filtering, browser hardening, and mobile threat defense help. Reporting processes and fast triage for suspicious QR codes are also critical.

Awareness must cover physical mail, posters, packages, and QR codes, not just email. Effective programs use real examples, train URL checking on smartphones, and explain common social-engineering patterns such as urgency and authority. For exposed groups like finance, executive assistants, and executives, a dedicated track with realistic scenarios and clear reporting paths is worthwhile.

Define a simple process to report suspicious letters, inserts, and posters, ideally by sending a photo or scan to a security mailbox or creating a ticket. The process should clearly state that QR codes must not be scanned “just to test.” A short checklist of scam indicators and a clear escalation path help when a person or department is directly targeted.

Report the incident immediately to security or IT. Close the page, and if necessary disconnect briefly. Change passwords using a known safe route. Have active sessions and tokens reset if possible. If MFA codes were entered, urgency is especially high. For wallet-related incidents, a disclosed recovery phrase must be treated as compromised and requires immediate protective actions.

For many wallets, the recovery phrase is the central key. Anyone who obtains it can import the wallet and initiate transactions. Quishing campaigns delivered via postal mail therefore often aim to capture the recovery phrase through fake “update” or “verification” pages. The most important rule is that the recovery phrase must never be shared and must not be entered into websites.

Document QR-code-based attacks as a distinct phishing channel in threat models and security policies. Map controls clearly, for example identity controls, mobile controls, awareness, and incident response. Define higher-risk target groups such as finance, executives, assistant functions, and people with access to payment processes or wallets. Regularly check whether simulations, reporting rates, and response times match the real attack path.
