{"id":2086,"date":"2026-02-15T10:10:57","date_gmt":"2026-02-15T09:10:57","guid":{"rendered":"https:\/\/ilja-schlak.de\/?p=2086"},"modified":"2026-02-15T10:10:57","modified_gmt":"2026-02-15T09:10:57","slug":"quishing-qr-code-phishing-awareness","status":"publish","type":"post","link":"https:\/\/ilja-schlak.de\/en\/quishing-qr-code-phishing-awareness\/","title":{"rendered":"Quishing (QR Code Phishing) &#8211; How to Recognize It and Stop QR-Based Attacks"},"content":{"rendered":"<section class=\"l-section wpb_row height_medium\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Quishing is no longer just an email problem. Attacks are shifting the \u201cclick\u201d to QR codes, postal mail, and smartphones. That changes what effective security awareness must cover.<\/p>\n<h2>QR codes are becoming the new phishing standard<\/h2>\n<p>QR codes are considered convenient because they \u201conly\u201d need to be scanned. That very convenience is increasingly being exploited as an entry point. The key difference from classic phishing is not the look and feel, but the channel shift. The scan often happens on a smartphone, while security controls on the corporate endpoint and in email gateways are bypassed.<\/p>\n<p>A recent note in the <a href=\"https:\/\/www.ic3.gov\/CSA\/2026\/260108.pdf\" target=\"_blank\" rel=\"noopener nofollow\">FBI\/IC3 flash on Quishing<\/a> describes this mechanism explicitly. Attackers embed a malicious URL in a QR code, force a switch from the corporate device to a mobile device, and thereby circumvent common email protection mechanisms. 
Particularly relevant is that quishing campaigns often lead to credential harvesting and then to session token theft: the landing page is commonly an adversary-in-the-middle proxy that relays the real login, including the MFA step, and captures the resulting session cookie, so identity takeover in cloud environments succeeds even where MFA is enabled, unless the MFA is phishing-resistant.<\/p>\n<h2>When \u201csupport mail\u201d arrives, it\u2019s no longer an edge case<\/h2>\n<p>Awareness programs are often optimized for email. That makes sense, but it is now incomplete. In practice, physical letters, printed notices, and package inserts increasingly provide the initial foothold. The typical pattern is a staged narrative: urgency, an allegedly required action, and a QR code positioned as the \u201cfastest way\u201d to resolve the issue.<\/p>\n<p>Wallet manufacturers now explicitly warn that they do not request seed phrases or backups and that postal contact should also be treated as an indicator of fraud. In the <a href=\"https:\/\/www.ledger.com\/phishing-campaigns-status\" target=\"_blank\" rel=\"noopener nofollow\">Ledger guidance on ongoing phishing campaigns<\/a>, it is emphasized that the recovery phrase must never be shared or entered anywhere and should only ever be used directly on the device. The <a href=\"https:\/\/trezor.io\/learn\/security-privacy\/personal-security-standards\/scams-and-phishing\" target=\"_blank\" rel=\"noopener nofollow\">Trezor guide on scams and phishing<\/a> is equally clear: unsolicited contact via messenger, phone, and even postal mail should be treated as phishing.<\/p>\n<h2>Why finance, executives, and wallet users are especially affected<\/h2>\n<p>Attackers care about two things. They want either immediate monetization or to compromise identities that grant access to money flows and sensitive systems in the next stage.<\/p>\n<ul>\n<li>For wallet users, the recovery phrase is effectively the key. Anyone who gets it can import wallets and move assets.<\/li>\n<li>For finance and executive target profiles, the combination of authority, time pressure, and proximity to business processes is attractive. 
QR codes in letters or supposed \u201ccompliance\u201d notices can feel more credible than mass phishing emails.<\/li>\n<li>Scanning on a smartphone is a strategic advantage for attackers because it often bypasses the organization\u2019s security infrastructure and shifts the attack toward identity compromise.<\/li>\n<\/ul>\n<h2>The second attack vector many overlook<\/h2>\n<p>It\u2019s not only letters that matter. Unexpected packages can also act as social-engineering carriers. The <a href=\"https:\/\/consumer.ftc.gov\/consumer-alerts\/2025\/01\/scam-alert-qr-code-unexpected-package\" target=\"_blank\" rel=\"noopener nofollow\">FTC warning about QR codes on packages<\/a> explains that QR codes on inserts can lead to phishing sites that steal payment data or access credentials. It also notes that this path can be used to trigger malware downloads or device access.<\/p>\n<h2>What security awareness must deliver now<\/h2>\n<p>The key adjustment is not \u201cmore training,\u201d but \u201ccover different attack surfaces.\u201d Awareness must treat physical mail and QR codes as first-class phishing channels and prioritize the groups where impact is greatest.<\/p>\n<h3>Practical checks for employees<\/h3>\n<ul>\n<li>Treat QR codes like links. Check context first, then scan.<\/li>\n<li>Before opening, verify the destination URL in the preview if the device provides that feature.<\/li>\n<li>Do not enter secrets that would fully compromise accounts. 
For wallets, never disclose the recovery phrase.<\/li>\n<li>For letters and packages containing QR codes, always use the internal reporting route instead of \u201cquickly testing it.\u201d<\/li>\n<\/ul>\n<h3>Controls for organizations<\/h3>\n<ul>\n<li>Integrate the mailroom, reception, and executive assistants into the security reporting process, including simple photo or scan forwarding for triage.<\/li>\n<li>Treat mobile security as part of phishing defense because the attack path often starts outside classic EDR and network-inspection boundaries.<\/li>\n<li>Extend awareness simulations with QR scenarios, including printed artifacts for particularly exposed groups.<\/li>\n<\/ul>\n<h2>A sentence that belongs in every training<\/h2>\n<p>If a message, letter, or package pressures you to scan a QR code immediately and then enter credentials or wallet backups, it is almost always a scam.<\/p>\n<h2>FAQ &#8211; Quishing (QR Code Phishing)<\/h2>\n<\/div><\/div><div class=\"w-tabs style_default switch_click accordion has_scrolling\" style=\"--sections-title-size:inherit\"><div class=\"w-tabs-sections titles-align_none icon_chevron cpos_right\"><div class=\"w-tabs-section\" id=\"jff8\"><button class=\"w-tabs-section-header\" aria-controls=\"content-jff8\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">What does quishing mean?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-jff8\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Quishing is phishing via QR codes. The QR code typically leads to a fake login or payment page that steals credentials, MFA codes, payment data, or other sensitive information. 
The scan is often deliberately shifted to a smartphone to bypass security controls on the corporate device.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"u1b1\"><button class=\"w-tabs-section-header\" aria-controls=\"content-u1b1\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Is quishing the same as QR code phishing?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-u1b1\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>In everyday usage, the terms are often used interchangeably. Quishing usually emphasizes the phishing method, while QR code phishing describes the technical carrier. In both cases, the QR code is only the transport mechanism; the attack happens via the destination the code points to.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"o359\"><button class=\"w-tabs-section-header\" aria-controls=\"content-o359\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">How does quishing differ from smishing and vishing?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-o359\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Smishing is phishing via SMS or messenger apps. Vishing is phishing via phone calls. Quishing uses QR codes in emails, postal mail, posters, packages, or on devices such as parking meters. 
The common denominator is social engineering; the difference is the channel and therefore which technical controls apply or can be bypassed.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"b4fc\"><button class=\"w-tabs-section-header\" aria-controls=\"content-b4fc\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Why is quishing so effective?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-b4fc\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>QR codes reduce the friction of clicking. Many people don\u2019t check the destination URL because they can\u2019t see it in full before opening it. In addition, quishing often shifts the attack to mobile devices, which are not always monitored as strictly as laptops or desktops in corporate environments. As a result, classic email and web controls can be partially bypassed.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"k6a0\"><button class=\"w-tabs-section-header\" aria-controls=\"content-k6a0\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Can a QR code itself contain malware?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-k6a0\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>A QR code is essentially just data: a URL, plain text, a Wi-Fi join configuration, a contact card, or a payment URI. The risk comes from what happens after scanning and from what the scanning app does with that data. That can be a link to a malware download site, a link to install an app, a deep link into an app, a page that requests access credentials, or a payment request that points at the attacker\u2019s address. 
The QR code is not the malware; it is the entry point.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"h848\"><button class=\"w-tabs-section-header\" aria-controls=\"content-h848\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">What are typical quishing scenarios?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-h848\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Common examples include fake Microsoft or cloud login pages, supposed MFA resets, package notifications, parking or charging-station payments, internal posters like \u201cWi-Fi update\u201d or \u201csecurity update,\u201d and postal mail posing as support or compliance notices. Almost always there is an urgency cue and an instruction to scan and act quickly.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"va16\"><button class=\"w-tabs-section-header\" aria-controls=\"content-va16\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">How can I recognize quishing in emails, letters, or posters?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-va16\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Typical signs include unusual time pressure, threats of account suspension, strong calls to action, unexpected \u201cverification,\u201d and QR codes used instead of normal links. With physical media, additional indicators include tampering signs such as overlaid QR code stickers, crooked labels, or damaged surfaces. 
A QR code is not proof of legitimacy; it is merely a transport channel.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"lbbe\"><button class=\"w-tabs-section-header\" aria-controls=\"content-lbbe\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">How do I safely verify the destination URL of a QR code?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-lbbe\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Use a scanning function that shows a link preview before opening. Read the registrable domain, the part immediately before the top-level domain, rather than the beginning of the URL: a link such as login.example.com.example.net belongs to example.net, not to example.com, and any text placed before an @ sign is ignored by the browser in favor of the host that follows it. Check that part carefully for typos and lookalike characters, unusual TLDs, and extra words. Don\u2019t open links that are shortened or go through a redirector, look random, or don\u2019t fit the situation; the preview then shows only the first hop, not the final destination. When in doubt, don\u2019t open the QR link at all; use a known official path such as the app or a manually typed web address.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"bd62\"><button class=\"w-tabs-section-header\" aria-controls=\"content-bd62\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">What are the most important countermeasures for employees?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-bd62\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Treat QR codes like links. Scan only when the source and context are plausible. Open only after checking the URL. Never enter credentials, MFA codes, or wallet recovery phrases on pages reached via a QR code. 
Use internal reporting channels immediately if a message or postal item seems suspicious, especially when it involves payment or login prompts.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"gf09\"><button class=\"w-tabs-section-header\" aria-controls=\"content-gf09\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Which technical measures help organizations against quishing?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-gf09\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Strong identity controls matter most because quishing often targets account takeover. This includes phishing-resistant MFA such as FIDO2 or passkeys, which a proxy phishing page cannot relay because the credential is bound to the genuine origin; conditional access that requires a managed or compliant device for sensitive applications; risk-based sign-in detection; and consistent session\/token invalidation when suspicious activity is detected. In email, a gateway that decodes QR codes found in message bodies and attachments and runs the extracted URL through the same reputation and sandbox checks as a normal link closes the gap the image otherwise creates. On mobile devices, MDM, URL reputation, DNS filtering, browser hardening, and mobile threat defense help. Reporting processes and fast triage for suspicious QR codes are also critical.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"x0b0\"><button class=\"w-tabs-section-header\" aria-controls=\"content-x0b0\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">What must an awareness program include for quishing?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-x0b0\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Awareness must cover physical mail, posters, packages, and QR codes, not just email. Effective programs use real examples, train URL checking on smartphones, and explain common social-engineering patterns such as urgency and authority. 
For exposed groups like finance, executive assistants, and executives, a dedicated track with realistic scenarios and clear reporting paths is worthwhile.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"r24f\"><button class=\"w-tabs-section-header\" aria-controls=\"content-r24f\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">What are safe processes for the mailroom, reception, and executive assistants?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-r24f\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Define a simple process to report suspicious letters, inserts, and posters, ideally by sending a photo or scan to a security mailbox or creating a ticket. The process should clearly state that QR codes must not be scanned \u201cjust to test.\u201d A short checklist of scam indicators and a clear escalation path help when a person or department is directly targeted.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"z3f3\"><button class=\"w-tabs-section-header\" aria-controls=\"content-z3f3\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">What should I do if I scanned a suspicious QR code or entered data?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-z3f3\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Report the incident immediately to security or IT. Close the page, and if necessary disconnect briefly. Change passwords using a known safe route. Have active sessions and tokens reset if possible. If MFA codes were entered, urgency is especially high. 
The reason is that an MFA code entered on a phishing page lets the attacker complete the real login and hold a valid session, so revoking sessions and refresh tokens matters more than the password change. For wallet-related incidents, a disclosed recovery phrase is permanently compromised: move the assets to a wallet created from a new recovery phrase, because the old phrase cannot be made safe again.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"f591\"><button class=\"w-tabs-section-header\" aria-controls=\"content-f591\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Why are hardware wallet users especially at risk?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-f591\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>For many wallets, the recovery phrase is the central key. Anyone who obtains it can import the wallet and initiate transactions. Quishing campaigns delivered via postal mail therefore often aim to capture the recovery phrase through fake \u201cupdate\u201d or \u201cverification\u201d pages. The most important rule is that the recovery phrase must never be shared and must not be entered into websites.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"n734\"><button class=\"w-tabs-section-header\" aria-controls=\"content-n734\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">How can quishing risks be reflected cleanly in risk management and policies?<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-n734\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Document QR-code-based attacks as a distinct phishing channel in threat models and security policies. Map controls clearly, for example identity controls, mobile controls, awareness, and incident response. Define higher-risk target groups such as finance, executives, assistant functions, and people with access to payment processes or wallets. 
Regularly check whether simulations, reporting rates, and response times match the real attack path.<\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section>]\n","protected":false},"excerpt":{"rendered":"<p>Quishing is no longer just an email problem. Attacks are shifting the \u201cclick\u201d to QR codes, postal mail, and smartphones. That changes what effective security awareness must cover.<\/p>\n","protected":false},"author":1,"featured_media":2087,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[120],"tags":[],"class_list":["post-2086","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/2086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/comments?post=2086"}],"version-history":[{"count":2,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/2086\/revisions"}],"predecessor-version":[{"id":2089,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/2086\/revisions\/2089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/media\/2087"}],"wp:attachment":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/media?parent=2086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/categories?post=2086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/tags?post=2086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","te
mplated":true}]}}
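The FAQ entries above on what a QR code can contain and on verifying the destination URL, together with the mailroom photo-or-scan triage control, describe checks a person does by eye. The following script, an added example that is not part of the original post, of the cited FBI/IC3, FTC, Ledger or Trezor material, or of any product, applies those same checks to an already-decoded QR payload so that a security mailbox can sort reports before anyone opens the link. It assumes the image was decoded by a separate scanner and only the payload string is passed in; the brand allowlist, the shortener sample and every payload below are constructed placeholders. It goes slightly beyond the text by also catching the userinfo trick (text before an @ sign), typo domains by edit distance, and a second URL hidden in a query parameter.

```python
# Added example: triage of an already-decoded QR payload, as a security mailbox
# might run it. Not code from the original post or any product it cites. The
# brand allowlist, shortener sample and all payloads are constructed placeholders.
from __future__ import annotations

import ipaddress
from urllib.parse import parse_qs, urlsplit

BRANDS = {"acmebank": "acmebank.example"}   # brand token -> genuine registrable domain (constructed)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}  # a preview shows only this first hop
DANGEROUS_SCHEMES = {"javascript", "data", "file", "intent", "ms-appinstaller"}
TYPES = {"http": "url", "https": "url", "wifi": "wifi", "mailto": "contact", "tel": "contact",
         "sms": "contact", "bitcoin": "payment", "ethereum": "payment"}


def classify(payload: str) -> str:
    """QR codes carry more than web links: Wi-Fi joins, payment URIs, app deep links."""
    scheme = urlsplit(payload.strip()).scheme.lower()
    return TYPES.get(scheme, "deeplink" if scheme else "text")


def registrable_domain(host: str) -> str:
    """Last two labels; good enough here, real tooling consults the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo domains such as acmebannk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(payload: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) with verdict 'block', 'review' or 'ok'."""
    kind, parts, reasons = classify(payload), urlsplit(payload.strip()), []
    if kind != "url":
        if parts.scheme.lower() in DANGEROUS_SCHEMES:
            reasons.append(f"high: scheme '{parts.scheme}' executes or installs content")
        elif kind != "text":
            reasons.append(f"medium: non-web payload of type '{kind}'")
        return verdict(reasons)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host)
    if parts.username is not None:   # https://login.brand@evil: the browser ignores text before '@'
        reasons.append(f"high: text before '@' is userinfo, the real host is {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append("high: raw IP address instead of a domain")
    except ValueError:
        pass
    if not host.isascii() or any(lab.startswith("xn--") for lab in host.split(".")):
        reasons.append("high: internationalized/punycode host, check for lookalike letters")
    if host in SHORTENERS:
        reasons.append("high: shortener, the preview shows only the first hop")
    if any(v.lower().startswith(("http://", "https://"))
           for vs in parse_qs(parts.query).values() for v in vs):
        reasons.append("high: another URL embedded in the query (redirect target)")
    for brand, domain in BRANDS.items():
        if host == domain or host.endswith("." + domain):
            continue                  # genuinely under the brand's own domain
        if brand in host:             # e.g. login.acmebank.example.verify-now.example
            reasons.append(f"high: '{brand}' in host, but the owner domain is {owner}")
        elif any(0 < edit_distance(lab, brand) <= 2 for lab in host.split(".")):
            reasons.append(f"high: host label is a near miss of '{brand}' (typo domain)")
        elif brand in parts.path.lower():
            reasons.append(f"medium: '{brand}' appears only in the path under {owner}")
    if parts.scheme.lower() == "http":
        reasons.append("medium: cleartext http")
    return verdict(reasons)


def verdict(reasons: list[str]) -> tuple[str, list[str]]:
    if any(r.startswith("high") for r in reasons):
        return "block", reasons
    return ("review" if reasons else "ok"), reasons


if __name__ == "__main__":
    for sample in (  # constructed payloads as a triage mailbox might receive them
        "https://login.acmebank.example/signin",
        "https://login.acmebank.example.verify-now.example/account",
        "https://login.acmebank.example@198.51.100.7/",
        "https://bit.ly/3xyz",
        "https://acmebannk.example/reset",
        "https://portal.example/go?url=https://acmebank-secure.example/login",
        "WIFI:T:WPA;S:Guest;P:secret;;",
        "bitcoin:bc1qconstructedaddress?amount=0.5",
        "javascript:alert(1)",
    ):
        v, why = triage(sample)
        print(f"{v:6} {sample}  {'; '.join(why)}")
```

Run it directly to print one verdict per sample. The registrable-domain helper is a two-label approximation, so in production replace it with a Public Suffix List lookup, and treat an `ok` verdict as "no indicator found" rather than as proof the link is safe, exactly as the FAQ says a QR code is not proof of legitimacy.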