What is quishing? The QR code phishing scam explained

Quishing, also known as QR (quick response) code phishing, is a phishing technique that involves QR codes to trick potential victims.

Similar to other types of phishing attacks, the purpose is to steal sensitive information, install malware on your device, or make you visit a website.

What is a QR code?

A QR code is a “square barcode-like image” that can be scanned using a smartphone or other QR code reader apps. A QR code “serves a number of legitimate purposes, allowing quick access to internet-based resources such as websites, product or event information and payment facilities.” They are commonly used for various legitimate purposes, such as linking to websites, making payments, or providing contact information. However, malicious actors have found ways to abuse QR codes for fraudulent activities.

How does quishing work?

According to IBM, in a quishing attack, attackers “create malicious QR codes that appear legitimate” but contain links to harmful websites or files. These codes can be distributed in many ways, such as embedded in phishing emails, text messages, or “placed deceptively in public places,” such as on flyers, menus, or even pasted over genuine QR codes, so people scan them without thinking. Because users cannot see the actual web address before scanning, they can be easily redirected to a fake login page that asks them to enter sensitive information or to download software that compromises their device.

IBM explains that this works because QR codes “hide the destination link in plain sight,” which makes quishing effective at tricking users into giving up credentials, financial details, or allowing malware onto their device.

Go deeper: Five common QR code scams—Microsoft 365

How does quishing impact HIPAA compliance?

According to Paubox’s 2025 healthcare email security report, phishing, including quishing, is the leading cause of healthcare data breaches, serving as the primary entry point for cybercriminals to compromise sensitive information. As of 2024, over 70% of healthcare data breaches originated from phishing attacks. The impact of these attacks is widespread, affecting financial stability, patient privacy, and clinical operations.

Unauthorized access to patient data

In a healthcare setting, QR codes are sometimes used to access medical records or other sensitive patient information. If an attacker successfully tricks a healthcare worker or patient into scanning a malicious QR code, it could result in unauthorized access to patient data, potentially violating HIPAA rules.

Data breaches

QR code phishing can result in data breaches if sensitive patient information is exposed, stolen, or misused. HIPAA mandates that covered entities and their business associates take appropriate measures to safeguard protected health information (PHI) and report breaches promptly.

Patient privacy violations

QR code phishing can compromise patient privacy and confidentiality as attackers gain access to patient records and other healthcare-related information.

Legal and financial consequences

HIPAA violations can lead to significant legal and financial penalties for covered entities and their business associates. This includes fines, legal actions, and potential damage to an organization's reputation.

See also: QR Code-Based Phishing (Quishing) as a Threat to the Health Sector

In the news

According to a CNBC news report, hackers have turned a common everyday tool, QR codes, into a new type of scam called “quishing,” using them to trick people into sharing personal information or visiting dangerous websites.

According to cybersecurity experts, the effectiveness of these scams is due to their simplicity and ubiquity. “Because they are everywhere — from gas pumps and yard signs to television commercials — they’re simultaneously useful and dangerous,” said Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant.

Another specialist noted that scammers don’t need sophisticated tools; they can simply print a fake QR code sticker and place it over a legitimate one to lure users into harmful websites or fake payment portals. “The crooks are relying on you being in a hurry and you needing to do something,” the expert told CNBC.

With QR codes being easily accessible, experts warn that users should stay vigilant before scanning, because convenience can quickly become a trap.

How to mitigate the risk of QR code phishing

To protect against quishing, the FTC recommends the following:

• If you come across a QR code in an unusual location, be sure to check the URL before opening it. Even if it appears familiar, confirm that it's not spoofed by carefully examining it for misspellings or swapped letters.
• Avoid scanning a QR code in an unexpected email or text message, especially if it pressures you to take immediate action. If you believe the message might be genuine, contact the company using a phone number or website that you know is authentic.
• Safeguard your phone and online accounts by keeping your operating system updated to defend against hackers. Enhance the security of your online accounts with strong passwords and multi-factor authentication.

Read also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQS

Are QR codes themselves dangerous?

QR codes are not inherently malicious. They are simply a method of encoding information. The risk arises when attackers embed harmful links inside them. As IBM explains, the danger lies in how QR codes conceal the destination URL until after scanning.

Why are QR codes effective for cybercriminals?

According to IBM, QR codes “hide the destination link in plain sight,” making it difficult for users to verify where the code leads before scanning. This lack of transparency increases the likelihood that users will trust and scan the code.

Can quishing bypass email security systems?

Yes. Since the malicious link is embedded within a QR code image instead of being displayed as clickable text, it may bypass detection by some traditional email security tools. This tactic enables attackers to evade filters meant to block suspicious URLs.