    Beginner · Lesson 4 of 9 · Phishing & social-engineering email

    QR Phishing (Quishing) in 2026 — Why a Camera Is Now an Attack Surface

    QR phishing — sometimes called quishing — uses a QR code to deliver a malicious URL that bypasses every email-layer security control because the link never appears as text to scan. The 2026 attack patterns are QR-in-attachment (slipped into PDFs and images), physical QR overlay (stickers placed on parking meters, EV chargers, posters, restaurant menus), and corporate-IT-themed QR (fake MFA-renewal posters in office lifts).

    Reviewed by the HackersHub team — updated 13 May 2026 · 7 min read · Free to use — CC-BY-ND 4.0

    The scenario

    On a Tuesday morning the IT communications team at a 6,000-person Dutch insurer puts up a poster in every lift: 'Mandatory MFA refresh by Friday — scan to begin'. There are three QR codes per lift, all leading to the company's IdP self-service portal. By Thursday afternoon a security analyst notices that the poster in the south-tower main lift has a glossy A4 overlay taped neatly across the bottom third — same colours, same fonts, with the three QR codes replaced. The overlay points to login-insurer.identityaccess.cn, a perfectly cloned IdP login page hosted from a hijacked Chinese cloud tenant. Forty-one employees have already submitted credentials and OTP codes. The attacker has been registering FIDO devices on those accounts in real time using an Evilginx-style reverse-proxy kit. The breach is detected only because the analyst happened to take the south-tower lift and noticed that the overlay's edges were misaligned. Two of the compromised accounts were domain admins. The remediation cost roughly €380,000, and the firm's NIS2-mandated 24-hour notification clock had already started.

    How the attack works

    QR phishing relies on three structural features that the email security stack cannot compensate for. First, the destination URL is hidden inside the QR image: most mobile camera apps show the destination domain for under two seconds before opening, and most users tap before reading. Second, when the QR arrives inside an email attachment (PDF, PNG, JPG), the security gateway sees an image, not a link, so URL-rewriting and link-detonation controls never run. Third, the same QR can be deployed physically: stickers placed over real QR codes on parking meters, EV chargers, restaurant menus and corporate posters give the attacker a brand-credible delivery channel that no software product can see.

    The post-scan flow is identical to email phishing: a brand-cloned login page or payment page, optionally backed by an Evilginx-style reverse proxy to capture MFA tokens in real time. MITRE ATT&CK techniques: T1566.002 (Spearphishing Link, delivered out-of-band), T1539 (Steal Web Session Cookie) via reverse-proxy kits, and T1192-style phishing applied to non-email channels.

    The most effective controls are user-side (always check the destination domain before entering credentials; distrust any QR pointing to a non-corporate IdP for work tasks) and physical (periodic walk-throughs to detect overlay stickers on official posters and on public infrastructure where staff use payment QRs).

    What to look out for

    • QR codes embedded in email attachments — especially PDFs from unknown senders or unexpected internal communications
    • Physical QR stickers that look slightly off-axis, glossy when the underlying surface is matte, or covering an existing QR (look for adhesive edges)
    • QR posters in lifts, lobbies, parking garages, on restaurant tables, EV chargers, parking meters — anywhere ad-hoc payment or authentication is implied
    • QR codes pointing to a domain that is not your normal corporate IdP, your bank's actual domain, or the merchant's verified URL — always read the full URL the camera previews before tapping
    • Hand-printed or low-quality QR codes on otherwise professional materials — a mismatch suggests the QR was added later
    • QR followed immediately by a login page asking for credentials, OTP, or payment authorisation
    • QR-based 'mandatory MFA refresh' or 'mandatory password reset' messages — legitimate enterprise IdPs rarely require a QR-mediated flow

    What to do

    1. Always read the preview URL the camera shows before tapping through — every time. Confirm the domain matches your IdP, your bank, or the merchant. If you cannot read it (URL shortener, IP address, unfamiliar TLD), do not proceed.
    2. Never enter credentials, OTPs or payment info on a page reached by scanning a QR — open the official app or type the URL manually. If a corporate task is genuinely required, navigate to it from a bookmark or via the company intranet, not via the QR.
    3. If you encounter a suspicious physical QR sticker, report it. For office-environment stickers, report to your facilities and security teams so the sticker can be removed and the area swept. For public infrastructure (chargers, parking meters), report to the operator, and to your bank if you have already paid.
    4. If you scanned and submitted credentials, treat it as a compromise immediately. Change the password from a known-clean device, revoke active sessions, re-enrol MFA, and escalate to security so they can investigate concurrent logins.
    5. Treat QR-bearing emails as suspicious by default — especially attachments. The most credible-looking emails (HR forms, signed contracts, MFA-renewal notices) are the prime QR-phishing carriers.
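    The domain check in step 1 can be automated once a QR image has been decoded to a URL (by a gateway's QR decoder, an MDM link check, or simply by reading the camera preview). The following Python is an added example and not part of the HackersHub module: it flags the cues listed above (URL shortener, raw IP address, unfamiliar TLD, a hostname that merely contains a trusted brand name, userinfo before an '@') and returns allow / review / block. The trusted-domain list, brand tokens, shortener list, familiar-TLD list and sample URLs are constructed assumptions, not real configuration.

```python
"""Triage of a URL decoded from a QR code (constructed example).

Assumes the QR image has already been decoded to a URL string; this code
only judges the destination, which is what step 1 asks a user to do by eye.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains staff may reach for work tasks.
TRUSTED_DOMAINS = {"idp.insurer-example.nl", "login.microsoftonline.com"}
# Constructed brand tokens; a host containing one without being trusted is a lookalike.
BRAND_TOKENS = {"insurer", "microsoftonline"}
# Constructed list of shorteners: a shortened link hides the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}
# Constructed list of TLDs considered familiar for this fictional Dutch insurer.
FAMILIAR_TLDS = {"nl", "com", "eu", "org", "net"}


def _is_trusted(host: str) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_qr_url(url: str) -> dict:
    """Return {'host', 'verdict': 'allow'|'review'|'block', 'reasons': [...]}."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{parts.scheme or '(none)'}'")
    elif parts.scheme == "http":
        reasons.append("plain http: the page is not served over TLS")

    if not host:
        reasons.append("no host in URL")
        return {"host": host, "verdict": "block", "reasons": reasons}

    # 'https://idp.example.nl@evil.example/' shows the trusted name but goes elsewhere.
    if parts.username is not None:
        reasons.append("userinfo before '@': the text before it is not the host")

    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass

    if host in SHORTENERS:
        reasons.append(f"URL shortener {host} hides the real destination")

    if not is_ip:
        tld = host.rsplit(".", 1)[-1]
        if tld not in FAMILIAR_TLDS:
            reasons.append(f"unfamiliar TLD .{tld}")

    trusted = _is_trusted(host)
    if not trusted:
        # Compare with hyphens removed so 'login-insurer' still matches 'insurer'.
        flat = host.replace("-", "")
        for token in BRAND_TOKENS:
            if token.replace("-", "") in flat:
                reasons.append(f"lookalike: contains '{token}' but is not a trusted domain")

    if reasons:
        verdict = "block"
    elif trusted:
        verdict = "allow"
    else:
        verdict = "review"  # unknown but unremarkable domain: a human decides
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs, including the overlay domain from the scenario.
    for sample in (
        "https://idp.insurer-example.nl/mfa/refresh",
        "https://login-insurer.identityaccess.cn/",
        "https://bit.ly/3abc",
        "http://203.0.113.5/login",
        "https://menu.restaurant.nl/table/12",
    ):
        result = triage_qr_url(sample)
        print(f"{result['verdict']:6} {sample}  {'; '.join(result['reasons'])}")
```

    The verdict is deliberately conservative: any single cue blocks, because the user-side rule in step 2 is not to enter credentials on a QR-reached page at all, so the automation only needs to confirm that an official poster's QR leads where the corporate IdP actually lives.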

    Defence — for IT and policy

    Technical controls

    • Mobile device management (MDM) that includes QR-link analysis on managed devices (Microsoft Defender, Lookout, Zimperium offer this in 2026)
    • Email gateway with attachment OCR + QR-decoder + URL detonation — the only way to catch QR-in-PDF before delivery
    • FIDO2 / passkey MFA that is domain-bound — defeats reverse-proxy kits served via QR-delivered links
    • Internal QR registry: the security team signs the target URL of every corporate-issued QR poster with a code it maintains; any unsigned QR detected on internal walls is investigated
    • Browser-level safe-browsing on the corporate fleet that flags newly-registered or low-reputation domains immediately after the QR-tap
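    One way to implement the internal QR registry control above is an HMAC tag embedded in the URL each official poster encodes. The Python below is an added example, not HackersHub's or any vendor's tooling: the security team holds a key and a registry of approved posters, issues each official QR URL with a qrsig parameter that binds the poster id to the exact target URL, and a sweep tool (or the MDM link check) classifies any scanned URL as registered, unsigned, or tampered. The key, the registry entries, the parameter name and the URLs are constructed assumptions.

```python
"""HMAC-signed internal QR registry (constructed example)."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed demo key; in production it lives in the security team's secrets store.
REGISTRY_KEY = b"constructed-demo-key-not-for-production"
TAG_PARAM = "qrsig"

# Constructed registry: poster id -> (physical location, approved target URL).
QR_REGISTRY = {
    "LIFT-S-01": ("South tower, main lift", "https://idp.insurer-example.nl/mfa/refresh"),
    "LOBBY-02": ("Main lobby", "https://intranet.insurer-example.nl/visitors"),
}


def _canonical(url: str) -> str:
    """Strip the signature parameter and normalise scheme/host before signing."""
    p = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k != TAG_PARAM]
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, urlencode(query), ""))


def _tag(poster_id: str, url: str) -> str:
    """HMAC-SHA256 over poster id and canonical URL, truncated to 96 bits for a short QR."""
    msg = f"{poster_id}\n{_canonical(url)}".encode()
    return hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()[:24]


def issue_qr_url(poster_id: str) -> str:
    """URL the security team encodes into the official poster's QR code."""
    _, base = QR_REGISTRY[poster_id]
    p = urlsplit(base)
    query = parse_qsl(p.query, keep_blank_values=True)
    query.append((TAG_PARAM, f"{poster_id}.{_tag(poster_id, base)}"))
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), p.fragment))


def verify_qr_url(scanned_url: str) -> dict:
    """Classify a scanned URL as 'registered', 'unsigned' or 'tampered'."""
    p = urlsplit(scanned_url)
    params = dict(parse_qsl(p.query, keep_blank_values=True))
    sig = params.get(TAG_PARAM)
    if not sig or "." not in sig:
        # No tag at all: an overlay sticker or any QR not issued via the registry.
        return {"status": "unsigned", "poster_id": None}
    poster_id, tag = sig.split(".", 1)
    if poster_id not in QR_REGISTRY:
        return {"status": "tampered", "poster_id": poster_id, "why": "unknown poster id"}
    # Recompute over the scanned URL itself: a copied tag on a different host fails here.
    expected = _tag(poster_id, scanned_url)
    if not hmac.compare_digest(expected, tag):
        return {"status": "tampered", "poster_id": poster_id, "why": "signature does not match URL"}
    return {"status": "registered", "poster_id": poster_id, "location": QR_REGISTRY[poster_id][0]}


if __name__ == "__main__":
    official = issue_qr_url("LIFT-S-01")
    print("issued :", official)
    print("scan 1 :", verify_qr_url(official))
    # Constructed overlay URLs modelled on the scenario's cloned IdP domain.
    print("scan 2 :", verify_qr_url("https://login-insurer.identityaccess.cn/"))
    copied_tag = official.split(TAG_PARAM + "=")[1]
    print("scan 3 :", verify_qr_url(f"https://login-insurer.identityaccess.cn/mfa/refresh?{TAG_PARAM}={copied_tag}"))
```

    During the weekly walk-through the sweeper scans every poster with the verifier rather than with a camera app; a 'registered' result also returns the poster's expected location, so a genuine tag that turns up in the wrong lift is itself a finding.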

    Policy controls

    • Written policy: corporate IT will never deliver an MFA reset, password reset, or credential-action via QR code. Employees report any such QR as a phishing attempt.
    • Procurement policy: any external-facing QR code on company premises must be approved by security and listed in the internal QR registry before being deployed
    • Facilities walk-through SOP: weekly visual sweep of high-touch areas (lifts, lobbies, parking garages, communal printers) for overlay stickers
    • Public-payment guidance: when scanning a QR on public infrastructure (EV charger, parking meter), prefer the operator's mobile app over the QR-led flow whenever practical

    Training frequency

    Include at least one quarterly simulation with a QR-in-PDF or QR-in-physical-poster lure, paired with the SMS/voice variants. Track reporting rate of suspicious physical QRs as a leading indicator of employee awareness — clicks alone are an incomplete metric for this attack class.

    Quick check

    Five questions. Answers and explanations appear after submitting.

    Q1. A PDF lands in your inbox from your IT department titled 'Mandatory MFA refresh — scan inside'. What is your safest action?

    Q2. Why is QR phishing particularly hard for email security to catch?

    Q3. You notice an A4 overlay taped on top of a corporate QR poster in your office lift. What is the most likely cause?

    Q4. Which control most directly defeats a reverse-proxy phishing kit served via a QR-delivered URL?

    Q5. Is it ever safe to enter your login credentials on a website you reached by scanning a public QR code?


    This module has been approved by HackersHub in exactly this form, including the watermark. Free under CC-BY-ND 4.0. Want to adapt the content? Then remove our watermark first. — The HackersHub team