Quishing (QR Code Phishing): What It Is and How SMBs Defend Against It
Last month a client’s accounting lead called in a panic: an email with a “pending e-invoice” subject, corporate-looking, with a “scan the QR with your phone to view the document” instruction. They called us before they scanned. Behind that QR was a pixel-perfect clone of the Microsoft 365 sign-in page. This attack pattern is called quishing and in 2026 it has become the fastest-growing cyber threat against SMBs in our market. In 20 years of field work I’ve rarely seen a technique spread this fast.
What is quishing?
Quishing is “QR” + “phishing”. In classic phishing the malicious URL is embedded as a text link. In quishing the URL is encoded into a QR code image. The victim opens the email on their desktop but reaches for their phone to scan the code. That single hop sidesteps the controls that live on the desktop and the corporate network: link rewriting, the web proxy and DNS filtering never see the request, the personal phone is usually outside corporate policy, the fake URL is hard to read in a small mobile address bar, and the user’s attention is split between two screens.
Why did quishing explode in 2026?
The numbers tell the story. Per Microsoft’s Q1 2026 threat report, the company analysed 8.3 billion email-based phishing threats, with QR phishing rising 146% in three months. About 12% of all phishing emails in 2025 included a QR code. Palo Alto Unit 42 detects more than 11,000 malicious QR codes per day.
Why do attackers love QR codes? Because they work. C-level executives were 40× more likely to fall for QR phishing in 2025 than rank-and-file staff. In the UK 784 quishing incidents were reported between April 2024 and April 2025, with losses approaching £3.5 million.
How the attack works, step by step
- Bait: the employee receives an urgent-sounding email — “pending e-invoice,” “delivery confirmation,” “HR document ready,” “your Microsoft 365 password is expiring.”
- QR code: the email contains a QR code to “view the document/page”. Because the URL is encoded in the pixels of an image rather than in the message text, a filter that only extracts URLs from text sees no link at all.
- Pivot: the employee scans the QR with their phone. The phone is outside corporate filtering and DNS protection.
- Harvest: the fake Microsoft 365 page collects the username and password. Without a second factor the attacker can sign in with them straight away.
Why traditional email filters miss this
Because most email security filters extract URLs from text and HTML, not from images. The same malicious link as plain text would be checked against URL reputation, rewritten and detonated; encoded inside a QR image it looks like “an innocent picture”, and unless the filter decodes QR images (older filters do not) there is no URL for those checks to act on. The brilliance of the attack is exactly in this blind spot. Quishing defence cannot be a single layer; you must combine technology and human awareness.
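As an added example (not from the original post), here is an interim Exchange Online mail flow rule that tags inbound mail matching the pattern described in the four steps above, for tenants whose filter does not yet decode QR images. It assumes an Exchange Online PowerShell session (ExchangeOnlineManagement module, `Connect-ExchangeOnline`) with Security Administrator rights; the rule name, the word list and the banner text are placeholders to tune for your language and your false-positive tolerance.

```powershell
# Added example, not from the original post. Assumes an Exchange Online PowerShell
# session with Security Administrator rights. Rule name, word list and banner text
# are illustrative placeholders.
#
# A mail flow rule cannot decode a QR image. This one matches the *pattern* instead:
# external sender + "scan this code" wording + an image attachment. Rather than
# blocking (too many false positives on legitimate e-invoices), it prepends a subject
# tag and injects a banner, so the warning is on the desktop screen at the exact
# moment the user would reach for their phone.

Connect-ExchangeOnline

# Phrases seen in the lure text. Add your local-language variants.
$qrWords = @(
    'scan the qr', 'scan this qr', 'scan the code', 'scan this code',
    'qr code', 'qr-code', 'use your phone to scan', 'open with your camera'
)

$banner = '<div style="background:#fff4ce;border:2px solid #c50f1f;padding:8px;font-family:sans-serif">' +
          '<b>Warning:</b> this external message asks you to scan a QR code. ' +
          'Scanning it with your phone bypasses the company email protections. ' +
          'Do not sign in on the page it opens. Use the Report Phish button if unsure.</div>'

# All conditions are ANDed. Start in AuditAndNotify for a week, read the incident
# reports, then switch -Mode to Enforce.
New-TransportRule -Name 'Tag external mail asking to scan a QR code' `
    -FromScope NotInOrganization `
    -SubjectOrBodyContainsWords $qrWords `
    -AttachmentExtensionMatchesWords @('png', 'jpg', 'jpeg', 'gif', 'bmp', 'svg') `
    -PrependSubject '[QR WARNING] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode AuditAndNotify `
    -Comments 'Interim quishing control; review matches monthly via Get-MessageTrace.'

# Confirm the rule was created with the conditions you intended.
Get-TransportRule -Identity 'Tag external mail asking to scan a QR code' |
    Format-List Name, State, Mode, FromScope, SubjectOrBodyContainsWords, AttachmentExtensionMatchesWords
```

Two caveats before relying on it: an inline picture is still a MIME attachment, so it should satisfy the extension condition, but verify in audit mode with a sample message that the QR images your attackers actually send are matched; and a QR hosted as a remote image (an `<img src=...>` pointing off-tenant) is not an attachment at all, so for that variant you have to drop the attachment condition and accept more false positives.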
Classic phishing vs. quishing
| Property | Classic phishing | Quishing (QR) |
|---|---|---|
| Malicious link form | Text / link | QR image |
| Caught by email filter? | Usually yes (URL is visible text) | Usually no (URL hidden in image pixels) |
| Device used | Desktop (managed, filtered) | Phone (usually unmanaged, unfiltered) |
| Hard for victim to spot | Medium | High (small screen, lookalike domain) |
Action plan for SMBs
The good news: with the right layers, quishing is largely stoppable. The control set we deploy at clients:
- Advanced email protection: Microsoft Defender for Office 365 with Safe Links rewrites every URL so it is re-checked at click time. Note that a URL a phone reads off the screen never passes through the rewritten link, so the filter must also decode QR images at delivery time and evaluate the URL inside them; Defender for Office 365 does this as part of its image analysis. In May 2026 Microsoft extended Safe Links coverage beyond Business Premium — now reachable for smaller plans too.
- MFA and passkey: even if the password is stolen, a second factor stops the attacker from simply signing in. The caveat: attacker-in-the-middle phishing kits proxy the real sign-in page and capture the one-time code or session cookie along with the password, so SMS and app-code MFA can still be defeated. Passkeys (FIDO2) are bound to the genuine domain and cannot be replayed to a lookalike; where possible accelerate the move to passwordless passkeys.
- Mobile app protection and Conditional Access: Intune App Protection policies keep corporate data inside managed apps on personal phones, and a Conditional Access rule that requires a compliant device or an approved client app means a password harvested on the fake page cannot be used to sign in from the attacker’s machine.
- User awareness training: quarterly 20-minute scenarios with real screenshots beat once-a-year compliance slides.
- Reporting button: “Report Phish” in Outlook — without it the security team never sees the attempts that slipped through and the filter never gets the feedback. The first 30 days of a deployment usually surface patterns specific to your industry.
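As an added example (not the original post’s own configuration), this is the Safe Links policy behind the first bullet above, with the weak settings a hastily created policy often carries shown beside the corrected ones. It assumes an Exchange Online PowerShell session with Security Administrator rights in a tenant licensed for Defender for Office 365; the policy and rule names and the domain `contoso.example` are placeholders.

```powershell
# Added example, not from the original post. Assumes Exchange Online PowerShell with
# Security Administrator rights and a Defender for Office 365 licence. Policy/rule
# names and contoso.example are placeholders.

Connect-ExchangeOnline

# Step 1: look at what you have. Each of the weak values below reopens a path for
# the attack described in this post:
#   AllowClickThrough        $true  -> user can click past the warning page
#   DeliverMessageAfterScan  $false -> mail lands before the URL verdict is ready
#   EnableForInternalSenders $false -> a compromised colleague's mailbox is trusted
#   TrackClicks              $false -> no click telemetry for the SOC / MSP
#   DisableUrlRewrite        $true  -> links are not rewritten, so no click-time check
$props = @('Name', 'EnableSafeLinksForEmail', 'EnableSafeLinksForTeams',
           'EnableSafeLinksForOffice', 'ScanUrls', 'DeliverMessageAfterScan',
           'EnableForInternalSenders', 'AllowClickThrough', 'TrackClicks',
           'DisableUrlRewrite')
Get-SafeLinksPolicy | Format-List $props

# Step 2: the corrected policy. Every setting that matters for quishing is explicit
# so a later "quick fix" in the portal is visible as a diff against this script.
$policyName = 'SafeLinks-Strict'   # placeholder
New-SafeLinksPolicy -Name $policyName `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -AllowClickThrough $false `
    -TrackClicks $true `
    -DisableUrlRewrite $false

# Step 3: bind it to every recipient in the tenant domain at the highest priority,
# so a weaker legacy policy lower in the list never wins.
New-SafeLinksRule -Name "$policyName-AllUsers" `
    -SafeLinksPolicy $policyName `
    -RecipientDomainIs 'contoso.example' `
    -Priority 0

# Step 4: verify the end state before closing the ticket.
Get-SafeLinksPolicy -Identity $policyName | Format-List $props
Get-SafeLinksRule -Identity "$policyName-AllUsers" |
    Format-List Name, SafeLinksPolicy, RecipientDomainIs, State, Priority
```

The policy protects links clicked from a protected client; it does nothing for a URL the phone reads off the screen, which is why it sits alongside the QR image analysis at delivery time, passkeys and the Intune controls above rather than replacing them.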
Frequently asked questions
Should we ban QR codes entirely? Impractical — QR codes are now common in legitimate workflows (e-invoices, parking, restaurant menus). The fight is at the email layer, not the QR-code layer.
Is the answer expensive? Microsoft 365 Business Premium already includes Defender for Office 365, Intune App Protection and Conditional Access — the foundation. Add quarterly awareness training (~2–3 USD/user/month) and you have most of the defence.
Will Defender catch every quishing attempt? No solution catches 100%. The objective is to compress the attack surface and shorten the time-to-detect. Healthy organisations operate at roughly 95% catch + 100% report culture.
Bottom line
Quishing isn’t a 2027 problem — it’s already the dominant entry vector at the small and mid-market. If your only email protection is what shipped with the mailbox, you’re exposed. To map your current control set against the realistic 2026 threat profile, get in touch for a free assessment.
Related Posts
Microsoft Intune BYOD Management: A Practical Guide
An IT lead at an accounting firm called: 'An employee left, they were using their personal iPhone for company email and downloaded customer files to OneDrive. The phone isn't ours. What can we do?' The answer was painful: 'Nothing — it wasn't your device.' The fix is Intune.
Passkey & Passwordless Sign-in: The 2026 Guide
World Passkey Day was marked globally on 7 May. Microsoft Entra ID is rolling out Passkey Profiles to corporate accounts this month, and Windows passwordless sign-in goes generally available in mid-June. Why 2026 is the inflection point, what it costs SMBs, and where to start.
Email Security 2026: DMARC, DKIM, SPF — The Practical Guide
An accounting firm called us last month. An email that looked like it came from the CEO told the finance manager: 'Urgent payment, the IBAN changed, send to the supplier's new account.' The money left. The sender wasn't the CEO — there was no DMARC, no DKIM, no SPF.