
Quishing: Why the Most Innocent Scan of Your Day Could Compromise Your Network

Quishing: QR Code Phishing Attacks – Access Granted

Hannover, November 2024. Someone sticks a sticker on a parking meter. What followed is now happening across Germany — and in your inbox.

Professionally designed. EasyPark logo, pink border, correct brand colours. Anyone who parks their car and scans the QR code lands on easypark.live — a page described by the LKA Lower Saxony as "designed to be nearly identical to the original site." Parking zone, number plate, duration — all as expected. Then: enter your card details. What the user gets: nothing. What the attacker gets: card number, expiry date, CVV.

Sticking the label on takes 30 seconds. Prep time for the attack: an afternoon for design and printing. Manipulated meters in Hannover numbered in the low double digits before the city began searching systematically — by mid-2025, Cologne, Dortmund, Berlin, Goslar, and Braunschweig were also affected. So were EV charging stations.

That's the consumer version of the attack. The one everyone understands because everyone has used a parking meter. What far fewer people realise: the same technique — QR code as a deception vector — is already inside corporate infrastructure. In the PDF attachment of an HR email. On the conference room sign for guest Wi-Fi. In a spoofed Teams invitation. And in the hands of a North Korean intelligence operation targeting think tanks and government agencies.

Quishing — QR code phishing — is not a fringe concern. It is the phishing attack that email security filters are structurally unable to detect: no clickable link, no suspicious attachment, no payload in the email body. Just an image.

  • 25% — Year-over-year increase in quishing attacks (Hoxhunt, 2025)
  • 500k+ — Phishing emails with QR codes in PDFs in 3 months (Barracuda, 2024)
  • 42× — More likely C-suite receives QR code attacks vs. non-executive employees (Abnormal Security)
  • 64% — Of quishing attacks go undetected or unreported (Keepnet, 2024)

The attack your email filter can't see

Quishing is phishing with QR codes. The goal is the same: get the target to a fake site to steal credentials, payment data, or other sensitive information. What differs is the channel. And that difference is security-architecturally fundamental.

A classic phishing link in an email can be filtered. Email security gateways scan URLs, check domains, sandbox suspicious links, and rewrite hyperlinks for downstream inspection. That's the state of the art — and it works increasingly well. Quishing bypasses all of it for one simple reason: a QR code is an image, not a link. There's no URL in the email body. No executable in the attachment. Nothing for a classical filter to catch.

A second structural advantage for attackers: the device switch. A phishing link in an email opens on the corporate device — the laptop with EDR, network filter, proxy, and web filtering. A QR code gets scanned with a smartphone. In most organisations, that smartphone is a personal device: no MDM, no web filter, no EDR integration, no network monitoring. The URL opens in a browser with zero corporate controls.

Classic Phishing: Link in Email (URL · Desktop · Corporate Device)
  • Email filter can inspect and block URL directly
  • Sandbox can pre-load and analyse destination
  • URL rewriting enables downstream inspection on click
  • Opens on corporate device → EDR + web filter active
  • Hover effect: user can preview URL before clicking

Quishing: QR Code as Image (Image · Smartphone · Personal Device)
  • Email filter sees only an image — no URL to inspect
  • Sandbox would need to decode the QR — rarely implemented
  • No rewriting possible: URL is inside the code, not the text
  • Opens on personal phone → outside all corporate controls
  • URL on phone display: truncated, barely readable, no hover

The FBI states it plainly: quishing is an MFA-resilient identity intrusion vector. Not because MFA doesn't work — but because the smartphone on which the code is scanned sits outside the MFA-protected perimeter. Session tokens can be stolen in the mobile browser before MFA even comes into play.

Physical, digital, hybrid: where QR codes become weapons

Physical: The sticker

The EasyPark scenario is the most visible — but not the only physical quishing scenario. Anywhere QR codes are physically displayed and scanned by people, a sticker with a fake code can be placed on top: EV charging stations, restaurant tables, hotel check-in points, museum guides, event signage. The attack surface is every public QR code.

In the corporate context, that means: conference room signs for guest Wi-Fi, printer instruction panels, reception areas with visitor registration QR codes, whiteboards with meeting links. Anyone who briefly enters a building — as a maintenance technician, delivery person, or visitor — and places a sticker has launched a physical quishing attack that may go undetected for weeks.

Documented Case // Hannover & other cities, Germany, Nov. 2024 – Jun. 2025
EasyPark quishing on parking meters: professional, scalable, nationwide
Since November 2024, the LKA Lower Saxony and the cities of Hannover, Berlin, Goslar, Bad Harzburg, Celle, Braunschweig, Cologne, and Dortmund have warned of fake QR code stickers on parking meters. The stickers professionally imitate EasyPark branding with logo and brand colours. The target site easypark.live was described by the LKA as "designed to be nearly identical to the original" and requested credit card details. Those affected are advised to block their cards immediately and file a police report. Identical attacks were documented at EV charging stations and in summer 2023 at ParkNYC meters in New York City.
Sources: LKA Lower Saxony · polizei-praevention.de · ADAC · City of Hannover · geblitzt.de

Digital: The QR code in a PDF attachment

The purely digital form of quishing is also the most underestimated in corporate environments. Barracuda researchers detected over half a million phishing emails in a three-month window in which QR codes were embedded in PDF documents — not in the email itself, but in the attachment. The reason: a PDF attachment feels less suspicious than an embedded image, and the URL inside the QR code isn't automatically extracted and checked by any email gateway.

The social engineering pretexts are always the same, because they always work: payslip, open benefits enrolment form, tax documents, password security notices, compliance confirmations, meeting invitations. Sophos was itself targeted by such campaigns — with subject lines including "2024 financial plans," "benefits open enrollment," and "dividend payout."

Hybrid: Physical sticker meets corporate target

The most dangerous combination: a physical QR code in a corporate context that leads to a credential harvesting page for corporate logins. Example: a sticker in a conference room reading "Microsoft 365 login for guest access — scan QR code." The page behind it looks like the Microsoft login. Anyone who enters their corporate credentials has just compromised their account — on their personal smartphone, outside any corporate monitoring, without triggering a single alert.

| Attack Surface | Context | Goal | Recognisability for User | Risk |
|---|---|---|---|---|
| Sticker on physical devices | Parking meters, chargers, conference rooms | Payment data, credentials | Low — professionally designed | HIGH |
| QR code in email (direct) | Spoofed HR, IT, compliance emails | Corporate credentials, MFA bypass | Low — no hover effect possible | HIGH |
| QR code in PDF attachment | Payslips, tax documents, forms | Credentials, payment data | Very low — PDF appears trustworthy | CRITICAL |
| Physical code inside company premises | Conference Wi-Fi, reception, printers | Corporate credentials, network access | Very low — expected and trusted | CRITICAL |
| Spear-quishing against leadership | Personalised emails to C-suite | High-value credentials, M365, VPN | Very low — highly personalised | CRITICAL |

When quishing becomes an intelligence weapon: Kimsuky and the FBI alert

Quishing is not just a tool for credit card fraud. In January 2026, the FBI published a flash alert documenting quishing as an active attack technique of a North Korean state threat actor: Kimsuky — also known as APT43, Velvet Chollima, Emerald Sleet — one of North Korea's most active intelligence operations.

Documented Case // FBI Flash Alert, January 2026
Kimsuky uses quishing against think tanks, universities, and government agencies
In May and June 2025, Kimsuky sent spear-phishing emails to employees of a strategic advisory firm — purported invitations to a non-existent conference on Korean Peninsula geopolitics. The emails contained a QR code leading to a spoofed Google login page to harvest credentials. In other cases, fake Microsoft 365, Okta, and VPN login pages were impersonated. The FBI explicitly classifies quishing as an "MFA-resilient identity intrusion vector" — because the attack takes place on the mobile device, outside EDR and network monitoring. The conclusion: when an intelligence service adopts quishing, it's no longer a niche attack.
Source: FBI Flash Alert IC3, 08/01/2026 · SecurityWeek · SC Media

The reason state-level actors use quishing is the same as for criminals — with higher-value targets: the attack takes place outside every known line of defence. No URL filter, no sandbox, no EDR telemetry. The FBI writes that quishing "forces victims to pivot from their corporate endpoint to a mobile device — exiting the boundaries of Endpoint Detection and network monitoring."

For most organisations, Kimsuky is not a direct threat scenario. But the technique is identical — whether the attacker wants credit card data or the Microsoft 365 credentials of a department head. Quishing is democratised: the infrastructure for a convincing quishing attack costs under €50 and requires no technical expertise to assemble.

What happens between the scan and the damage

01 Delivery: Email with QR code (direct or in PDF) or physical sticker. No URL in body → email filter blind.
02 Device Switch: User scans with smartphone. Exits EDR, proxy, web filter, MDM — if personal device.
03 Redirect: QR code goes via shortlink or direct to phishing page. URL on phone display truncated, barely readable.
04 Harvesting: Fake login page (M365, Okta, VPN, payment portal). Credentials or card data entered.
05 Pivot: Stolen credentials used for account takeover. From there: lateral movement, data access, persistence.
06 No Alert: No EDR event. No network anomaly. No SIEM trigger. Login with stolen credentials looks normal.

QR codes not as an entry point — but as an exit channel: line-of-sight data exfiltration

Excursus // For High-Security Environments & Red Teams

When the monitor becomes a data port

Security researcher Brian Harris of Covert Access Team describes in a recent post a scenario that inverts the logic of quishing entirely: QR codes not as an attack path into the organisation, but as a covert exfiltration channel out of it.

The concept: a file is split into chunks, each chunk encoded as a QR code, the codes are displayed in sequence on a screen. An observer outside — from the hotel room across the street, via telephoto lens, or on the other end of a Teams call — films the screen and subsequently reassembles the original file. No USB event. No network transfer. No cloud upload. The monitor becomes a data port, without anyone transmitting anything — at least not in any way a traditional security tool monitors.

This is particularly relevant for air-gapped environments: systems physically isolated from the network and treated as secure because no external connection exists. Harris makes the point directly: "Air-gapped systems are often treated as if isolation solves the exfiltration problem. It does not. It reduces the number of paths." A monitor displaying QR codes is not a classical data transmission channel — and most air-gap security concepts simply don't address it. Public tools such as QRExfil (encoder) and piratesbooty (reassembler) make this attack practically executable.

For most organisations, this scenario is not a primary threat model. For those operating under genuine air-gap requirements — critical infrastructure, defence, pharmaceutical research, government — it is a blind spot worth addressing. And it underlines the broader point: QR codes are a transmission medium, not a marketing tool. And transmission media always have two directions.

Source: Brian Harris, Covert Access Team — "Line Of Sight Data Exfiltration" & "Reassembling Line-of-Sight Exfiltration" (June 2026) · covertaccessteam.substack.com

What helps — and what doesn't

Honest starting point: QR codes are structurally harder to inspect than links. No hover. No URL preview on desktop. On mobile, often just a shortlink whose destination isn't immediately visible. What still works:

  • Email security with QR code detection: Modern email gateways can now extract QR codes from images and PDFs, decode the URL, and check it against blocklists. This isn't standard — but it's available. Any organisation running email security without QR scanning has a structural blind spot.
  • MDM policy for QR scans on corporate devices: Mobile Device Management can restrict QR scanning to authorised apps that inspect URLs before opening. This assumes corporate devices are mandatory for email use — which many organisations don't enforce under BYOD policies.
  • Physical inspection routine for all public QR codes: Every QR code in reception areas, conference rooms, and publicly accessible company areas is checked regularly. Stickers placed over originals are detectable by touch — an overlaid code has a palpable edge.
  • Security awareness that explicitly covers quishing: "Don't click suspicious links" does not protect against QR codes. Training must show concrete quishing scenarios: what the attack looks like, how to read a URL on a phone screen, which pretexts are typical.
  • Phishing simulation with quishing component: Anyone who wants to know whether their organisation is vulnerable needs to test it. A quishing simulation — fake HR email with QR code pointing to a harmless landing page — shows the actual click rate more reliably than any theoretical risk assessment.
  • Inventory and marking of legitimate corporate QR codes: Which QR codes officially exist within the company? Who created them? Where do they lead? Without this inventory, there's no way to tell which code is legitimate and which is a sticker.
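The first and last items above fit together: once a gateway has decoded the URL out of a QR image, something has to decide what to do with it, and that decision needs the corporate QR inventory. The following is an added example of that triage step (not code from the post or from AccessGranted); the inventory, the brand-to-domain mapping, and the shortener list are constructed and illustrative, and the registrable-domain heuristic is a deliberate simplification.

```python
# Added example: triage of payloads decoded from QR codes (email images, PDF
# attachments, or photographed signage). All lists below are constructed.
from urllib.parse import urlsplit

# Constructed inventory of legitimate corporate QR destinations: the
# "inventory and marking" control, maintained by the organisation itself.
APPROVED_HOSTS = {"wifi.example-corp.com", "visit.example-corp.com"}

# Brands whose login/payment pages quishing campaigns impersonate, mapped to
# domains those brands use (illustrative; maintain from vendor documentation).
BRAND_DOMAINS = {
    "easypark": {"easypark.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "okta": {"okta.com"},
}

# URL shorteners: the final destination is hidden behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(payload: str) -> dict:
    """Classify a decoded QR payload as approved, block or review, with a reason."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        # Wi-Fi, mailto or vCard payloads are not web URLs: hand to an analyst
        return {"verdict": "review", "reason": f"non-web payload: {payload[:20]!r}"}
    host = parts.hostname.lower()
    domain = registrable_domain(host)
    if host in APPROVED_HOSTS:
        return {"verdict": "approved", "reason": "in QR inventory"}
    if domain in SHORTENERS:
        return {"verdict": "review", "reason": f"shortener hides destination: {domain}"}
    for brand, legit in BRAND_DOMAINS.items():
        # Brand name in the hostname but not on a domain the brand owns
        if brand in host and domain not in legit:
            return {"verdict": "block", "reason": f"{brand} lookalike on {domain}"}
    # With an inventory, any QR destination not in it is suspect by default
    return {"verdict": "review", "reason": f"not in QR inventory: {host}"}
```

A QR-delivered prompt for a genuine vendor login still lands in "review": the inventory says no corporate QR code should lead there, and that mismatch is the signal worth an analyst's time.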

The most effective protection against physical quishing in corporate spaces is the same as against physical pretexting: controlled access to areas where someone could place a sticker. Anyone entering a building to overlay a QR code uses the same entry point as any other physical attacker. A physical pentest combining these vectors tests how far someone gets — and what they can leave behind.

Conclusion: The QR code is neutral. The question is who created it.

QR codes are everywhere because they're convenient. That's exactly the problem. People scan them reflexively — at parking meters, in restaurants, in emails, on conference room signs. The habit formed in an era when QR codes mostly led to menus. That era is over.

What makes quishing so hard to counter: it exploits trust in a medium that feels neutral. A link in an email can look suspicious. A QR code always looks the same. It has no face, no sender, no recognisable origin. It's just there — and most people don't ask who put it there.

Further reading: how physical pretexting works and its role in placing fake QR codes is covered in the post on the Legend. How social engineering is constructed more broadly is shown in the post on the MGM Hack. And what physical attack vectors mean in a corporate context is explored in the series on Physical Security.

Would someone in your organisation scan the code?

We simulate quishing attacks against your employees — via email, PDF, and physical stickers in your premises — and show you where the real vulnerability lies.

Tags // #SocialEngineering #Awareness #CyberSecurity #PhysicalPentest #RedTeam #NIS2 #Quishing #Phishing #QRCode

© AccessGranted X GmbH