**Quishing: The QR Code Phishing Threat Bypassing MFA**
By Zak Smith
Follow ZDNET: Add us as a preferred source on Google.

*Credit: BlackJack3D/ iStock / Getty Images Plus via Getty Images*
**ZDNET’s key takeaways**
* The QR code in your email or attachment could be a scam.
* QR code phishing bypasses MFA, leading to data theft.
* How quishing attacks work, and what you can do to stay safe.
Ever had a QR code land in your inbox and curiosity get the better of you?
When we think of phishing and scams, many of the oldest tricks are those we still encounter daily — emails claiming we have long-lost relatives who’ve left us an inheritance; ‘Facebook’ warning that our accounts will be frozen unless we reply promptly; fake lottery wins; and unwanted solicitations from so-called investors willing to transfer us millions of dollars.
**Also: Mobile phishing is a bigger threat than email now**
However, times are changing. Recruitment scams are becoming sophisticated enough to convince job seekers to engage; AI is being used to humanize and improve phishing attempts and even automate entire attack chains; and now, an attack vector is emerging that weaponizes QR codes to bypass multi-factor authentication (MFA), steal our data, and hijack our accounts.
**Quishing: QR fraud on the rise**
Quishing, or QR code-based phishing, embeds malicious links in QR codes to bypass traditional phishing filters and slip through security nets. The lure is the same: create a sense of urgency, appeal to our greed, instill fear and panic, or promise rewards for scanning the QR code with our phones and clicking the embedded link to visit an online page or platform.
**Also: Microsoft goes all in on new AI-powered Windows security strategy**
A QR code phishing scheme can take many forms. A fake message from your bank, an email congratulating you on a lottery win, or an urgent message from your social media provider. Once you’ve scanned the code and clicked the link, you could end up in a domain designed to steal your data or compromise an account you own.
According to Hoxhunt’s 2026 Phishing Trends Report, basic QR-code phishing messages via email are on the decline, but they are re-emerging as an attack vector hidden in scam email attachments, such as in malicious PDFs.
Overall, QR code phishing attacks increased by 25% year-over-year. It’s not just digital spaces, either, as QR codes have also been spotted in physical spaces, embedded in posters or emblazoned on fake business cards, according to the report.
**How attackers dodge MFA defenses**
Hothunt’s research is supported by a June notice from Google’s Trust & Safety team warning that traditional email attack vectors are being replaced by adversary-in-the-middle (AITM) and quishing attacks.
Quishing pairs with AITM by disguising malicious links in a format that’s hard to read or detect by security filters. According to both Google and Microsoft, this is how it works: You receive a quishing email, and curiosity lures you into scanning the code. You are then sent to a cloned website that appears to be the domain of a trusted service, such as a bank, financial services provider, or even a work platform.
**Also: How to make a QR code for free**
You then submit your credentials, allowing the attacker to bypass existing multi-factor authentication (MFA) protections because you believe you are logging into a trusted website. They can then capture your password and session token, leading to data theft, account compromise, and more.
What makes this tactic more dangerous than traditional phishing, especially for businesses, is that victims use their handsets to scan a QR code, bypassing network-based security and safety nets, such as phishing detection.
The Microsoft Defender team has observed QR code-based cybercriminal campaigns growing from 10% to 30% of total phishing campaigns in recent months.
**How to avoid falling for QR-code phishing**
As QR codes hide destinations, links, and content in an image-like format, we can’t see what is in them or verify their origins easily — which is why blindly scanning and following a QR code is risky.
QR codes, especially those you aren’t expecting, should be treated with the same suspicion as emailed links or attachments. Just because the format is different, the phishing angle remains the same: to coerce or exploit a victim’s curiosity and lure them into clicking and visiting a malicious online resource. The only difference here is the delivery mechanism — instead of a straightforward link or file, a victim uses a camera to scan.
**Also: The best malware removal software: Expert tested and reviewed**
The best advice here is to stay cautious. If you receive an email containing a QR code that appears to be from your bank, visit your bank’s official website in a separate tab or open your bank’s mobile app. Even if a message seems legitimate, for safety and security, you should not click links, open attachments, or scan QR codes unless you are completely sure the source is legitimate and the message’s contents are safe.
Keep in mind, too, that QR code threats aren’t limited to emails. See that QR code sticker slapped on a lamp post near your favorite store? Even physical QR code stickers can harbor a serious threat to your privacy and security.
### FAQ
**What is Quishing?**
Quishing is a type of phishing attack that uses QR codes to deliver malicious links. Instead of clicking a link in an email, the victim scans a QR code with their phone, which directs them to a fraudulent website designed to steal credentials or personal information.
**Why are QR codes becoming a popular phishing method?**
QR codes can bypass traditional email security filters and multi-factor authentication (MFA) systems. Because they are image-based, they are harder to detect as malicious. They also leverage curiosity and urgency, tricking users into scanning without thinking.
**How can I protect myself from QR code phishing?**
Always be cautious with unexpected QR codes. Do not scan QR codes from unknown or suspicious sources. If a QR code arrives in an email or message claiming to be from a legitimate organization, manually visit the official website or use the official app instead of scanning the code.
**Can QR code phishing bypass MFA?**
Yes, QR code phishing is particularly dangerous because it can bypass MFA. When users scan a malicious QR code and enter their credentials on a fake site, attackers can capture both the password and the session token, gaining full access without needing to bypass the second authentication factor.
**Are QR code phishing attacks increasing?**
Yes, QR code phishing attacks have increased by 25% year-over-year and are being used more frequently in email attachments, such as malicious PDFs, as well as in physical public spaces.
### Conclusion
QR codes offer convenience in our daily lives, but they also open the door to sophisticated phishing attacks known as “quishing.” As cybercriminals evolve their tactics to bypass traditional security measures like MFA, users and organizations must remain vigilant. Treating QR codes with the same caution as email links, verifying sources before scanning, and staying informed about emerging threats are essential steps in protecting sensitive data and digital identities. The rise of QR-based phishing is a reminder that even simple technology can be weaponized in the wrong hands—awareness and caution are our best defenses.



