QR Code Phishing Is Surging: How Quishing Bypasses Your Email Security
QR code phishing (quishing) surged 587% in 2025. Learn how these attacks bypass email security and what to include in your awareness training.
The Attack Your Email Filter Can't See

Your organization probably spent significant budget on email security — secure email gateways, URL rewriting, sandbox detonation, AI-powered threat detection. These tools are effective against traditional phishing attacks that rely on malicious links or attachments. But there's a category of phishing that sails right past all of them: QR code phishing, also known as quishing.

The numbers are staggering. According to multiple threat intelligence reports, QR code phishing attacks increased by 587% between 2024 and 2025. And the trend is accelerating — quishing now accounts for approximately 12% of all phishing emails observed in the wild.

The reason is elegantly simple: a QR code in an email is just an image. Email security tools can analyze URLs, scan attachments, and flag suspicious domains. But a QR code? It's pixels. And those pixels encode a URL that only becomes visible when an employee scans it with their phone — a device that typically sits outside your corporate security stack.

How Quishing Attacks Work

A typical quishing attack follows this pattern: The employee receives a legitimate-looking email containing a QR code. Common pretexts
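
The gap described above, where a filter reads the URLs in the text but not the one encoded in the image, shown as an added Python example that is not code from the original article: it walks a message's MIME parts and separates URLs visible in the body from URLs recovered from image parts. The `decode_qr` hook, the stub decoder, and the sample message, image bytes and URLs are all constructed assumptions; a real deployment would plug an actual QR-decoding library into the hook.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SAMPLE_IMAGE = b"CONSTRUCTED-QR-IMAGE-BYTES"  # constructed stand-in, not a real PNG

def stub_decode_qr(image_bytes):
    """Hypothetical decoder hook: image bytes -> list of decoded strings.
    A stub here; in production it would wrap a real QR-decoding library."""
    if image_bytes == SAMPLE_IMAGE:
        return ["https://login.example.invalid/reset"]  # constructed URL
    return []

def collect_urls(raw_message, decode_qr):
    """Return (body_urls, image_urls) found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    body_urls, image_urls = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            # What a URL-scanning filter already sees.
            body_urls += URL_RE.findall(part.get_content())
        elif ctype.startswith("image/"):
            # What it misses unless the pixels are decoded first.
            for text in decode_qr(part.get_payload(decode=True)):
                image_urls += URL_RE.findall(text)
    return body_urls, image_urls

def image_only_urls(raw_message, decode_qr):
    """URLs reachable only by scanning an image; send these to URL analysis."""
    body_urls, image_urls = collect_urls(raw_message, decode_qr)
    seen = set(body_urls)
    return [u for u in dict.fromkeys(image_urls) if u not in seen]

def build_sample():
    """Constructed sample: one visible link plus one image attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample message"
    msg.set_content("Scan the code below. Help: https://intranet.example/help")
    msg.add_attachment(SAMPLE_IMAGE, maintype="image", subtype="png",
                       filename="qr.png")
    return msg.as_string()

if __name__ == "__main__":
    print(image_only_urls(build_sample(), stub_decode_qr))
```

With a decoder that returns nothing, `image_urls` is empty, which is the view a text-only URL scanner has of the same message.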
Article details
Category: Phishing & Social Engineering. Published on Apr 8, 2026.