Quishing: Why QR Code Phishing Needs a Training Response

A new variant of phishing is bypassing email filters, evading mobile defenses, and landing in employee inboxes with almost no friction. QR code phishing, known in the security industry as quishing, has grown at a pace that most security awareness training programs have not kept up with. If your team does not know how to recognize a malicious QR code, they are carrying a vulnerability into every meeting room, parking garage, and restaurant they visit.

How Quishing Works and Why It Is Hard to Stop

Traditional email security tools were built to analyze text and embedded URLs. A QR code is an image, not a link, so most filters pass it without inspection. The malicious URL is encoded invisibly inside the graphic, and employees have no way to read it before scanning. When they do scan, the request goes to their personal or corporate mobile device, often outside the reach of corporate web proxies, endpoint detection, or secure web gateways.

Attackers exploit this gap deliberately. A quishing email might impersonate an IT department asking employees to re-verify their Microsoft 365 credentials by scanning a code. It might arrive as a fake parking permit violation notice posted physically on a car windshield. It might appear on a shared document as a “scan to verify” prompt. The delivery vector is limited only by attacker creativity, and QR codes are now so normalized in everyday life that scanning feels instinctive rather than suspicious.

According to Keepnet Labs, quishing attacks increased fivefold in 2025, with over 4.2 million QR code phishing threats identified in the first half of the year alone. Of the incidents that reached employees, only 36 percent were accurately identified and reported. That means nearly two out of three quishing attempts went undetected by the very people they targeted.

Executives Are a Disproportionate Target

One of the most striking findings in recent quishing research is the targeting pattern. C-suite executives and senior leaders are approximately 40 times more likely to receive a malicious QR code than the average employee, according to Keepnet Labs data from 2025. This makes intuitive sense: executives have elevated access to financial systems, strategic information, and approval workflows. A single compromised executive account can unlock a wire transfer, expose a board presentation, or provide lateral movement into sensitive networks.

Despite this, leadership is rarely included in targeted security simulations. Executives often opt out of phishing exercises or receive lighter versions that do not reflect the sophistication of real attacks. Quishing is an area where that gap is actively exploited. The financial stakes are significant: business losses from quishing incidents exceed one million dollars per incident on average, a figure that includes direct fraud losses, incident response costs, downtime, and reputational damage.

Why This Is a Training Problem, Not Just a Technology Problem

Email security vendors are racing to deploy computer vision capable of decoding QR codes before delivery. Some are making real progress. But technology alone will not close this gap quickly, and it will not help employees who encounter malicious QR codes in the physical world, on posters, stickers, or printed materials placed in common areas.
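The filtering gap described above (a QR code is an image, so URL filters never see the link) and the gateway-side decoding this section mentions meet at one step: once an image has been decoded to a payload string, that string has to go through the same scrutiny a text link would get. The following Python sketch is an added example, not code from the article, Keepnet Labs or Osterman Research. It assumes an upstream step has already rendered each image attachment and run a QR decoder such as pyzbar's `decode()` on it; the brand list, shortener list, keyword list, score thresholds and sample payloads are all constructed for the example and are not vendor defaults.

```python
"""Triage of URLs decoded from QR codes found in inbound mail.

Added example (not from the original article, Keepnet Labs or Osterman
Research). It assumes an upstream step has already decoded each image
attachment (e.g. with pyzbar's decode()); payload strings below are
constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlparse

# Hypothetical: brands this organisation uses and the host suffixes those
# brands really live on. A host that names the brand but is not under one of
# these suffixes is treated as a lookalike.
PROTECTED_BRANDS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com", "live.com"),
    "okta": ("okta.com",),
}
# URL shorteners hide the real destination from the person scanning.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# Path/query words typical of credential-harvesting landing pages.
CREDENTIAL_WORDS = ("verify", "login", "signin", "password", "reset", "mfa", "authenticate")


@dataclass
class Verdict:
    url: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def action(self) -> str:
        # Thresholds are a policy choice made for this example.
        if self.score >= 5:
            return "quarantine"
        if self.score >= 2:
            return "flag"
        return "allow"


def _flag(v: Verdict, points: int, reason: str) -> None:
    v.score += points
    v.reasons.append(reason)


def triage_qr_payload(payload: str) -> Verdict:
    """Apply ordinary link checks to a string decoded from a QR image."""
    v = Verdict(url=payload)
    parsed = urlparse(payload.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("http", "https"):
        _flag(v, 3, f"non-web scheme {parsed.scheme!r}")
        return v
    if parsed.scheme == "http":
        _flag(v, 1, "plain http")
    if not host:
        _flag(v, 3, "no host")
        return v
    try:
        ip_address(host)
        _flag(v, 3, "host is a raw IP address")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        _flag(v, 2, "punycode host (possible homoglyph)")
    if host in SHORTENERS:
        _flag(v, 2, "URL shortener hides destination")
    if host.count(".") >= 4:
        _flag(v, 1, "deeply nested subdomain")
    if "@" in parsed.netloc:  # e.g. https://brand.com@other.example
        _flag(v, 3, "userinfo in URL masks the real host")
    for brand, legit in PROTECTED_BRANDS.items():
        if brand in host and not any(host == s or host.endswith("." + s) for s in legit):
            _flag(v, 4, f"lookalike of protected brand {brand!r}")
    rest = (parsed.path + "?" + parsed.query).lower()
    hits = [w for w in CREDENTIAL_WORDS if w in rest]
    if hits:
        _flag(v, 1, "credential-harvest words: " + ", ".join(hits))
    return v


def triage_message(decoded_payloads):
    """Worst verdict among all QR payloads decoded from one message (None if none)."""
    verdicts = [triage_qr_payload(p) for p in decoded_payloads]
    return max(verdicts, key=lambda x: x.score) if verdicts else None


# Constructed sample payloads, as a decoder would return them.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",  # legitimate
    "https://microsoft-verify-account.example/login?user=ceo",  # lookalike + harvest words
    "http://203.0.113.7/mfa/reset",                              # raw IP, plain http
    "https://bit.ly/3xAmPl3",                                    # shortener
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        v = triage_qr_payload(p)
        print(f"{v.action:10} score={v.score:<2} {v.url}  {'; '.join(v.reasons)}")
```

Run stand-alone it prints one verdict per sample payload (allow, quarantine, quarantine, flag). The design point is that the decoder is the only new component; everything after it is the existing link-analysis path, which is why gateway decoding helps for mail but does nothing for a code printed on a windshield or a poster.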

Osterman Research found that 76 percent of organizations experienced image-based and QR code phishing attacks over the past year, yet only 5.5 percent successfully blocked all attempts. The difference between organizations that contained incidents and those that did not often came down to whether employees had been trained to treat unsolicited QR codes with the same skepticism they apply to suspicious email links.

Keepnet’s own data shows that organizations which added QR code scenarios to their phishing simulation programs saw an 87 percent improvement in employee detection and reporting rates within three months. That is a measurable, achievable improvement on a realistic timeline.

What Effective Quishing Training Looks Like

Adding quishing to your security training program does not require a full curriculum overhaul. It requires realistic scenarios and clear behavioral habits that employees can apply in the moment.

Start by including QR codes in your existing phishing simulation cadence. Use scenarios that mirror real attack patterns: an IT notification asking employees to scan a code to reset a password, a vendor invoice with a QR code for payment confirmation, or a benefits enrollment reminder with a code for account verification. These scenarios feel plausible because attackers deliberately model them on real business processes.

Train employees on three habits. First, pause before scanning any QR code that arrived unexpectedly or that creates a sense of urgency. Second, verify the source through a separate channel before proceeding, by calling the sender directly or checking with IT. Third, report the suspicious code using your organization’s reporting process, whether that is a phishing report button, a helpdesk ticket, or a direct message to the security team.

Physical quishing simulations are also worth considering. Placing test QR codes in shared spaces reveals whether employees have internalized verification habits or whether they scan reflexively in real-world contexts, not just in front of a screen.

For teams managing a human risk management program, quishing represents exactly the kind of emerging threat where early training investment pays the highest return. The technology controls are still catching up. Until they do, the most reliable protection is a workforce that has practiced recognizing and reporting this specific attack pattern before it arrives in their inbox or on their car windshield.