
This article examines the growing trend of quishing (QR code phishing), explains why visual attacks bypass conventional filters, and provides techniques for mitigating the security risks they pose to businesses.
QR code scanning, once a convenience for browsing restaurant menus or joining public Wi-Fi networks, is now widely leveraged by malicious actors to steal sensitive information and deliver malware. This practice, known as “quishing” or QR code phishing, gained popularity through 2024 and 2025.
Traditional email security gateways were designed to examine text-based hyperlinks and attachments, and they are far less effective against visually encoded data. As a result, quishing attacks evade these mechanisms and deliver malicious content directly into the mailboxes of employees and customers. Companies now face a new form of social engineering in which attackers exploit both human trust and these technological blind spots.
The Invisible Threat to Corporate Gateways
Traditional email protection systems were created at a time when threats lived in the text of a message. These systems scan the body of an email for explicit links or language anomalies indicative of phishing, and they check attached files for malware or malicious macros. A QR code is an image and contains no “clickable” link of the kind a standard scanner is built to detect.
The data encoded in a QR code is effectively opaque to conventional security scanning software. Unless the security stack itself applies optical character recognition or image-processing capabilities, the code is treated as just another picture. The phishing URL therefore stays hidden behind a graphical layer until the recipient scans it with a mobile phone. This separation of the scan from the corporate security infrastructure is one of the main reasons quishing succeeds.
The Alarming Statistics of the Quishing Surge
Data from the past two years show that quishing has increased substantially. For example, the number of reported quishing incidents rose by 433% between 2023 and 2024, reflecting how quickly attackers have shifted to visual deception techniques.
- Credential Theft: About 90% of all observed quishing attacks in 2025 target user login credentials.
- Success Rates: The click-through rate for AI-powered phishing attacks is now 54%, compared with 12% for traditional techniques.
- Phishing Volume: More than 22% of all phishing activity involves QR codes.
- Financial Impact: The average cost per phishing incident has risen to $1.29 million, an increase of 12% over the 2023 figure.
[Infographic: The Evolution of Quishing Threats. Caption: QR code phishing has exploded in frequency, bypassing traditional email gateways through visual deception. Its callouts restate the figures above: the increase in reported quishing incidents between 2023 and 2024, the click-through rate for AI-enhanced QR lures compared to 12% for traditional methods, and the share of all phishing attempts globally that now involve malicious QR codes.]
When QR Codes Go Invisible: The Art of Bypassing Security
Attackers have also developed more sophisticated evasions, such as rendering a QR code as ASCII art. Instead of embedding a graphical image, they draw the code out of text characters or HTML elements, so image-based scanners that look for the pixel patterns of a picture never see one.
Another emerging technique splits a single malicious QR code across several image files. Each fragment looks harmless on its own and is not recognized as a QR code until the email client renders the pieces side by side in the recipient’s mailbox, at which point the complete, scannable code appears.
Physical Traps: From Parking Meters to Package Surprises
- Parking Meter Overlays: Stickers placed over the genuine code on a meter direct users to fraudulent payment pages that capture credit card details or enrol them in recurring subscription charges.
- ‘You Have a Package’ Scams: Messages such as ‘Scan to see your gift’ printed on packages or other physical objects carry a QR code that leads to a phishing site or a malware download.
- Menu Replacements at Restaurants and Cafes: Rogue QR codes replace authentic menus and send diners to look-alike sites or prompt them to install malicious mobile applications.
- Fake Utility and Fine Notices: Physical letters carry QR codes that point to credential-harvesting domains or fake payment portals.
- EV Charging Station Scams: Stickers on charging stations carry a QR code that sends drivers to a fraudulent payment page where card details are harvested.
- Travel Hubs: Posters at airports and railway stations display misleading QR codes advertising free Wi-Fi, special offers or job applications, redirecting users to malware or phishing sites instead.
- IT Support Flyers: Flyers in offices or residential buildings advertise tech support or security updates via a QR code that leads to the installation of remote-access software or malware.
- Recruitment Campaigns: Scam job advertisements carry QR codes that lead victims to fake HR sites built to harvest personal and financial data.
- Charitable Appeals: Malicious QR codes pasted over official charity signs redirect donors to fraudulent payment pages, especially during disasters.
- Hospitality Venues: QR codes in hotel rooms that claim to provide Wi-Fi access or hotel services instead lead guests to credential-stealing pages.
Quishing Vector
- Creation: Attackers craft high-quality malicious QR codes that encode deceptive URLs or malware triggers.
- Distribution: The codes are spread through phishing emails, social engineering, or physical stickers in public places.
- Interaction: The victim scans the code on a personal mobile device, which sits outside traditional perimeter security.
- Redirection: The device lands on a pixel-perfect page designed to harvest login credentials or session tokens.
- Exfiltration: The captured data is sent to the attacker’s server immediately, often bypassing Multi-Factor Authentication (MFA).
- Exploitation: The attacker gains unauthorized access to corporate accounts or uses the foothold to move laterally within the network.
Building Resilient Defenses Against Visual Fraud
To combat quishing, security systems must move beyond text analysis and embrace visual AI. Modern platforms use native image processing to decode QR codes in real time. These systems “look” at the email as a human would, which lets them identify ASCII-art and split codes. This visual analysis is then combined with machine learning models that assess the context of the email.
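The ASCII-art evasion described earlier and the “look at the email as a human would” analysis described above can be illustrated with a small detector. This is an added example, not code from the article or from Xcitium: it assumes the email body has already been extracted as text, and the dark-glyph set and sample bodies are constructed assumptions.

```python
# Added example (not from the original article): a defender-side heuristic for
# QR codes drawn as ASCII/Unicode art. The text is binarized into a 0/1 module
# grid and searched for the three 7x7 finder patterns that every QR symbol has
# in its top-left, top-right and bottom-left corners, at the spacing a real
# symbol (21 modules or more) requires. Standard library only.

FINDER = ["1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111"]
DARK = set("█▓■#@")  # glyphs an attacker might use for dark modules (assumption)

def to_grid(text, scale):
    """Map art to rows of 0/1, sampling every `scale` characters
    (art often uses two glyphs per module to keep a square aspect)."""
    rows = text.strip("\n").splitlines()
    width = max((len(r) for r in rows), default=0)
    return [[1 if r.ljust(width)[x] in DARK else 0 for x in range(0, width, scale)]
            for r in rows]

def finder_at(grid, y, x):
    """True if the 7x7 window at (y, x) is exactly a QR finder pattern."""
    return all(grid[y + dy][x + dx] == int(FINDER[dy][dx])
               for dy in range(7) for dx in range(7))

def qr_symbol_size(text):
    """Return the detected symbol size in modules, or 0 if the text carries
    no QR-like geometry. Tries one and two characters per module."""
    for scale in (1, 2):
        grid = to_grid(text, scale)
        h, w = len(grid), (len(grid[0]) if grid else 0)
        hits = {(y, x) for y in range(h - 6) for x in range(w - 6) if finder_at(grid, y, x)}
        for y, x in hits:  # need top-right and bottom-left finders n-7 modules away
            for n in range(21, min(h - y, w - x) + 1):
                if (y, x + n - 7) in hits and (y + n - 7, x) in hits:
                    return n
    return 0

def constructed_qr_art(n=21):
    """Constructed fixture: finder patterns plus checkerboard filler (not a
    real, decodable symbol), rendered two glyphs per module with a quiet zone."""
    cells = [[(x + y) % 2 for x in range(n)] for y in range(n)]
    for top, left in ((0, 0), (0, n - 7), (n - 7, 0)):
        for dy in range(7):
            for dx in range(7):
                cells[top + dy][left + dx] = int(FINDER[dy][dx])
    return "\n".join("    " + "".join("██" if c else "  " for c in row) for row in cells)

PLAIN_TEXT = "Hi team,\n\nPlease scan the attached code to reset your password.\nThanks"
```

A non-zero result is a signal to quarantine or flag the message for review, not proof of malice; the same geometry check can be run on the rendered cells of an HTML table that an attacker uses in place of characters.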
In addition to technology, building a culture of “Pause-Verify-Report” is essential. Training programs that include quishing simulations can reduce the number of successful attacks by up to 86% within a single year. These programs teach employees to recognize the warning signs of a fraudulent scan, such as unusual locations or misspelled URLs. Therefore, a well-trained workforce remains the most powerful “human firewall” against modern social engineering.
Conclusion: When a Simple Scan Becomes an Attack Vector
Quishing exposes a blind spot many organizations still underestimate. QR codes feel harmless, familiar, and fast. That is exactly why attackers use them. By embedding malicious destinations inside images, quishing bypasses email security, link inspection, and user suspicion in a single step. No attachment is opened. No link is clicked. One scan is enough.
Why This Risk Is Growing Everywhere
QR-based attacks scale easily because they exploit trust and convenience at the same time:
- QR codes are not analyzed like URLs or attachments
- Users cannot preview destinations before scanning
- Mobile devices operate outside most corporate controls
- Attacks move from inbox to browser in seconds
- Credentials are exposed before alerts ever trigger
As QR codes spread across emails, posters, invoices, and public spaces, the attack surface expands far beyond traditional phishing defenses.
Where Xcitium Changes the Outcome
For organizations using Xcitium Cyber Awareness Education and Phishing Simulation, quishing loses its power.
- Employees are trained to recognize QR-based deception and contextual red flags.
- Simulated quishing campaigns build instinctive pause-and-verify behavior.
- Suspicious scans are questioned before credentials are ever entered.
- The malicious payload can do no damage when the user never completes the attack.
The attacker’s advantage disappears at the human decision point.
Secure the Scan Before It Leads to a Breach
Quishing is not a technical exploit. It is a behavioral one. Organizations that prepare users for modern social engineering stop these attacks before they begin.
Protect your people from what they cannot see coming.
Choose Xcitium Cyber Awareness Education and Phishing Simulation.