
Quishing attacks: How QR codes steal credentials


QR codes have been around for a while, but they became far more widespread in daily life after the COVID-19 pandemic. What started as contactless menus became boarding passes, payment systems, and authentication gateways. But this ubiquity created a perfect storm for cybercriminals who’ve turned these pixelated squares into sophisticated credential harvesting tools.

Welcome to the world of quishing: QR code phishing attacks that are redefining how threat actors compromise user authentication and steal passwords.

The rise of QR code phishing

According to research by NordVPN, 73% of Americans scan QR codes without verification, and more than 26 million have already been directed to malicious sites. This lack of verification creates massive opportunities for attackers who understand that QR codes are essentially invisible URLs that users can’t inspect before clicking.

Another study this year found that 26% of all malicious links are now sent via QR code. The shift isn’t coincidental – it’s strategic. As email security filters become more sophisticated at catching traditional phishing attempts, attackers are pivoting to methods that bypass these protections entirely.

The appeal for cybercriminals is obvious: print a malicious QR code, stick it over a legitimate one, and wait for victims to scan. Unlike suspicious emails that might trigger security awareness training memories, QR codes feel safe and official, especially when they appear in expected locations like parking meters, restaurant tables, or office building directories.

How quishing attacks target authentication systems

QR code phishing attacks typically follow predictable patterns that directly threaten organizational password security and authentication systems:

  • Credential harvesting: The most common quishing attack redirects users to convincing replicas of login pages. An employee scans what appears to be a QR code for accessing building WiFi and lands on a fake Microsoft 365 login page. They enter their credentials, unknowingly handing them directly to attackers who can then access corporate systems.
  • Multi-factor authentication bypass: Sophisticated quishing campaigns don’t just collect passwords – they harvest MFA codes too. Attackers create real-time proxy sites that capture credentials and immediately use them to trigger legitimate MFA prompts. When victims enter their authentication codes thinking they’re logging into a genuine service, attackers capture those codes and gain full account access.
  • Service desk impersonation: QR codes on fake IT support flyers or “urgent system update” notices lead employees to forms requesting their current passwords “for verification purposes.” This information then gets used for credential-based attacks across multiple systems.
  • Mobile device compromise: Since QR codes are primarily scanned with mobile devices, successful attacks often install malware that can intercept SMS-based authentication codes, capture stored passwords, or monitor future login attempts.

Why quishing succeeds where other attacks fail

Traditional phishing campaigns face multiple security layers: email filters, security awareness training, and users who’ve learned to scrutinize suspicious messages. QR code phishing attacks sidestep many of these defenses:

  • Invisibility: Users can’t preview QR code destinations the way they can hover over email links. This blind trust creates perfect conditions for successful social engineering.
  • Physical presence: Malicious QR codes placed in legitimate locations inherit credibility from their environment. A QR code on an official-looking flyer in the office lobby feels more trustworthy than an email from an unknown sender.
  • Mobile vulnerability: QR codes are primarily scanned with personal mobile devices, which often have fewer security controls than corporate laptops. Many organizations that deploy robust endpoint protection on computers leave mobile devices largely unprotected.
  • Urgency exploitation: Attackers place QR codes in situations where users feel pressured to act quickly—expired parking meters, urgent building evacuations, or “system maintenance” notices that threaten account suspension.
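The "invisibility" point above is the one a defender can partly engineer away: once a scanner app or a help-desk analyst has decoded the QR payload, the destination is just a string that can be previewed and triaged before anyone opens it. The following is an added example (not code from the article or from Specops) of such a triage step. The trusted-host list, the protected brand names, and every sample payload are constructed for the example; the checks are the usual red flags for a harvested-credential lure: plain `http`, userinfo before `@`, raw IP addresses, punycode labels, URL shorteners, brand names on untrusted hosts, login-themed paths, open-redirect style parameters, and a pre-filled e-mail address.

```python
"""
Triage a string decoded from a QR code before it is opened.

Added example, not Specops code. TRUSTED_HOSTS, PROTECTED_BRANDS and
SAMPLE_PAYLOADS are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hosts this organisation genuinely signs in to (assumed for the example).
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.example-corp.com"}
# Brand names that should never appear inside an untrusted host (assumed).
PROTECTED_BRANDS = ("microsoft", "office365", "okta", "sharepoint")
# Public redirectors that hide the real destination until expanded.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
LOGIN_WORDS = re.compile(r"login|signin|verify|password|mfa|auth", re.I)
REDIRECT_PARAMS = ("url", "redirect", "next", "return", "continue")


def triage_qr_payload(payload: str) -> dict:
    """Return {'verdict': allow|review|block, 'host': ..., 'findings': [...]}."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    # QR payloads can also be WIFI:, MAILTO:, tel: etc.; only web URLs are triaged here,
    # anything else is handed to a human.
    if scheme not in ("http", "https"):
        return {"verdict": "review", "host": None,
                "findings": [f"non-web payload scheme: {scheme or 'none'}"]}
    host = (parts.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return {"verdict": "allow", "host": host, "findings": []}

    findings, severe = [], False

    def note(message: str, is_severe: bool = False) -> None:
        nonlocal severe
        findings.append(message)
        severe = severe or is_severe

    if scheme == "http":
        note("plain http: anything typed in travels unencrypted")
    if parts.username is not None:
        note("userinfo before '@': the visible 'host' is not the real host", True)
    try:
        ipaddress.ip_address(host)
        note("raw IP address instead of a hostname", True)
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        note("punycode label: possible homoglyph of a known domain", True)
    if host in URL_SHORTENERS:
        note("URL shortener: destination unknown until expanded")
    if any(brand in host for brand in PROTECTED_BRANDS):
        note("protected brand name inside an untrusted host", True)
    if LOGIN_WORDS.search(parts.path):
        note("login-themed path on an untrusted host")
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS and any(v.startswith("http") for v in values):
            note(f"open-redirect style parameter '{key}'")
        if any("@" in v for v in values):
            note(f"e-mail address pre-filled in '{key}': targeted lure")

    if not findings:
        verdict = "allow"
    elif severe or len(findings) >= 2:
        verdict = "block"
    else:
        verdict = "review"
    return {"verdict": verdict, "host": host, "findings": findings}


# Constructed sample payloads, as a scanner app would hand them over.
SAMPLE_PAYLOADS = {
    "lobby_wifi_sign": "http://guest-wifi-portal.example/login?ssid=Office",
    "m365_lookalike": "https://microsoft-365-verify.example/signin?user=jane.doe%40corp.example",
    "trusted_sso": "https://login.microsoftonline.com/common/oauth2/authorize",
    "shortened": "https://bit.ly/3abc",
    "wifi_config": "WIFI:T:WPA;S:GuestNet;P:secret;;",
}


def triage_all(payloads: dict) -> dict:
    """Map each sample name to its verdict; handy for a reporting queue."""
    return {name: triage_qr_payload(p)["verdict"] for name, p in payloads.items()}


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        result = triage_qr_payload(payload)
        print(f"{name:16} {result['verdict']:7} {result['findings']}")
```

The verdict logic is deliberately conservative: a single structural trick that only an attacker has a use for (userinfo, punycode, a brand name on a foreign host) blocks on its own, while weaker signals need to stack. A real deployment would feed the `review` queue to the IT security team the article says employees should report to, and would expand shortened links in a sandbox rather than on the user's phone.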

Real-world quishing attack scenarios

Understanding how these attacks unfold in practice helps illustrate why they’re so effective against authentication systems:

  • The parking meter scam: Attackers place fraudulent QR codes on parking meters directing drivers to fake payment sites. Users enter credit card information and often create accounts with passwords they reuse across other services, giving attackers potential access to corporate systems.
  • Fake WiFi access: Malicious QR codes appear on “Guest Network Access” signs in coffee shops or conference centers. Scanning leads to credential harvesting pages designed to look like legitimate captive portals, collecting corporate email addresses and passwords.
  • Invoice payment fraud: Finance departments receive physical invoices with QR codes for “convenient online payment.” These codes lead to sites that harvest banking credentials and often request additional “verification” information that can be used for further attacks.
  • Building access deception: Fake QR codes on office building signs claim to provide “contactless visitor registration” but actually collect employee credentials for later use in SIM-swap fraud or other targeted attacks.

Defending against QR code phishing attacks

Protecting your organization from quishing requires a multi-layered approach that addresses both technical vulnerabilities and human behavior:

User education and awareness

Train employees to verify QR code sources before scanning. Legitimate QR codes should include clear information about their destination and purpose. If a QR code appears without context or in an unexpected location, employees should report it to IT security teams.

Establish policies around QR code usage in corporate environments. Define when and where QR codes are acceptable for business purposes, and create reporting procedures for suspicious codes.

Technical controls

Deploy mobile device management (MDM) solutions that can detect and block access to known malicious domains, even when accessed via QR codes. This provides a safety net when users encounter sophisticated attacks.

Implement network-level filtering that inspects all traffic, regardless of how users access malicious sites. Many organizations have strong web filtering on corporate networks but leave guest networks largely unmonitored.

Authentication hardening

The most effective defense against successful quishing attacks is ensuring that even compromised credentials can’t provide meaningful access to attackers. This is where robust password policies and authentication systems become critical.

Strong password policies that prevent credential reuse across systems limit the damage when employees’ personal accounts are compromised through QR code phishing. If an employee uses the same password for a fake parking payment site and their corporate account, attackers gain access to business systems.
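The reuse problem above is why breached-password screening matters: the password an employee typed into a fake parking site ends up in the attacker's corpus, and if it is also their corporate password, a scan against known-breached values catches it. The block below is an added example (not Specops code, and not a description of how Specops Password Policy performs its scan) of the k-anonymity style check commonly used for this: only the first five hex characters of the SHA-1 hash leave the client, the server returns the matching suffixes, and the comparison happens locally. The breach corpus and the 14-character minimum are constructed assumptions.

```python
"""
Breached-password screening with a k-anonymity range lookup.

Added example, not Specops code. The corpus below stands in for a real
breach database and is constructed for illustration.
"""
import hashlib

# Constructed corpus: values an attacker could have harvested on a fake
# parking-payment or guest Wi-Fi portal. A real corpus holds billions.
CONSTRUCTED_BREACHED_PASSWORDS = ["Summer2024!", "Parking123", "Welcome1", "P@ssw0rd"]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the hash format range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords) -> dict:
    """Index breached hashes by 5-char prefix, the way a range endpoint serves them."""
    index = {}
    for pw in passwords:
        h = sha1_upper(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)


def lookup_range(prefix: str) -> set:
    """Stand-in for the network call: the caller reveals only a 5-char prefix,
    so the service never learns the full hash, let alone the password."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """Compare the hash suffix locally against the returned range."""
    h = sha1_upper(password)
    return h[5:] in lookup_range(h[:5])


def evaluate_password(password: str, min_length: int = 14) -> list:
    """Return the policy failures for a candidate password (empty list = acceptable)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if is_breached(password):
        failures.append("appears in a known breach corpus")
    return failures


if __name__ == "__main__":
    # Constructed candidates: one reused from the fake parking site, one fresh passphrase.
    for candidate in ("Parking123", "correct horse battery staple 42"):
        print(f"{candidate!r}: {evaluate_password(candidate) or 'ok'}")
```

Run against a directory, the same `is_breached` check is applied to each account's stored hash rather than to a typed password, which is why continuous scanning catches a reused credential after the fact and not only at the moment it is set.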

Modern authentication frameworks that rely less on traditional passwords reduce the impact of credential theft. Even if attackers harvest login information through quishing campaigns, properly implemented multi-factor authentication creates additional barriers to system access.

Service desk protection

Help desk operations face particular risk from quishing-enabled social engineering. Attackers who’ve gathered employee information through QR code phishing can use that data to impersonate users when calling for password resets or account access.

Protecting service desk operations requires authentication processes that go beyond information attackers might have gathered through quishing campaigns. Simply knowing someone’s name, employee ID, or recent login history isn’t sufficient verification for sensitive account changes.

Solutions like Specops Secure Service Desk enforce caller verification through methods that remove opportunities for impersonation, requiring verification via phishing-resistant factors rather than just information an attacker might have collected through social engineering.


The future of QR code security

As QR code usage continues expanding, organizations need proactive approaches to security rather than reactive responses to successful attacks. This means treating QR codes as potential attack vectors in security planning and ensuring that authentication systems can withstand credential compromise from any source.

The goal isn’t eliminating QR codes from business operations – they provide genuine convenience and efficiency benefits. Instead, organizations should build security frameworks that assume credential compromise will occur and focus on limiting the damage when it does.

QR codes aren’t going away, but neither are the attackers who exploit them. The organizations that get ahead of quishing attacks are those that assume credential compromise is inevitable and build their security accordingly. For organizations looking to strengthen their overall authentication posture against social engineering attacks like quishing, evaluating current password policies and service desk procedures provides a solid foundation for defense against evolving threats.

Consider implementing Specops Password Policy to enforce strong, unique passwords and continuously scan your Active Directory for over 4 billion compromised passwords. When employees encounter sophisticated quishing attacks, robust password policies ensure that compromised credentials can’t be leveraged across multiple systems. Book a Specops Password Policy live demo today.


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years’ experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.
