Email Click Rates are Dead - Redefining Human Risk Management for the AI Era. Watch the Webinar. (opens in new tab)
Customers
Resources
Blog
Book a Demo
General

What Is Quishing? QR Code Phishing Explained

Quishing uses QR codes to route victims into phishing and fraud flows. Learn tactics, detection, and how to disrupt campaigns.

Doppel TeamSecurity Experts
January 26, 2026
5 min read

Quishing is QR code phishing. It uses a QR code to redirect a victim to an attacker-controlled destination that steals credentials, diverts payments, captures one-time codes, or initiates a fake support interaction. The QR code is the delivery method, and the scam flow behind it is the actual attack.

Quishing matters because QR scanning is now normal in work and daily life. That normalcy creates a fast, low-friction path into impersonation and social engineering campaigns, especially on mobile, where domain cues are harder to verify. External monitoring and campaign mapping can help teams identify the cloned pages, lookalike domains, redirectors, and impersonation accounts behind quishing campaigns, then prioritize disruption through coordinated takedowns and response workflows.

Summary

Quishing is QR-based phishing that uses a scannable code to move victims, often on mobile, into attacker-controlled infrastructure for credential theft, OTP harvesting, payment diversion, or fake support. It outperforms link phishing because the decision point shifts to the scan, URLs are hidden, mobile cues are weaker, and redirect chains let attackers rotate destinations without changing the code. Effective defense treats quishing as a campaign problem: monitor external surfaces for lookalike domains, cloned pages, redirectors, and fake accounts; integrate support and fraud signals; and prioritize coordinated takedowns and process hardening. Simulation and threat-informed training help, but impact comes from early detection and dismantling of infrastructure, where Doppel’s monitoring, mapping, and disruption workflows fit.

Quishing changes the risk calculus because the victim often commits to the scan before fully evaluating the destination. Many QR scanners show only a partial preview, making it easy to miss the full domain context. With link phishing, the decision point is usually the click. With quishing, the decision point is the scan, and scanning feels like a neutral utility action rather than a security decision. That shift matters operationally. QR codes are often presented as images (so there is no obvious URL to inspect in the message body), they push victims onto mobile browsers where the full domain is easy to miss, and they frequently route through redirect chains that can be swapped without changing the QR code itself. The end result is a campaign that scales faster, is harder to spot at a glance, and is easier for attackers to keep alive even after single-page takedowns.

What Does a Quishing Attack Typically Look Like?

The QR code is rarely the “clever” part. The persuasion and the infrastructure are. Most quishing attacks follow a predictable arc:

  1. A believable prompt appears in a channel where scanning feels normal: email, SMS, social, printed mail, a poster, a package insert, a support chat, or an internal notice.
  2. A QR code is presented as the next step: verify identity, unlock an account, confirm a payment, review a document, or contact support.
  3. The scan lands on attacker infrastructure: a cloned login page, a fake support portal, a payment page, or a redirect chain that fingerprints the device before routing to the final lure.
  4. The flow escalates: credential entry, MFA fatigue prompts, OTP harvesting, remote access tool installation, or a “verified callback” that routes to the attacker instead of the real brand.

Why QR Codes Change Victim Behavior

A clickable link gives a split second to hover, inspect, and second-guess. A QR code removes that pause. The scan action feels mechanical, and the victim often expects the phone to open a legitimate item. That expectation becomes leverage, especially when the lure is wrapped in brand language and a familiar process.

What Are the Primary Quishing Goals?

Quishing goals map cleanly to the outcomes fraud and security leaders see:

  • Account takeover: capture credentials and MFA tokens, then abuse password resets and recovery workflows.
  • Payment theft: redirect invoice payments, collect “verification fees,” or push gift card and wallet transfers.
  • Refund and loyalty abuse: compromise accounts tied to stored value, rewards, and refund eligibility.
  • Support channel manipulation: reroute customers into fake support, callback scams, or remote access sessions that lead to data theft and further fraud.

Why Do Attackers Use Quishing in Brand Impersonation Campaigns?

Attackers use quishing because it improves conversion and fits cleanly into the exact impersonation playbooks that already work on customers and employees. The QR code is not the “hack.” It is the fastest handoff from a believable brand moment to attacker-controlled infrastructure, usually on a mobile device, where verification signals are weak. That handoff helps attackers move victims into credential theft, payment diversion, and fake support flows before the victim or the brand can slow the interaction down.

Quishing Turns Brand Familiarity Into a Shortcut

Brand impersonation relies on recognition. QR codes amplify that effect because scanning is now a normal behavior. People scan to check menus, track packages, access tickets, log into apps, and pull up support content. Attackers copy that normal pattern and attach it to a fake prompt that feels routine.

Common brand-wrapped prompts include:

  • “Scan to verify your account to prevent a lockout.”
  • “Scan to confirm a delivery issue or address update.”
  • “Scan to access secure support chat.”
  • “Scan to review a document or updated policy.”

In each case, the brand context supplies legitimacy. The QR code supplies speed. The victim supplies the rest.

Phishing links often fail because the URL is visible. People hover, security tools rewrite links, and suspicious domains can stand out in the message. Quishing reduces those points of failure:

  • Since the QR code is an image, the URL is not visible in the message body.
  • The scan often happens on a phone, not on a managed workstation.
  • Mobile browsers truncate domains and hide full paths, which makes “close enough” domains more effective.
  • The victim is more likely to complete the action quickly because scanning feels like a utility step.
  • Defenders can still extract and analyze QR destinations, but the attacker benefits when the human recipient never sees a plain-text URL, and the risky step moves to a less controlled device.

This is why quishing is showing up in flows where the attacker needs momentum, such as MFA capture, payment approvals, and support impersonation.

Quishing Makes Multi-Channel Scam Flows Easier to Run

Modern brand scams are rarely single-channel. Quishing is a clean connector across channels because it moves the victim from whatever channel the attacker controls into a web experience that the attacker fully controls.

Common multi-channel flows include:

  • SMS to QR to fake login: A “delivery problem” text pushes a QR code. The scan lands on a cloned portal that collects credentials and one-time codes.
  • Social DM to QR to fake support: A fake support account “helps” the victim, then sends a QR code to “verify the case.” The landing page routes to a callback scam or collects identity data.
  • Email to QR to mobile: An email that might be scrutinized on desktop uses a QR to push the risky step onto a phone, outside many enterprise controls.
  • QR-to-voice escalation: The QR landing page displays a “verified support number.” The number is attacker-controlled. That is where deepfake or scripted vishing can close the deal.

This is also why quishing increases contact center volume. Victims get pulled into fake support first, then show up at real support confused and angry when money is gone, or access is lost.

Redirect Chains Let Attackers Rotate Infrastructure without Reprinting Codes

Attackers like anything that keeps campaigns alive after takedowns. Quishing supports that through redirect chains and modular hosting.

A single QR code can point to a redirector. The redirector can route to different final pages based on time, location, device type, or whether the victim has already visited. If a landing page is removed, the attacker swaps the destination behind the redirector and continues. Physical QR stickers and widely shared QR images become durable assets for the attacker because the code does not need to change as the campaign evolves.

For defenders, this is the difference between removing one URL and dismantling a kit. It pushes brands toward campaign mapping and infrastructure clustering, which is a core reason external monitoring matters in Doppel’s world.

Quishing Aligns With the Highest-ROI Brand Abuse Outcomes

Attackers choose tactics that monetize quickly and repeatedly. Quishing routes victims into the outcomes that produce immediate financial and operational impact:

  • Account takeover tied to brand trust: Captured credentials and OTPs lead to fraud, stored value theft, and identity takeover.
  • Refund and chargeback abuse: Fake “refund verification” pages collect data that enables account access and refund manipulation.
  • Loyalty and rewards theft: QR lures that promise rewards or warn about expiring points push victims into credential capture.
  • Support channel abuse: Fake support portals and callback scams harvest identity details, then drive unauthorized actions through real support processes.

Each outcome ties back to metrics leaders actually feel. More ATO tickets. Higher fraud losses. Higher chargebacks. Higher support volume. Longer time spent handling escalations and reputational cleanup.

Quishing Exploits Gaps in Process Design, not Just User Judgment

Quishing campaigns often work because business processes are easy to abuse once a victim is in the wrong place:

  • Account recovery flows that rely on weak identity proofing.
  • Refund processes that can be manipulated with partial PII.
  • Loyalty transfers that lack strong step-up verification.
  • Support channels that accept inbound requests without verified callbacks.

Attackers use QR codes to get victims to self-initiate these processes from attacker-controlled pages. That makes it harder for the victim to realize they are off the real path.

This is where Doppel-aligned defenses show up as more than “training.” Programs that connect external threat intelligence to internal process hardening tend to reduce repeat abuse.

Quishing Benefits from AI-Assisted Persuasion and Realistic Branding

Attackers can now generate brand-consistent language and visuals fast. That matters because QR lures succeed when they feel like the brand. It also matters because attackers can A/B test. They can iterate on the copy, page layout, and escalation prompts until conversion improves.

Some campaigns add convincing “support chat” experiences, scripted agents, or spoofed voice prompts that push urgency. The QR code becomes the first clean handoff into that controlled environment.

How Doppel Fits This Threat Model

In a quishing context, the defensive advantage comes from seeing and disrupting the external campaign components early. That means identifying the cloned pages, lookalike domains, fake support portals, and impersonation accounts that drive scanning behavior. Doppel supports social engineering defense and digital risk protection by mapping campaign infrastructure, prioritizing the components most likely to scale, and helping teams run disruption workflows that reduce time-to-takedown and repeat victimization.

Why Quishing Performs Well on Mobile

Mobile is a structural advantage for attackers:

  • Address bars truncate URLs and hide full paths.
  • Many scans happen on unmanaged devices outside corporate browser controls.
  • Victims multitask while scanning, reducing the likelihood of verification.
  • A realistic clone page looks more convincing on a small screen because visual cues dominate over technical cues.

This is why quishing shows up in campaigns that rely on speed. The goal is to keep the victim moving before doubt kicks in.

How Quishing Enables Multi-Channel Scam Flows

Quishing rarely exists alone. It often connects channels:

  • SMS or messaging apps deliver the initial prompt, QR code routes to the scam site.
  • Social media impersonation starts the conversation, QR code “verifies” the next step.
  • Email delivers a “secure” QR to bypass filters that focus on URLs.
  • Voice closes the deal when the destination page triggers a callback scam or a fake support session.

A common pattern is “scan to verify, then call.” Another is “scan to confirm, then log in.” These are not random. They are optimized for the brand processes victims already recognize.

How AI-Assisted Social Engineering Makes Quishing Feel Legitimate

Generative tooling helps attackers quickly tailor lures that match a brand’s tone, product names, and customer workflows. QR-based lures benefit from that polish because the victim is already primed to believe the code is a legitimate shortcut.

How Do Quishing Campaigns Work End-to-End?

Quishing campaigns work end-to-end as repeatable, modular scam systems, not one-off QR codes. The QR code is just the handoff mechanism that moves the victim from a channel the attacker can easily seed, such as email, SMS, social DMs, or physical placement, into an attacker-controlled web experience where the real theft occurs. From there, attackers rely on three things to scale. Distribution, infrastructure that can rotate quickly, and a script that reliably pushes victims into high-value actions like credential entry, one-time code submission, account recovery, or a “verified” callback. The strongest campaigns are built like kits. The same QR image can stay in circulation while the destination changes behind redirectors, the same cloned page template can be reused across brands, and the same fake support playbook can be adapted across channels. That is why defending against quishing requires campaign-level thinking. It is about mapping and disrupting the infrastructure and distribution nodes, not only removing a single landing page after victims have already scanned.

How Do Attackers Distribute QR Codes at Scale?

Distribution falls into two buckets.

Digital distribution often includes email, SMS, messaging apps, and social DMs. The QR code is embedded as an image, so basic URL scanning tools have less to work with.

Physical distribution often includes posters, stickers, table tents, package inserts, and “official-looking” internal notices. Sticker overlays are common. Attackers place a malicious QR code over a legitimate one in a high-trust location, then wait for routine scanning to complete the attack.

How Do Redirect Chains Support Quishing?

Many campaigns use redirect chains to increase resilience:

  • A first hop that looks benign.
  • A tracking hop that fingerprints the device and locale.
  • A brand-selection hop that personalizes the lure.
  • A final landing page that clones login, support, or payment.

This chain lets attackers swap the final destination without replacing the QR code. That matters when physical codes are already deployed or when an image is circulating widely.

What Do Quishing Landing Pages Typically Do?

The most common landing behaviors are:

  • Credential capture: a clone of consumer login, SSO, HR portals, or payment accounts.
  • OTP and MFA capture: prompt for a one-time code “to verify,” then reuse it immediately.
  • Fake support escalation: a support portal that pushes a callback, chat, or tool installation.
  • Malicious downloads: a “security update” app, a profile install, or a remote access tool disguised as support software.

Where Does Quishing Show Up in the Real World?

Quishing shows up wherever scanning already feels normal, and that is the point. Attackers do not need to convince someone to do a weird thing. They just need to place a QR code inside a routine moment where speed and convenience win, then steer the victim into an impersonation flow that feels like the legitimate brand. In practice, that means quishing appears across both digital and physical surfaces. It shows up in customer-facing channels like SMS, email, and social support threads, and in the physical world through posters, stickers, package inserts, and signage, where victims assume the code was placed there by a trusted organization.

The most reliable indicator is the context. Quishing is usually tied to a process that already has urgency or consequences, like delivery issues, refunds, account security, payroll, or IT access. That context creates compliance, and the QR scan becomes the frictionless bridge into an attacker infrastructure that can rotate faster than most brands can respond.

What Are Common Customer-Facing Quishing Lures?

  • Delivery and order issues: “problem with delivery,” “confirm address,” “reschedule drop-off.”
  • Refund and billing prompts: “refund pending,” “payment method expired,” “charge reversal confirmation.”
  • Support escalation: “scan to open a secure support session,” “scan to verify account ownership.”
  • Loyalty program hooks: “points expiring,” “reward redemption requires verification.”

These lures often redirect to lookalike domains, fake support portals, or cloned login pages that capture credentials and OTPs.

What Are Common Employee-Facing Quishing Lures?

  • HR and payroll changes: “update direct deposit,” “review benefits enrollment,” “scan to sign policy update.”
  • IT and access prompts: “reset MFA,” “re-verify device,” “scan to restore access.”
  • Finance and vendor flows: “review invoice,” “scan to approve payment,” “scan to validate bank details.”

These often target teams with authority over money, credentials, or identity verification.

What Are the Best Ways to Detect Quishing before It Harms Customers?

The best detection happens before the first customer complaint, which means looking for attacker infrastructure and distribution signals, not waiting for victims to self-report. Quishing is usually just one entry point into a broader impersonation campaign. The same operators often reuse cloned site templates, lookalike domains, redirector services, and fake support accounts across multiple runs. That creates patterns defenders can spot early if they are monitoring the right external surfaces. Effective detection combines three inputs. Early warning from external monitoring that flags new brand-aligned scam assets, operational signals that show scam pressure building (like spikes in “is this real” contacts or unusual account recovery activity), and fast validation workflows that can confirm whether a QR destination is legitimate or part of a rotating redirect chain. Done well, this shifts the organization from reactive cleanup to proactive disruption. It reduces time-to-identify, time-to-takedown, and repeat victimization by removing the infrastructure that enables quishing to scale.

What Signals Indicate a Quishing Campaign Is Active?

Useful signals tend to cluster:

  • A spike in customer complaints about “verification QR codes” that the brand did not issue.
  • Increased contact center volume tied to account lockouts, refund confusion, and “support” experiences gone wrong.
  • A new wave of lookalike domains and cloned pages matching current promotions, seasonal themes, or trending support issues.
  • Fake social accounts are pushing victims to “scan to resolve” issues.

This is where social engineering defense framing matters. It focuses on the full campaign. It includes the fake website, the fake accounts, and the scripts that push victims into harmful actions.

How Can External Monitoring Surface QR Destinations Early?

Quishing destinations often use the same infrastructure as broader impersonation campaigns. Monitoring should look for:

  • Newly registered lookalike domains and reused hosting patterns.
  • Cloned login, support, and payment templates that match the brand’s UX.
  • Redirector hubs that repeatedly route to short-lived landing pages.
  • Fake support portals that reference brand-specific workflows.

Doppel's Brand Protection services actively monitor and mitigate risks associated with domain impersonation. Its external website monitoring focuses on seeing campaigns and kits rather than isolated URLs, which better matches how quishing operators reuse redirectors, templates, and distribution accounts.

What Role Does Domain Risk Play in Quishing?

Quishing frequently depends on domains that look “close enough” on mobile. That includes typos, subtle character swaps, and misleading subdomains. Domain risk is rarely the only signal, but it is a reliable early warning when combined with cloned content and distribution patterns.

How Should Organizations Respond When Quishing Is Reported?

Response should assume the reported QR code is the tip of a campaign, not a single bad link. If the organization treats quishing as a one-off, it will end up in a whack-a-mole cycle where the same operator rotates domains, pages, phone numbers, and fake accounts faster than the brand can remove them.

Capture the QR destination chain safely, identify what the attacker is trying to monetize (credentials, OTPs, payments, support access), and immediately pivot from the single report to related infrastructure and distribution nodes that indicate scale. At the same time, response needs to route through the business teams that feel the impact first, especially customer support and fraud operations, because they will see volume spikes, repeated victim stories, and the exact scam scripts being used. A strong response closes two loops at once. External disruption to reduce new victims, and internal hardening to reduce fraud outcomes when victims land on attacker assets. That is how brands reduce fraud loss, contain support load, and prevent the same campaign from reappearing next week.

What Should Be Collected During Triage?

High-signal collection includes:

  • The QR code image itself and where it appeared.
  • The full redirect chain, captured from a safe environment.
  • Screenshots and page source for the landing experience.
  • Any phone numbers, chat handles, or social accounts referenced.
  • Brand assets used: logos, product names, and support language.

This evidence helps identify related infrastructure and accelerates takedown workflows.

How Can Teams Disrupt the Campaign Instead of Chasing One Page?

Disruption should target the campaign components that enable reuse:

  • Cluster related domains by hosting, templates, and redirector relationships.
  • Identify associated fake accounts distributing the QR codes.
  • Track repeated lures and scripts tied to refunds, support, or account recovery.
  • Coordinate takedowns across domains, pages, and social properties, not only the final landing URL.

This approach aligns with social engineering defense and brand impersonation protection programs. It focuses on fake accounts, cloned sites, and repeatable infrastructure patterns.

How Should Customer Support Be Integrated into Response?

Quishing becomes visible in support first. Support teams should have:

  • A clear, repeatable intake path for QR-related reports.
  • A way to validate official brand QR codes versus fraudulent ones.
  • Verified callback and trusted-channel policies that prevent rerouting to attacker phone lines.
  • A feedback loop to security, so scams driving contacts are mapped and dismantled.

This is also where smishing (SMS phishing) overlaps, since many quishing campaigns start with SMS prompts.

What Are Common Mistakes to Avoid?

The biggest mistake is treating quishing as a single bad QR code rather than a repeatable impersonation campaign. Teams often chase the final landing page, measure vanity metrics, or push generic “be careful” guidance while the attacker rotates redirectors, lookalike domains, and fake support accounts. Another common miss is ignoring the business processes that are abused, like account recovery, refunds, loyalty, and callbacks, where real losses and support volume spike. Quishing becomes easier for attackers when responses are siloed, support reports are not structured into intelligence, and takedowns are executed one asset at a time rather than dismantling the kit.

Treating Quishing as a Training-Only Problem

Training helps, but quishing is powered by external infrastructure. Defense needs monitoring, takedowns, and process hardening. Behavior change works best when it is tied to the real campaigns hitting the brand, not generic “spot the phish” content.

Measuring Vanity Metrics Instead of Operational Outcomes

Scan rates and click rates are weak proxies. Better measures include:

  • Scam-driven contact center volume tied to QR lures.
  • Account recovery requests correlated with impersonation campaigns.
  • Fraud loss and chargebacks linked to fake support and payment diversion.
  • Time to identify, cluster, and remove related attacker infrastructure.
  • Repeat victimization rates after takedown actions.

These metrics connect directly to business impact and show whether defenses are actually changing outcomes.

Blocking Only One Domain or One Page

Attackers rotate. Redirect chains and disposable landing pages are designed to survive basic blocking. Successful programs map and remove the kit components that keep campaigns alive.

How Can Simulation Reduce Quishing Risk Over Time?

Simulation reduces the risk of quishing by testing the real decision points attackers exploit, then feeding the results back into controls and processes. Quishing is not just “did someone scan a QR code.” It is whether people recognize a suspicious prompt in context, verify the destination on mobile, follow trusted-channel rules for support and callbacks, and report quickly enough to disrupt the campaign before it spreads. Simulation improves readiness. It does not remove the external infrastructure driving the campaign, so it works best paired with monitoring and disruption.

Good programs also stop treating results as a click-rate leaderboard. They use simulations to identify where the organization is operationally fragile, like payroll changes, account recovery approvals, refund handling, and high-pressure support escalations, then harden those automation workflows. Over time, simulation works best when it is informed by external attack reality. The scenarios should mirror the lures and multi-channel handoffs currently affecting the brand, so behavior change and process fixes directly track to fewer successful takeovers, less refund abuse, and lower scam-driven support volume.

What Should Realistic Quishing Simulations Test?

High-value scenarios test:

  • Whether employees recognize suspicious “scan to verify” prompts.
  • Whether reporting happens fast enough to prevent scale.
  • Whether teams follow secure callback and trusted-channel policies.
  • Whether high-risk departments respond differently based on role and access.

This is where human risk management fits as an overlay discipline. It connects live external attacker behavior to internal behavior change and process improvement, then measures the result over time.

How Does Doppel Fit Into Quishing Readiness?

Doppel connects external detection and campaign mapping with simulation and resilience testing. That linkage matters because quishing is not a single-channel event. It is an external impersonation campaign that becomes an internal incident when victims act.

Key Takeaways

  • Quishing uses QR codes to route victims into phishing, fraud, and fake support flows, often on mobile, where verification cues are weaker.
  • The QR code is a delivery mechanism. The real threat is the external impersonation infrastructure and the multi-step scam flow.
  • Effective defense focuses on early detection and disruption of campaigns, including lookalike domains, cloned pages, redirect chains, and fake accounts.
  • The outcomes that matter are measurable: fewer impersonation-linked account takeovers, lower refund and chargeback losses, and reduced scam-driven support volume.
  • Doppel’s approach ties monitoring, campaign mapping, takedowns, and threat-informed simulation into a unified social engineering defense program.

Reducing Quishing Risk at Scale

Reducing quishing risk requires a campaign-level approach. It includes identifying where malicious QR destinations are being hosted, how victims are being routed, and which scripts are driving harmful actions. Quishing declines when the infrastructure is dismantled quickly, trusted channel policies prevent callback rerouting, and simulations reflect the actual tactics attackers use against the brand.

Frequently Asked Questions

Is Quishing the Same as Smishing?

Quishing and smishing often overlap, but they are not the same. Smishing is SMS-based phishing. Quishing uses QR codes as the handoff into the scam flow, sometimes delivered via SMS, email, social media, or physical placement.

QR codes hide the destination until after the scan, reducing the pause that often triggers skepticism. They also shift victims to mobile devices, where URL inspection is harder, and controls may be weaker.

What Is the Most Common Quishing Payload?

Credential theft and fake support escalation are common outcomes. Many campaigns aim to capture logins plus one-time codes, then immediately attempt account takeover or abuse account recovery.

Can Quishing Bypass Email Security Tools?

Many tools focus on URLs and known malicious domains. QR codes embedded as images reduce the visible URL surface area and can shift the dangerous interaction to a separate device. This does not make QR codes invisible, but it changes what needs to be inspected.

What Should Customers Be Told When Quishing Targets a Brand?

Customers should be directed to trusted channels the brand controls, such as official support URLs and verified phone numbers. Messaging should focus on concrete behaviors, such as verifying the domain after a scan and avoiding QR codes that demand credentials, OTPs, or payments outside normal workflows.

How Can Brands Reduce Quishing-Driven Support Load?

Brands reduce support load by quickly dismantling campaign infrastructure and hardening support flows. Verified callbacks, trusted-channel guidance, and rapid takedowns reduce repeat victimization and the downstream flood of “is this real” contacts.

Last updated: January 26, 2026

Related Articles

More insights on related topics.

View All Articles

Learn how Doppel can protect your business

Join hundreds of companies already using our platform to protect their brand and people from social engineering attacks.

Request a Demo