Phishing has always depended on a victim following a link to a fake page. For two decades, the defenses evolved around that link: email gateways scan URLs, browsers check them against blocklists, and security training drills one habit — hover over a link and read it before you click. Quishing defeats all three by replacing the link with a picture of a link.
A QR code embedded as an image carries no text for a scanner to extract. There is no URL to hover over on a phone camera viewfinder. And the human eye cannot decode a QR code — by definition, you find out where it goes only by going there. The attack is not technically sophisticated. It simply targets a gap that the rest of the security stack left open.
Why Quishing Bypasses Email Filters
Most quishing campaigns arrive by email, and the reason they survive the trip is structural. A traditional phishing email contains a hyperlink — a string a gateway can extract, resolve, and check against threat intelligence. A quishing email contains an image. The malicious URL is encoded in the visual pattern of that image, and a filter that scans text and links sees nothing to flag.
It gets worse. Even a gateway sophisticated enough to render images and decode embedded QR codes faces a second move: attackers nest the code inside a PDF or other attachment, or use a QR code that points to a legitimate redirect service which only later bounces to the malicious site. Each layer is one more step the automated scanner has to take, and many do not.
The other reason quishing works: it moves the victim from a managed computer to a personal phone. Corporate laptops often have endpoint protection, DNS filtering, and locked-down browsers. The phone that scans the code usually has none of that — and a small screen that hides the full URL. The attack deliberately routes you onto the weakest device you own.
What the Codes Are After
Once you scan and tap, a quishing destination behaves like any phishing page. The common goals:
- Credential capture — a convincing clone of a login page for email, a bank, or a workplace single-sign-on portal.
- Multi-factor relay — a real-time proxy that forwards your password and your one-time code to the genuine site, defeating app-based and SMS 2FA. This is why hardware security keys matter — they cannot be relayed.
- Payment fraud — fake parking meters, restaurant menus, and "pay here" stickers that route money to the attacker.
- Malicious app installs — pages that push you to sideload an app or grant a malicious one permissions.
The physical-world variants deserve attention. Because a QR code is just printed squares, an attacker can print a sticker and place it over a legitimate code — on a parking meter, an EV charger, a restaurant table, a public-transit poster. The surrounding context still looks trustworthy. Only the code underneath changed.
Why Codes Are Uniquely Hard to Vet
The defining problem is the absence of a preview. Compare the inspection options:
| Vector | Can you inspect before committing? |
|---|---|
| Link in a desktop email | Yes — hover to read the real URL before clicking |
| Link in a webpage | Yes — status bar shows the destination |
| QR code | Partially — only if your scanner shows the URL and you read it before tapping |
| Shortened / redirect URL | No — the visible link hides the final destination |
A QR code that resolves to a shortened URL combines the worst of two rows: you cannot read the code, and even decoded, the URL hides its real endpoint. This is the same trust-on-first-use problem that runs through homograph phishing and OAuth consent attacks — the surface looks right, and the deception is one layer down.
How to Scan Safely
Quishing is defensible without paranoia. A few habits close most of the gap:
- Always preview the URL. Modern phone cameras and scanner apps show the decoded URL before opening it. Treat that preview as mandatory reading, not a formality. If your scanner does not show it, switch to one that does.
- Read the domain, not the path. The trustworthy part of a URL is the registered domain: the end of the host name, just before the first single slash. Everything after it can say anything, and so can the subdomains in front of it. your-bank.secure-login.example.com is on example.com, not your bank.
- Distrust QR codes in email entirely. A legitimate organization emailing you almost never needs a QR code — you are already on a device that can take a link. A QR code in an email asking you to "verify" or "re-authenticate" is a strong red flag.
- Inspect physical codes for tampering. A sticker placed over another sticker, a code that looks freshly applied, or one that does not match the surrounding print quality — all reasons to skip it and find an official channel.
- Never enter credentials on a page you reached by QR code. If a scanned code lands on a login screen, stop. Open the site yourself, by typing the address or using a saved bookmark.
- Use phishing-resistant authentication. A passkey or hardware key bound to the real domain will simply not work on a look-alike site, which neutralizes the credential-capture goal entirely.
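As an added example (not code from the original post or from Haven), the Python below applies the "read the domain, not the path" rule to a URL decoded from a QR code: it extracts the registered domain, flags the shortener/redirect case from the table above, and catches a brand name hiding in a subdomain, path or userinfo. The public-suffix and redirector lists are constructed stand-ins for the real Public Suffix List and a real shortener list.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real tool would load
# the full list (for example through the tldextract package).
PUBLIC_SUFFIXES = {"com", "net", "org", "ly", "co.uk"}
# Constructed sample of shortener/redirect hosts whose visible name hides the endpoint.
REDIRECTORS = {"bit.ly", "t.co", "tinyurl.com"}


def registered_domain(host: str) -> str:
    """Return the registrable domain: 'a.b.example.com' -> 'example.com',
    'login.bank.co.uk' -> 'bank.co.uk'. The longest public suffix wins."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def triage(url: str, expected_domains: set[str]) -> dict:
    """Check a decoded QR URL against the registered domains the user meant to reach.
    Returns the host, its registered domain, a safe flag and the reasons it failed."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    reg = registered_domain(host)
    reasons = []
    if parts.scheme not in ("http", "https"):
        # tel:, sms:, intent: and similar launch something other than a web page.
        reasons.append(f"non-web scheme {parts.scheme!r}")
    if parts.username is not None:
        # In 'https://your-bank.com@evil.example/' the text before '@' is not the host.
        reasons.append("userinfo before '@' disguises the real host")
    if reg in REDIRECTORS:
        reasons.append("shortener/redirector hides the final destination")
    if reg not in expected_domains:
        reasons.append(f"registered domain is {reg!r}, not an expected one")
        # A brand name that appears only in the subdomain or path is a look-alike signal.
        for name in (d.split(".")[0] for d in expected_domains):
            if name in host or name in parts.path.lower():
                reasons.append(f"brand name {name!r} appears outside the registered domain")
    return {"host": host, "registered_domain": reg,
            "safe": not reasons, "reasons": reasons}
```

Run triage on the URL your scanner previews, with the domain you intended to visit as the expected set; anything other than an empty reasons list is the cue to type the address yourself instead.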
The single rule that defeats most quishing: a QR code is a navigation shortcut, never an identity. Scanning it should take you somewhere; it should never be the reason you trust where you arrived.
Where Haven Fits
Haven cannot stop a sticker on a parking meter, and we will not claim to. What good architecture does is shrink the payoff of the attacks that land in your inbox. Haven sanitizes inbound email and routes remote images through a proxy, so a quishing email cannot use embedded content to fingerprint or redirect you behind the scenes. And because account access is bound to keys derived on your own device, a credential-capture page has far less to steal — there is no reusable password sitting on a server for an attacker's clone to harvest.
No app substitutes for the habit of reading a URL before you trust it. Quishing works on attention, not on broken cryptography. Haven is one option that defaults to treating inbound content as untrusted — but the decisive defense is the half-second you spend reading the domain before you tap.