Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
STAR for AI
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Trusted AI Safety Expert (TAISE)
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
ChaptersEventsBlog
We're exploring how organizations adapt IAM to AI. Take the AI Identity and Risk Readiness Survey by September 5 →

Quishing is Here, and It’s Hiding in Plain Sight

Published 07/31/2025

Home
Industry Insights
Quishing is Here, and It’s Hiding in Plain Sight

Written by David Balaban.

 

I still remember when QR codes were novelty tech – quirky black-and-white boxes printed on event flyers or hidden on product packaging, waiting to be scanned for a quick surprise. These days, though, that innocent square can be a silent predator. Walk into any cafe, and there’s likely a QR code for menus. Parking meters flash them on digital screens. Gym check-ins, contactless payments, even church donations have gone touchless thanks to QR. But behind that promise of convenience, there’s a gaping hole most people don’t even realize: the sheer ease with which those codes can be weaponized.

Hackers don’t need to breach a firewall when they can just tape over a code. And in public spaces where people don’t question signage, that’s frighteningly easy. The result? You scan what looks like a parking invoice and unknowingly open a phishing site. These attacks aren’t flashy. They’re invisible, and that’s exactly what makes them effective.

 

The Rise of Quishing: From Novelty to Nightmare

Quishing, the portmanteau of “QR” and “phishing,” is one the latest evolutionary spinoffs of social engineering. Instead of clicking a link in an email, you’re scanning it from a flyer or a digital screen. What makes this so dangerous is how naturally it blends into our everyday routines. In January 2022, police in Austin, Texas, discovered fake QR codes on parking meters that redirected users to fraudulent payment portals. That incident wasn’t isolated. Similar attacks popped up in San Francisco, New York, and Sydney.

Unlike traditional phishing, which often involves giveaways such as dubious grammar or poorly spoofed websites, quishing sites can be visually flawless. Some even replicate government portals or payment gateways with uncanny accuracy. The difference is, you never typed the URL yourself. You just scanned and trusted.

Security researchers are now flagging this as a major blind spot. Because users initiate the scan, they assume control. But that illusion of control is what makes the tactic so effective. Even seasoned IT professionals have fallen victim.

In response to this growing tactic, it’s becoming increasingly important for the public to learn about quishing – not just as a term, but as a tangible threat lurking behind the most casual digital interactions.

 

Public Spaces: The Ideal Hunting Grounds

Think about the last time you scanned a code in a restaurant. Did you pause to inspect the source? Probably not. Most of us are conditioned to trust what’s in front of us, especially if it’s laminated, mounted, or looks official. Airports, hospitals, gyms, cafes – these are high-traffic zones where QR codes proliferate. And they’re precisely where attackers plant their traps.

 

Low-Security, High-Risk Environments

A 2024 report from a cybersecurity consultancy highlighted an uptick in QR-based scams in libraries and community centers, where printed flyers and public bulletin boards are common. These aren’t high-security environments. Anyone can walk in and swap out a code. In a test conducted by researchers, 61% of people scanned unverified QR codes in under 5 seconds. That statistic alone reveals the low barrier of entry for attackers.

Even marketers have unintentionally expanded the threat surface, especially when relying on widely distributed flyers or promotional materials. Without safeguards, the risks compound. And practices like embedding QR codes safely into direct mail campaigns become critical, particularly in sectors that regularly target large public audiences.

What makes it worse is how ephemeral these attacks are. A malicious QR code can be removed in seconds. By the time someone reports the scam, the attacker has already harvested credentials, tokens, or payments.

 

The Tech Behind the Trick

To understand how quishing works, you have to look beyond the code itself. QR codes are just carriers – they point to URLs, and those URLs can lead anywhere. Once scanned, the link might redirect to a spoofed login page, a malicious file download, or even silently trigger data exfiltration through a script.

 

How Scans Become Scams

Attackers often use URL shorteners to mask the destination. A scan might take you to bit.ly/safe-checkin, but the backend redirects to a credential-harvesting page hosted on an obscure domain. Because most mobile browsers offer limited visibility into the redirect chain, users rarely notice until it’s too late.

Some codes exploit device-level permissions too. On Android, for example, a site can request camera, GPS, or file access once opened. If the user grants those permissions, as many do reflexively, the damage escalates. And while antivirus apps are catching up, many mobile defenses are still tuned for app-based threats, not URL-triggered scripts.

Yet, many of these outcomes could be prevented at the development level by integrating security into custom software design from day one, rather than patching issues after deployment.

 

Fighting Back: Awareness and Verification

The first line of defense is awareness. QR codes should be treated with the same caution we extend to email attachments – with skepticism and intent. Before scanning, take a moment to assess the source. Is it clearly tied to the business it represents? Is the code tamper-proof, part of a digital screen, or printed on trusted signage? Anything that looks unusual or feels out of place deserves a second thought.

 

Defensive Measures at Every Level

Technology is catching up, albeit slowly. Some smartphones and third-party apps now preview full URLs before they open. Others are experimenting with domain whitelisting and warning systems for known phishing sites. Still, without consistent OS-level enforcement, personal skepticism remains the best firewall.

But individual awareness can only go so far. Businesses and institutions must design their QR implementations to be resistant to tampering. Cafes, for instance, should secure physical codes with branding or lamination. Digital kiosks should routinely verify the integrity of the destinations they point to. Public buildings need internal audits of all code placements, because once trust is breached, it’s not just a user who suffers, but the institution itself.

These principles apply just as critically to financial interactions. Whether it’s a tap-to-pay terminal or a QR code linking to a payment page, multi-layered financial security protocols are essential to blocking the chain of compromise before it starts.

That means thinking holistically. For example, businesses that support QR-based payments should ensure that their customer experience aligns with basic safety protocols for mobile transactions, reducing the risk of fraudulent scans.

And on the institutional level, security isn’t complete without a firm grip on the extended network. That includes vetting third-party vendors with comprehensive risk management strategies to close off secondary paths attackers often exploit.

 

Why “Just Scanning” Isn’t Harmless Anymore

There was a time when scanning a QR code was like picking up a penny – low risk, quick payoff. Now, it’s closer to opening a sealed envelope you found on the sidewalk. You just don’t know what’s inside.

We’ve created a culture of scan-first-think-later. And it’s not just tech-savvy users who are at risk. Grandparents, kids, travelers, frontline workers – everyone uses QR codes these days. The attack surface has expanded in every direction. There’s no firewall for human trust, but there can be guardrails.

The next time you reach for your phone to scan, pause. Tilt your head. Look twice. Because the code might not be what it seems.

Top ThreatsVulnerabilities

Share this content on your favorite social network today!

Future Cloud
Related Resources
Certificate of Competence in Zero Trust (CCZT)
The industry's first Zero Trust certificate program.
AI Organizational Responsibilities
A blueprint for enterprises to secure AI development and deployment.
AI Safety Initiative
Addressing present and future challenges of AI safety and security.
Latest from CSA
Register Now for CSA's Virtual AI Summit 2025
Secure IAM for Agentic AI Systems
Participate in the Data Security in AI Environments Peer Review
Unlock Cloud Security Insights

Unlock Cloud Security Insights

Choose the CSA newsletters that match your interests:

Subscribe to our newsletter for the latest expert trends and updates

Level up with Cloud Infrastructure Security Training
Related Articles:
Vulnerability Management Needs Agentic AI for Scale and Humans for Sense

Published: 08/22/2025

Looking Back on a Successful Social Engineering Attack: Retool 2023

Published: 08/18/2025

Assets Under Attack: Email Threats Targeting Financial Services Jump 25%

Published: 08/14/2025

Inadequate Database Security: A Case Study of the 2023 Darkbeam Incident

Published: 08/04/2025