Today's threat: Quishing - phishing using QR codes. A simple twist on the ordinary phishing email that routes the malicious link around your mail security and onto an unmanaged phone, and why the gateway you already pay for probably doesn't catch it. Continues yesterday's Deepfake Voice Call piece.
What is Quishing
"Quishing" = QR code + phishing. Instead of putting a malicious link in the email body (which most security gateways now rewrite, scan, or block), the attacker encodes the link in a QR code. The code is rendered as an image inside the email, or shown on a poster, sticker, or printed flyer. The user scans it with their phone, and the phone's browser opens the URL. From there it is the same old phishing page and the same old credential theft; the only new part is the delivery.
Why it works in 2026
Three reasons. One: Most email security tools don't decode QR codes inside images by default. The URL exists only as pixels, so link rewriting, reputation lookups, and sandbox detonation never see it. Two: Scanning moves the click from a managed laptop to a phone, which usually sits outside the corporate web proxy (no Cisco Umbrella, no Zscaler, no enterprise browser), so the malicious site loads cleanly. Three: Users have been trained to scan QR codes everywhere - menus, parking meters, payment terminals, business cards. Scanning feels like a "trusted" action, so nobody pauses to ask who printed the code.
The three quishing variants you'll see this month
- Email-embedded. An email pretending to be from IT, your bank, or a delivery service contains a QR code "to verify your identity / track your package / reset your password". The image is inline in the email body, and there is often no clickable link at all - the image is the only call to action. Scanning leads to a credential-harvesting page.
- Physical sticker overlay. Attackers print stickers and place them over legitimate QR codes on parking meters, EV chargers, restaurant tables, or office posters. Anyone scanning sees the malicious site, typically a fake payment page. This has been widely reported in coastal US cities and is starting to appear in Tel Aviv.
- QR code in PDF attachment. A PDF "invoice" or "shipping document" contains a QR code that the recipient is asked to scan. Same logic: link scanners that inspect the email body find no URL, and few gateways render attachment pages and decode what is drawn on them.
How to spot a quishing attack
- QR code in a "verify your account" or "secure login" email. Banks, IT departments, and authentication services do not send you a QR code by email and ask you to scan it. Legitimate QR flows exist (enrolling an authenticator app, linking a desktop app to your phone), but you start those from inside an app or a site you are already signed in to; they do not arrive unsolicited. If one does - it's almost certainly malicious.
- The decoded URL doesn't match the claimed sender. When you scan, your phone previews the URL before opening it. Read the whole thing, not just the first few characters: "bankofexample.com" at the start of a hostname means nothing if the registered domain at the end is someone else's. A URL shortener or redirector in a "verify your account" code is a red flag by itself, because it exists to hide the real destination.
- QR codes in physical locations that look freshly stuck on top of older signage. Inspect for sticker edges, alignment that's slightly off, a code that is a different shade or finish from the sign around it, or a sign that looks recently handled. If in doubt, pay at the machine or type the operator's address yourself.
How to defend - personal
- Use a QR scanner that shows you the decoded URL and waits for a tap, rather than one that opens the link automatically. The built-in iOS and Android camera apps do this; some third-party scanner apps don't.
- Enable the fraud and malware warnings in your phone's browser. Safari on iOS ("Fraudulent Website Warning") and Chrome on Android ("Safe Browsing") both have this. It catches known malicious sites; a phishing domain registered yesterday won't be on the list yet, so treat it as a backstop, not a filter.
- If you must scan a code from an unfamiliar source, copy the URL out of the scanner result and look at it before opening it. Check the scheme, check the registered domain, check for an "@" in the address. If anything seems off - don't open it.
- Use a password manager, and let it do the typing. Even if you fall for the page, the manager won't auto-fill into a domain it doesn't recognize, as long as you don't override it by pasting the password in by hand. Where a service offers passkeys or a FIDO2 security key, use them: the credential is bound to the real site's origin, so a lookalike page gets nothing it can replay. That's your last-line defense.
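The "read the decoded URL" advice above, and the "copy it out and look at it" step, boil down to a handful of checks that are easy to get wrong under time pressure. The script below is an added example, not part of the original post: it takes a URL decoded from a QR code plus the domain the code claims to belong to, and reports what a careful human should notice. The shortener list, the suffix list and the sample URLs are constructed for illustration; a real tool would use the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, illustrative set of shorteners/redirectors often used to make
# the URL preview look harmless. Not exhaustive.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "cutt.ly", "qrco.de"}

# Constructed subset of two-label public suffixes so that "last two labels"
# is not wrong for e.g. bank.co.uk. Replace with the Public Suffix List in practice.
TWO_LABEL_SUFFIXES = {"co.uk", "co.il", "com.au", "co.jp", "org.uk"}


def registered_domain(host):
    """Return the registrable part of a hostname: the part somebody actually owns."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_scanned_url(url, expected_domain):
    """Return ("OK" | "SUSPICIOUS", reasons) for a URL decoded from a QR code.

    expected_domain is the registrable domain the code claims to be from,
    e.g. "bankofexample.com" for a code in a "bank" email or on a bank poster.
    """
    reasons = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # urlsplit lowercases this for us

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("plain http: no TLS, page can be altered in transit")

    # https://bankofexample.com@evil.example/ : everything before '@' is
    # userinfo; the browser connects to what follows it.
    if parts.username or parts.password:
        reasons.append("text before '@' in the URL; real host is what follows the '@'")

    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass

    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label in host (possible homograph of a brand)")

    if not is_ip and host:
        reg = registered_domain(host)
        exp = expected_domain.lower()
        if reg in SHORTENERS:
            reasons.append(f"shortener/redirector {reg} hides the final destination")
        elif reg != exp:
            brand = exp.split(".")[0]
            if brand in host:
                reasons.append(f"brand '{brand}' appears in host, but registered domain is {reg}, not {exp}")
            else:
                reasons.append(f"registered domain {reg} does not match expected {exp}")

    if len(url) > 200:
        reasons.append("very long URL; the interesting part may be hidden past the preview")

    return ("SUSPICIOUS" if reasons else "OK"), reasons


if __name__ == "__main__":
    # Constructed sample URLs of the kinds this post describes.
    samples = [
        "https://www.bankofexample.com/verify",
        "https://bankofexample.com.login-verify.net/",
        "https://bankofexample.com@203.0.113.5/login",
        "https://bit.ly/3abc",
        "http://xn--bnkofexample-9db.com/",
    ]
    for u in samples:
        verdict, why = inspect_scanned_url(u, "bankofexample.com")
        print(verdict, u)
        for r in why:
            print("   -", r)
```

The registered-domain comparison is the check that matters most: attackers rely on the brand name being the first thing you read, and on phone screens truncating the rest.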
How to defend - organizational
If you run IT or security at a company - here's the short list:
- Configure your email gateway (Mimecast, Proofpoint, Microsoft Defender for Office 365) to decode QR codes found in inline images and in attachments, including PDF pages, and to run the decoded URL through the same rewriting and reputation checks as a plain link. All three vendors offer this now; check that it is actually enabled in the policy that applies to your users, and that it covers attachments, rather than assuming the default.
- Train staff specifically on quishing - it is NOT covered by the "hover over the link" advice from regular phishing training, because there is no link to hover over. Show real examples, including the physical sticker variant.
- Deploy mobile device management (MDM) with web-content filtering (DNS or proxy based) on company-issued phones, so a scanned URL is checked on the phone the same way a clicked one is checked on the laptop.
- If you support BYOD, require employees to install a corporate DNS-filtering client (Cloudflare Gateway via the WARP client, NextDNS) or VPN on personal devices used for work, and enforce phishing-resistant MFA (passkeys or FIDO2 keys) on the accounts those devices reach.
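If your gateway cannot decode QR codes yet, you can still triage the shape of a quishing email, which the variants above describe well: an inline image or PDF, account-verification language, and no clickable link because the image is the call to action. The script below is an added example, not part of the original post or any vendor's product. It parses raw RFC 822 mail with Python's standard library, extracts the image and PDF parts a decoder would need, scores the lure signals, and accepts an optional decode_qr callback so the decoded URL can be handed on to your URL checks. The sample email, the placeholder PNG/PDF bytes and the stub decoder are constructed for illustration; in production the callback would wrap a real decoder such as OpenCV's cv2.QRCodeDetector().detectAndDecode.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import make_msgid

# Constructed placeholders: not a real QR code image and not a real PDF.
# They stand in for the bytes a real decoder would receive.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
FAKE_PDF = b"%PDF-1.4\n%placeholder\n"

LURE = re.compile(
    r"\b(verify|confirm|re-?activate|suspended|reset your password|"
    r"scan (the|this) (qr )?code|track your (package|parcel))\b", re.I)


def build_sample_eml():
    """Constructed sample: an 'IT helpdesk' mail whose only call to action is an
    inline image, plus a PDF 'invoice'. Returned as raw bytes, like a gateway sees it."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.net>"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Your mailbox will be suspended. Scan the QR code to verify.")
    cid = make_msgid(domain="example.net")
    msg.add_alternative(
        "<html><body><p>Your mailbox will be suspended in 24h.</p>"
        "<p>Scan the QR code below to verify your account.</p>"
        f'<img src="cid:{cid[1:-1]}"></body></html>', subtype="html")
    # Attach the image as a related part of the HTML alternative (inline image).
    msg.get_payload()[1].add_related(FAKE_PNG, "image", "png", cid=cid)
    msg.add_attachment(FAKE_PDF, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


def triage(raw, decode_qr=None):
    """Score one raw message for quishing signals.

    decode_qr, if given, maps image bytes -> list of decoded strings (URLs).
    Returns a dict with the verdict, the signals, and what a decoder would need.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    images, pdfs, texts = [], [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images.append(part.get_payload(decode=True))
        elif ctype == "application/pdf":
            pdfs.append((part.get_filename(), part.get_payload(decode=True)))
        elif ctype in ("text/plain", "text/html"):
            texts.append(part.get_content())

    body = "\n".join(texts)
    links = re.findall(r'href=["\']?(https?://[^\s"\'>]+)', body, re.I)

    signals = []
    if images and not links:
        signals.append("inline image but no clickable link: the image is the call to action")
    if pdfs:
        signals.append("PDF attachment that may carry the QR code instead of the body")
    m = LURE.search(body)
    if m:
        signals.append(f"lure phrase: {m.group(0)!r}")

    decoded = []
    if decode_qr:
        for img in images:
            decoded.extend(decode_qr(img))      # hand image bytes to the real decoder

    verdict = "QUARANTINE" if len(signals) >= 2 else "ALLOW"
    return {"verdict": verdict, "signals": signals, "images": len(images),
            "pdfs": [name for name, _ in pdfs], "links": links,
            "decoded_urls": decoded}


if __name__ == "__main__":
    # Stub decoder (constructed): pretends the image decoded to a lookalike URL.
    stub = lambda img: ["https://bankofexample.com.login-verify.net/"]
    print(triage(build_sample_eml(), decode_qr=stub))
```

The image-without-link signal is the one worth tuning first: marketing mail is full of images, but it almost always has links too, whereas a quishing lure deliberately has none. Feed decoded_urls into whatever URL reputation or rewriting step your gateway already applies to ordinary links.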
Tomorrow's threat
Browser-in-the-browser attacks - the latest evolution of credential theft, where the entire "Sign in with Google" or "Sign in with Microsoft" popup is fake: it is drawn with HTML and CSS inside the page you are already on, so the address bar you see belongs to the fake popup, not to a real window, and even technical users miss it. Same series, weaponized differently.