QR code phishing ("quishing") — email instructs victim to scan a QR code with phone camera to "verify identity" or "access a document", bypassing link scanners because the URL is in an image; APWG H2 2023: 587% surge; Cofense 2024: 17% of credential-phishing emails use QR codes

Phishing emails that instruct the recipient to scan a QR code with their phone camera to "verify their identity," "access a shared document," or "complete a required action" — bypassing enterprise email security scanners because the malicious URL is encoded inside an image rather than a clickable link. The QR code directs victims to credential-harvesting pages mimicking Microsoft, Google, DocuSign, or banking portals. Key facts: (1) APWG H2 2023 report: QR code phishing ("quishing") volumes surged 587% in the second half of 2023, emerging from near-zero to a mainstream attack vector in 18 months; Cofense 2024: 17% of credential-phishing emails now embed QR codes; (2) QR phishing is particularly effective against organizations with email-level URL filtering because image content is not scanned for URLs by most SEGs — victims are pushed to their personal phone where MDM protections are typically absent; (3) Common lures include Microsoft MFA QR codes ("scan to re-authenticate"), document-access QR codes ("scan to view your shared file"), and account-verification QR codes ("scan before your access expires in 24 hours"); (4) No legitimate enterprise service sends QR codes in unsolicited emails to satisfy authentication or document-access requests — genuine MFA uses authenticator apps already installed on the device. Warning signs: QR code in an unsolicited email, instruction to use phone camera, urgency about account suspension or expiry, no clickable link alternative provided.