Quishing — QR-code phishing — was a curiosity two years ago and is now the dominant initial vector in many of the campaigns we instrument. The shift has outpaced most awareness programmes, and mitigating it requires more than email-layer work.
The mechanism is simple. The phishing message contains a QR code rather than a clickable URL. The user scans it on a personal mobile device, leaving the corporate proxy and email-security perimeter entirely. Detection moves from corporate infrastructure to whatever mobile-threat tooling the device happens to have running — usually nothing.
This is not a fixable problem in the email layer alone. Image-OCR scanning catches some of the volume but adds latency, and adversaries are using techniques (image embedding within PDFs, dynamic QR generation, QR codes embedded in image-based signatures) that defeat naïve OCR.
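As an added illustration of the email-layer triage that catches part of the volume (example code, not the author's tooling), the Python below parses a raw MIME message and flags it when a scannable part (an image or PDF, including an inline image carried in a signature block) arrives together with language prompting the reader to scan it. It assumes the message is available as a string, uses a constructed sample lure, and deliberately does not decode the QR itself; that is where an OCR or decoder step would plug in at the image parts.

```python
import re
from email import message_from_string
# Language that asks the reader to scan something, and the usual pressure cues.
SCAN_PROMPT = re.compile(r"scan\W+(?:this|the)?\W*(?:qr|code)|with your (?:phone|mobile|camera)", re.I)
PRESSURE = re.compile(r"\b(?:mfa|authenticator|expires?|suspended|within \d+ hours?)\b", re.I)

def triage(raw_message):
    """Score one raw RFC 5322 message; 'suspect' needs a scannable part plus a scan prompt."""
    msg = message_from_string(raw_message)
    parts, chunks = [], []  # (content_type, inline?) of scannable parts; visible text chunks
    for p in msg.walk():
        ctype = p.get_content_type()
        if ctype.startswith("image/") or ctype == "application/pdf":
            disp = (p.get("Content-Disposition") or "").lower()
            parts.append((ctype, p.get("Content-ID") is not None or disp.startswith("inline")))
        elif ctype in ("text/plain", "text/html"):
            raw = p.get_payload(decode=True) or b""
            chunks.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    text = re.sub(r"<[^>]+>", " ", "\n".join(chunks))  # strip tags so HTML prompts are matched
    prompts, pressure = len(SCAN_PROMPT.findall(text)), len(PRESSURE.findall(text))
    score = 0
    if parts and prompts:
        score = 3 + min(pressure, 2)
        if any(inline for _, inline in parts):
            score += 1  # code arrives as an inline image, e.g. inside a signature block
        if any(ct == "application/pdf" for ct, _ in parts):
            score += 1  # code embedded in a PDF, which defeats plain image OCR
    return {"artefacts": len(parts), "prompts": prompts, "pressure": pressure,
            "score": score, "verdict": "suspect" if score >= 3 else "pass"}

# Constructed sample lure: HTML body plus an inline PNG (the QR) referenced by cid:.
LURE = """Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Your MFA enrolment expires within 24 hours.</p>
<p>Scan the QR code below with your phone to keep access.</p>
<img src="cid:qr1">
--b1
Content-Type: image/png
Content-ID: <qr1>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
if __name__ == "__main__":
    print(triage(LURE))
```

The scores and phrase lists are illustrative thresholds for the constructed sample, not tuned values; the point is that an image-only or PDF-only lure produces no URL for the email layer to inspect, so the text around the artefact is the remaining signal.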
Mobile device management posture, mobile threat detection capability, and explicit awareness training around mobile click-out are now load-bearing parts of an awareness programme. Most of our customers are still reasoning about "click the link" as the moment of compromise. The reality is that the moment of compromise increasingly happens on a device the corporate environment has no telemetry on.
For awareness training, the message has to evolve. The default training narrative — hover over the link to check the URL — is irrelevant in a quishing scenario; there is no URL to hover over. The new narrative is about context: should this email be asking me to scan a QR code? Why is this code being delivered by email rather than presented in a context where scanning would be expected (a printed flyer, a physical sign)?
We have added quishing-specific modules to our standard awareness curriculum and run quishing-vector campaigns as part of every simulation programme. The early data from clients running both email and quishing simulations suggests that quishing resilience develops independently of email resilience — the underlying behavioural mechanism is genuinely different.
Operational implications: review your MDM posture for personal-device scenarios; add QR-code awareness to your curriculum; include quishing campaigns in your simulation library; instrument the mobile click-out where you can.