A recent Unit 42 threat analysis highlights a significant and growing threat vector: QR codes weaponized for phishing and malware delivery. While QR codes were originally introduced as a simple way to encode and share URLs or other data, attackers have learned to exploit their ubiquity and inherent trust to lure users into malicious interactions. Because QR codes embed encoded URLs that traditional security tools often cannot inspect, they allow attackers to bypass standard email and URL filters and redirect victims directly to credential-harvesting pages or malicious downloads. In the aforementioned report, daily detections of QR codes include tens of thousands of instances — with an estimated 15% of scanned QR pages leading to malicious destinations — underscoring the scale and persistence of this threat. This is aligned with Zimperium telemetry, where we see a steady flow of phishing threats coming from QR code scans.
This type of attack, commonly referred to as quishing (QR-phishing), thrives on several factors that make it especially effective against mobile users. First, many mobile users instinctively trust QR codes because they are used widely in retail, logistics, payments, and customer engagements; this lowers user vigilance when scanning codes on mobile devices. Second, QR codes often incorporate shortened URLs, in-app deep links, or multi-stage redirect chains that conceal the true destination until after the scan, making it difficult for on-network or email-based security controls to catch them before the user’s device makes the connection. These evasion techniques — hiding malicious endpoints behind benign-looking URLs or leveraging app-specific deep links — allow attackers to trigger credential captures or malware installations that appear legitimate to end users and evade many conventional defenses.
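To make the three concealment traits above concrete for defenders, here is an added example (not code from Unit 42 or Zimperium) that statically triages an already-decoded QR payload without fetching it. The shortener list, flag names, and sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed sample list, for illustration only; maintain your own in practice.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
WEB_SCHEMES = {"http", "https"}

def split_or_none(text):
    """urlsplit that returns None instead of raising on malformed input."""
    try:
        return urlsplit(text.strip())
    except ValueError:
        return None

def nested_targets(url):
    """http(s) URLs carried as query-parameter values of `url`."""
    parts = split_or_none(url)
    found = []
    for _, value in parse_qsl(parts.query if parts else ""):
        inner = split_or_none(value)
        if inner and inner.scheme.lower() in WEB_SCHEMES and inner.hostname:
            found.append(value)
    return found

def triage(payload, max_hops=5):
    """Flag concealment traits in a decoded QR payload without fetching it."""
    parts = split_or_none(payload)
    if parts is None:
        return ["unparseable"]
    if not parts.scheme:
        return ["no-scheme"]
    if parts.scheme.lower() not in WEB_SCHEMES:
        return ["non-web-scheme"]  # e.g. an app deep link a web filter never sees
    flags, hops, frontier = set(), 0, [payload]
    while frontier and hops <= max_hops:
        for url in frontier:
            host = (split_or_none(url).hostname or "").lower()
            if host in SHORTENER_HOSTS:
                flags.add("shortener")  # real destination unknown until resolved
        # Descend one level: URLs declared inside the current hop's parameters.
        frontier = [t for url in frontier for t in nested_targets(url)]
        hops += bool(frontier)
    if hops:
        flags.add("embedded-redirect")
    if hops >= 2:
        flags.add("multi-stage-chain")
    return sorted(flags)

if __name__ == "__main__":
    # Constructed sample payloads; the hosts are placeholders.
    for sample in ("https://bit.ly/3xAmPlE", "examplebank://login?session=abc"):
        print(sample, triage(sample))
```

Static flags only show what the payload declares; server-side redirects behind a shortener still have to be resolved in a sandboxed or on-device inspection step.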
The consequences of quishing are broad, ranging from credential theft to unauthorized access, and potentially to malware deployment or drive-by exploit scenarios. Attackers can embed codes in emails, documents, flyers, or even replace legitimate codes on signs or packaging to lure victims into scanning them. Once scanned, victims may be redirected to a convincing login page for email, cloud, or corporate services, inadvertently handing over credentials or session tokens that enable account takeover or further compromise. This threat extends beyond consumer risk: as evidenced in recent FBI advisories on Kimsuky’s use of malicious QR codes to target enterprise credentials, attackers are increasingly focusing their efforts on mobile-centric delivery and identity intrusion vectors outside the reach of traditional perimeter defenses.
For enterprises, defending against quishing requires mobility-aware security controls that extend beyond email and network filtering. Because QR-embedded links can evade email gateways and URL reputation systems, organizations need web content analysis and filtering that specifically covers mobile-initiated traffic — including real-time inspection of QR-scanned URLs, behavioral evaluation of web sessions on devices, and dynamic exploration of deep link behaviors. On-device threat detection is particularly valuable because it can intercept malicious redirects or credential prompts as they occur, even on unmanaged devices where enterprise EDR or network inspection leaves gaps.
Zimperium’s Mobile Threat Defense (MTD) delivers this level of insight by analyzing malicious content across all mobile attack vectors (SMS, QR codes, PDFs, etc.). With these capabilities, organizations can identify and block quishing attempts before they lead to credential compromise or malware execution. This approach helps close a critical blind spot in mobile security: the point at which a trusted interaction (scanning a QR code) is transformed by attackers into a breach vector. In a world where mobile devices are a primary access method for corporate services, extending phishing protection — traditionally focused on email URLs — to include QR-initiated and mobile-driven web content filtering is essential for reducing enterprise risk.