quishing Piergiorgio Venuti

Quishing: the dangerous hybrid between phishing and QR code

Estimated reading time: 5 minutes


The advent of digital technology has brought with it numerous opportunities, but also new threats to cybersecurity. Among these threats, phishing has gained notoriety as one of the most popular methods to obtain sensitive information from users. However, an evolution of this threat has emerged recently, called “quishing”. In this article, we will explore the concept of quishing in detail, comparing it to other forms of cyber attacks such as phishing, smishing and vishing, and analyzing its potential danger. Examples of quishing cases will also be presented and the possible malicious uses of this practice will be described.

What is quishing and how does it work?

Quishing, short for “QR code phishing”, is a sophisticated variant of phishing that uses QR codes to trick users into obtaining personal or financial information. While traditional phishing relies primarily on sending phishing emails, quishing uses malicious QR codes that can be present on flyers, posters, compromised websites or other forms of communication.

The functioning of quishing is based on user trust in the QR code. Users are tricked into acquiring the QR code through a deceptive action, for example through a false promotion or an apparent advantageous offer. Once the user scans the QR code with a QR code application, they are redirected to a counterfeit website that imitates a legitimate page. At this point, the user may be asked to enter their credentials, personal data or financial information, which will later be exploited by cyber criminals for malicious purposes.

Comparison between quishing, phishing, smishing and vishing

To fully understand the danger posed by quishing, it is helpful to compare it to other forms of similar cyber attacks, such as phishing, smishing, and vishing.

Phishing is a form of attack in which attackers send deceptive emails or text messages with the aim of tricking users into revealing personal or financial information. Quishing differs from traditional phishing in the use of QR codes, which adds an element of physical interaction and greater credibility to the attack.

Smishing, on the other hand, focuses on sending malicious text messages that attempt to scam users out of sensitive information. Although quishing could be considered a variant of smishing, the use of QR codes makes it a more sophisticated and difficult to recognize attack.

Finally, vishing is an attack that occurs through telephone calls, in which attackers pose as operators of financial institutions or other reliable organizations in order to obtain confidential information. Although vishing has a different attack mode than quishing, both exploit user trust and psychological manipulation to achieve their goals.

Among these forms of cyber attacks, quishing could be considered the most dangerous as it combines the psychological deception element of traditional phishing with the physical interaction provided by QR codes. This can lead to greater effectiveness in deceiving users and collecting sensitive information.

Examples of quishing cases

To better understand the scope of quishing, here are some examples of known cases of quishing attacks:

Case 1: Fake promotion of a clothing store

A user receives a flyer promoting a great discount at a popular clothing store. The flyer contains a QR code that promises to reveal further details about the offer. Unaware of the danger, the user scans the QR code with their smartphone, which redirects them to a counterfeit website that imitates the store’s official page. The website requires the user to enter their personal information, including credit card information, in order to obtain the discount. However, once the user provides such information, cyber criminals use it for fraudulent purposes, causing serious financial damage.

Case 2: Banking scam via QR code

A user receives an email apparently from their bank, stating that they need to update their account information for security reasons. The email contains a QR code that invites the user to scan to complete the update. Once the user scans the QR code, they are redirected to a counterfeit website that appears authentic. The site requires the user to enter their banking credentials, allowing criminals to gain access to the account and carry out financial fraud.

Case 3: Malicious QR codes on compromised websites

A user browses a legitimate website, but unfortunately compromised by hackers. While browsing the site, the user encounters a QR code that appears to be related to the content of the site. Curious, he scans the QR code with his smartphone, without realizing that it was inserted by the attacker. The QR code redirects him to a malicious web page that attempts to steal his personal or financial information.

Conclusions and precautions

Quishing represents a growing threat in the cybersecurity sphere. Cybercriminals exploit user trust and the widespread use of QR codes to trick people into obtaining sensitive information. To protect yourself from quishing, it is important to take some precautions:

  1. Verify the source: Before scanning a QR code, make sure you know the source it came from. Check the reliability of the issuer and look for any signs of forgery.
  2. Watch out for too-good-to-be-true offers: Be cautious about promotions and extraordinary offers, especially if they require the use of a QR code. Verify the authenticity of the offer through official channels before providing personal or financial information.
  3. Keep your software up to date: Make sure you keep your smartphone, operating system and applications up to date. Updates often include security patches that can protect you from known vulnerabilities used by attackers.
  4. Use reliable security solutions: Install antivirus and anti-malware applications on your mobile device to detect and block any threats.
  5. Education and awareness: Educate yourself and spread awareness about quishing and other forms of cyber attacks among friends, family and colleagues. Share tips and best practices to reduce the risk of falling victim to such attacks.

In conclusion, quishing represents a significant threat to cybersecurity. With the increased use of QR codes in everyday communication, it is crucial to be aware of the associated risks and take appropriate precautions to protect your personal and financial information.

Useful links:



More Articles…

Categories …


RSS darkreading

RSS Full Disclosure

  • Business Logic Flaw and Username Enumeration in spa-cartcmsv1.9.0.6 June 16, 2024
    Posted by Andrey Stoykov on Jun 15# Exploit Title: Business Logic Flaw and Username Enumeration in spa-cartcmsv1.9.0.6 # Date: 6/2024 # Exploit Author: Andrey Stoykov # Version: # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable […]
  • APPLE-SA-06-10-2024-1 visionOS 1.2 June 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Jun 11APPLE-SA-06-10-2024-1 visionOS 1.2 visionOS 1.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT214108. Apple maintains a Security Releases page at https://support.apple.com/HT201222 which lists recent software updates with security advisories. CoreMedia Available for: Apple Vision Pro Impact: An app may be […]
  • CyberDanube Security Research 20240604-0 | Multiple Vulnerabilities in utnserver Pro/ProMAX/INU-100 June 9, 2024
    Posted by Thomas Weber via Fulldisclosure on Jun 09CyberDanube Security Research 20240604-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| SEH utnserver Pro/ProMAX / INU-100 vulnerable version| 20.1.22 fixed version| 20.1.28 CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422 impact| High homepage| https://www.seh-technology.com/...
  • SEC Consult SA-20240606-0 :: Multiple critical vulnerabilities in Kiuwan SAST on-premise (KOP) & cloud/SaaS & Kiuwan Local Analyzer (KLA) June 9, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09SEC Consult Vulnerability Lab Security Advisory < 20240606-0 > ======================================================================= title: Multiple critical vulnerabilities product: Kiuwan SAST on-premise (KOP) & cloud/SaaS Kiuwan Local Analyzer (KLA) vulnerable version: Kiuwan SAST
  • Blind SQL Injection - fengofficev3.11.1.2 June 9, 2024
    Posted by Andrey Stoykov on Jun 09# Exploit Title: FengOffice - Blind SQL Injection # Date: 06/2024 # Exploit Author: Andrey Stoykov # Version: # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/05/friday-fun-pentest-series-6.html Steps to Reproduce: 1. Login to application 2. Click on "Workspaces" 3. Copy full URL 4. Paste the HTTP GET request into […]
  • Trojan.Win32.DarkGateLoader (multi variants) / Arbitrary Code Execution June 9, 2024
    Posted by malvuln on Jun 09Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/afe012ed0d96abfe869b9e26ea375824.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Trojan.Win32.DarkGateLoader (multi variants) Vulnerability: Arbitrary Code Execution Description: Multiple variants of this malware look for and execute x32-bit "urlmon.dll" PE file in its current directory. Therefore, we can...
  • SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) June 9, 2024
    Posted by InfoSec-DB via Fulldisclosure on Jun 09Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) Google Dork: inurl:"Powered by Boelter Blue" Date: 2024-06-04 Exploit Author: CBKB (DeadlyData, R4d1x) Vendor Homepage: https://www.boelterblue.com Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US Version: 1.3 Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12 CVE:...
  • CyberDanube Security Research 20240528-0 | Multiple Vulnerabilities in ORing IAP-420 May 30, 2024
    Posted by Thomas Weber via Fulldisclosure on May 29CyberDanube Security Research 20240528-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| ORing IAP-420 vulnerable version| 2.01e fixed version| - CVE number| CVE-2024-5410, CVE-2024-5411 impact| High homepage| https://oringnet.com/ found| 2024-01-19 by| T. Weber...
  • HNS-2024-06 - HN Security Advisory - Multiple vulnerabilities in Eclipse ThreadX May 30, 2024
    Posted by Marco Ivaldi on May 29Hi, Please find attached a security advisory that describes multiple vulnerabilities we discovered in Eclipse ThreadX (aka Azure RTOS). * Title: Multiple vulnerabilities in Eclipse ThreadX * OS: Eclipse ThreadX < 6.4.0 * Author: Marco Ivaldi * Date: 2024-05-28 * CVE IDs and severity: * CVE-2024-2214 - High - […]
  • SEC Consult SA-20240527-0 :: Multiple vulnerabilities in HAWKI didactic interface May 28, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 27 SEC Consult Vulnerability Lab Security Advisory < 20240527-0 > ======================================================================= title: Multiple vulnerabilities product: HAWKI (Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany) vulnerable version: 1.0.0-beta.1, versions before commit 146967f     fixed version: Github commit 146967f...