In summary:
- Quishing uses fake QR codes to steal your credentials — it bypasses all anti-spam filters because a QR code is treated as a harmless image.
- Campaigns have jumped by +331% in one year (Cofense, 2025); SME executives and managers are 42 times more targeted than other employees.
- Three simple steps are enough to thwart the majority of attacks: verify the URL before opening it, never enter your credentials after a scan, and enable 2FA.
- A successful compromise can engage your company's liability under the Swiss nLPD.
Since the pandemic, QR codes have become part of everyday life. We scan them in restaurants to view the menu, at the airport to board, and on invoices to access a payment portal. This small square of pixels has become a reflex, a natural convenience that no one questions. And that's precisely what cybercriminals have understood.
Quishing — a portmanteau of QR and phishing — is an attack technique that embeds a malicious URL in a QR code to deceive its victims. The technique is spreading rapidly: quishing campaigns have jumped by 331% in one year according to Cofense (2025), and QR codes now represent 26% of all malicious links distributed through professional messaging. In this article, we explain how this threat works, why it particularly affects Swiss SMEs, and above all, how to protect yourself from it in concrete terms.
For a classic anti-phishing filter, a QR code is just another image: no visible link, no analyzable text, nothing suspicious. The message passes unhindered into inboxes.
For years, messaging security solutions have learned to analyze the text and hyperlinks in emails. They recognize suspicious URLs, unknown senders, and the characteristic phrasing of fraudulent emails. A QR code completely bypasses these defenses. Once the user scans it with their smartphone — often a personal device, outside any corporate protection system — they are redirected to a malicious web page before they even realize what is happening. That is the subtlety of this attack: it exploits both a technological gap and an ingrained human reflex.
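The gap described above can be narrowed on the gateway side even without decoding the QR image. The following is an added example (not Bexxo's code, and not the code of any mail provider): a stdlib-only heuristic that flags messages which combine an image part, "scan"-style wording and no clickable link, which is exactly the combination a URL filter has nothing to inspect in. The sample messages, sender names and PNG bytes are constructed for the demonstration; a production filter would additionally decode the image with a QR library and run the extracted URL through its normal link analysis.

```python
"""Gateway-side heuristic for QR-code lures (added example, not Bexxo's code).

A classic filter inspects text and hyperlinks, so a message whose only call to
action is an image slips through. This check surfaces messages that combine an
image part, "scan"-style wording and no clickable http(s) link. Decoding the
image itself is deliberately out of scope here.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SCAN_WORDS = re.compile(r"\b(scan|scannez|flashez|qr[ -]?code)\b", re.IGNORECASE)
HTTP_LINK = re.compile(r"https?://", re.IGNORECASE)


def analyse_message(raw: str) -> dict:
    """Return image count, the reasons found and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    images = 0
    text_parts = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            text_parts.append(part.get_content())
    body = "\n".join(text_parts)
    reasons = []
    if images == 0:
        return {"images": 0, "reasons": reasons, "suspicious": False}
    if SCAN_WORDS.search(body):
        reasons.append("body asks the reader to scan an image")
    if not HTTP_LINK.search(body):
        reasons.append("no clickable link: nothing for URL filters to inspect")
    # Both signals together distinguish a QR lure from a newsletter that simply
    # carries a logo and ordinary links.
    return {"images": images, "reasons": reasons, "suspicious": len(reasons) == 2}


def build_sample(subject: str, text: str, with_image: bool) -> str:
    """Construct a test message; the PNG bytes are a placeholder, not a real QR code."""
    msg = EmailMessage()
    msg["From"] = "noreply@accounting-tool.example"   # constructed sender
    msg["To"] = "sophie@sme.example"                  # constructed recipient
    msg["Subject"] = subject
    msg.set_content(text)
    if with_image:
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
        msg.add_attachment(fake_png, maintype="image", subtype="png", filename="code.png")
    return msg.as_string()


# Constructed samples: the lure from the Sophie scenario and two benign messages.
LURE = build_sample("Your monthly report is available",
                    "Scan the QR code below to access your document.", True)
NEWSLETTER = build_sample("March newsletter",
                          "Read the full article at https://sme.example/news", True)
PLAIN_REQUEST = build_sample("Meeting", "Can you scan and send the signed contract?", False)

if __name__ == "__main__":
    for name, sample in [("lure", LURE), ("newsletter", NEWSLETTER), ("plain", PLAIN_REQUEST)]:
        print(name, analyse_message(sample))
```

The verdict is deliberately conservative: an image alone, or "scan" wording alone, is not enough, because both occur in ordinary business mail. What a filter should do with a hit is quarantine for review or add a visible banner, not silently drop it.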
SMEs combine several vulnerability factors that make them prime targets — and cybercriminals know it.
They rarely have a dedicated IT team. Messaging management, workstation security, and employee training often rely on a single person, or even no one. In this context, new threats like quishing take time to be recognized and addressed. A network security audit helps to identify these blind spots before an attack exploits them.
SMEs also trust their partners and suppliers. An email that appears to come from a regular provider, with a QR code asking to confirm a delivery or view an invoice, is likely to be scanned without suspicion. It is this trust that attackers systematically exploit.
Finally, there is a statistical detail that deserves attention: executives and managers are 42 times more targeted by QR code attacks than ordinary employees (WatchGuard, 2024). In other words, the people who have access to the most sensitive information — accounting, customer data, system access — are precisely the ones that attackers target as a priority. In an SME, this is often the manager themselves, who combines several critical accesses.
In addition, there is the question of nLPD compliance: a compromise of customer or employee data via a quishing attack can engage the company's liability and require notification to the Federal Data Protection and Information Commissioner, with the legal and reputational consequences that this implies.
Email is the most frequent vector. You receive an email that looks like a notification from your cloud storage tool, your HR provider, or your payment service. The body of the message is sober and reassuring, and contains a QR code accompanied by a simple instruction: "Scan to access your document" or "Confirm your identity to continue." The page that appears after the scan is a near-perfect copy of the Microsoft 365, Google Workspace, or e-banking login portal. You enter your credentials, and they are captured instantly. Nearly 90% of these attacks aim to steal professional login credentials — a figure Barracuda Networks confirmed across all the campaigns it analyzed in 2025.
Attacks are not limited to the digital world. Fake paper invoices with fraudulent QR codes have been slipped into company packages. Malicious stickers have been pasted over legitimate QR codes in restaurants, hotels, or conference rooms. In these cases, even a vigilant employee can be trapped, because nothing in the physical environment betrays the deception.
The undelivered package notification with a QR code to scan to "reschedule delivery" has become a very common scam. It targets both personal and professional smartphones indiscriminately, and works all the better because deliveries have become a daily reality for many teams.
Imagine that Sophie, the finance manager in an SME of twenty people, receives an email one morning that appears to come from her accounting software. The subject: "Your monthly report is available." The message contains a QR code, which she scans with her phone during her coffee break. She enters her credentials on the page that appears, thinking she is accessing her usual data.
Two hours later, the attackers use these credentials to log into the company's messaging system, extract customer bank details, and send fake invoices impersonating the company.
This scenario is not fiction. Similar situations are documented every week in Europe. And in the vast majority of cases, the victim has not made any gross errors: they have simply trusted an email that seemed perfectly normal. The real problem is that no one had explained to them what quishing is.
Protecting yourself from quishing requires neither an astronomical budget nor advanced technical expertise. At Bexxo, we regularly observe this in the field: the SMEs that resist best are not those with the best tools, but those whose employees have been educated. Technology alone is not enough — and this conviction is at the heart of our approach.
An employee who knows that QR codes can be fraudulent will take the time to think before scanning. This awareness can be raised during a team meeting, through an internal newsletter, or through simulated attacks. The goal is not to create generalized distrust, but to develop a reflex: "Where did this QR code come from? Was I expecting this message?"
Bexxo offers phishing and quishing simulations with PhishTrainer, designed for Swiss SMEs. In ten minutes, your employees learn to identify these attacks in real-world conditions, without risk.
Most modern smartphones display a preview of the destination URL when you scan a QR code, before opening the browser. This step takes two seconds and can prevent many mishaps. Teach your employees to read this URL: is it consistent with the presumed sender? Does it contain suspicious characters or spelling variations? If in doubt, it is better not to open it.
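The questions this paragraph asks of the previewed URL (does the domain match the sender I expect? are there odd characters or spelling tricks?) can be written down as a small checker. This is an added example, not Bexxo's code: `check_scanned_url` takes the previewed URL and the domain the user expects and returns plain-language warnings. The URLs and the `example-bank.ch` domain are constructed; the `registrable_domain` helper is a simplification that keeps the last two labels, where real tooling consults the Public Suffix List.

```python
"""Checks a URL shown by the phone's QR preview against the expected sender.

Added example, not Bexxo's code. Returns the reasons a scanned URL should not be
opened; an empty list means the domain is consistent with what was expected.
"""
import ipaddress
from urllib.parse import urlsplit


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Assumption: last two labels form the registrable domain (no Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_scanned_url(url: str, expected_domain: str) -> list:
    """Return warnings for a scanned URL; empty list means no finding."""
    warnings = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        warnings.append(f"scheme is '{parts.scheme or 'missing'}', not https")
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no host in URL")
        return warnings
    if parts.username is not None:
        # Everything before '@' is user info; the browser connects to the host after it.
        warnings.append(f"'@' in the address: the real host is '{host}', not '{parts.username}'")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a service name")
        return warnings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) label: possible look-alike characters")
    expected = expected_domain.lower()
    actual = registrable_domain(host)
    if actual != expected:
        distance = edit_distance(actual, expected)
        brand = expected.split(".")[0]
        if distance <= 2:
            warnings.append(f"'{actual}' is {distance} character(s) away from '{expected}': lookalike")
        elif brand in host:
            warnings.append(f"'{brand}' appears only as a subdomain of '{actual}', which is the real owner")
        else:
            warnings.append(f"registrable domain is '{actual}', not '{expected}'")
    return warnings


if __name__ == "__main__":
    # Constructed URLs; example-bank.ch stands in for the service the user expects.
    for sample in ["https://login.example-bank.ch/",
                   "https://examp1e-bank.ch/login",
                   "https://example-bank.ch.secure-login.xyz/",
                   "http://example-bank.ch@203.0.113.7/login",
                   "https://xn--example-placeholder.ch/"]:   # constructed punycode-style label
        print(sample, "->", check_scanned_url(sample, "example-bank.ch") or "looks consistent")
```

The checker does not decide for the user; it turns the two-second glance into explicit questions. If any warning appears, the advice from the article stands: do not open the page, and reach the service by typing the address you already know.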
This rule is simple and absolute: if a page asks for a username and password after scanning a QR code received by email or SMS, stop. Open your browser and access the service directly by typing the address you know. This is the only way to ensure that you are on the real site.
Even if credentials are stolen, two-factor authentication is a valuable safety net. Without the second factor — a code from an authentication app, a physical security key — the cybercriminal cannot access the account. This is an essential protection for all of your SME's critical services: messaging, accounting, CRM, cloud storage.
Professional messaging systems based in Switzerland such as Infomaniak Mail or Proton Mail integrate robust security mechanisms: SPF, DKIM and DMARC authentication, automatic marking of suspicious external emails, and detection of malicious links. By opting for these nLPD-compliant solutions hosted on Swiss soil, you benefit from a solid first line of defense — without depending on foreign infrastructures.
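The SPF, DKIM and DMARC checks mentioned above only help if the records exist and are set to enforce. An SME also needs to publish them for its own domain, so that partners' filters can reject mail that impersonates it, which is the "email from a regular provider" lure described earlier. The following is an added example, not Bexxo's code nor that of any provider: two small assessors that rate a DMARC and an SPF record and show a weak pair beside a corrected one. The records and the `sme.example` and `mailprovider.example` names are constructed; in practice the strings come from DNS TXT lookups (`dig TXT _dmarc.your-domain.ch` and `dig TXT your-domain.ch`).

```python
"""Rates a domain's SPF and DMARC records (added example, not Bexxo's code).

Both functions return a list of findings; an empty list means the record is
set to enforce. The records at the bottom are constructed for a fictitious domain.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, ignoring empty segments."""
    tags = {}
    for segment in record.split(";"):
        if "=" in segment:
            key, value = segment.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Findings that weaken a DMARC policy (monitor-only, partial, no reporting)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    p_value = tags.get("p")
    if p_value is None:
        findings.append("no p= tag: record is invalid and ignored")
    elif p_value == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the traffic")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is sending as your domain")
    if tags.get("sp") == "none" and p_value != "none":
        findings.append("sp=none leaves subdomains unenforced")
    return findings


def assess_spf(record: str) -> list:
    """Findings for an SPF record: weak terminal 'all' qualifier or too many DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all lets any server send as this domain")
    elif last == "?all":
        findings.append("?all is neutral: receivers treat every sender as unverified")
    elif last == "~all":
        findings.append("~all is a soft fail; -all is the enforcing choice once the record is known good")
    elif last != "-all":
        findings.append("no terminal all mechanism: unlisted senders are not rejected")
    # Mechanisms that trigger DNS lookups count towards the limit of 10.
    lookups = 0
    for term in terms[1:]:
        t = term.lstrip("+-~?").lower()
        if t in ("a", "mx") or t.startswith(("a:", "mx:", "include:", "exists:", "redirect=")):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@sme.example")
WEAK_SPF = "v=spf1 a mx include:_spf.mailprovider.example ?all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"

if __name__ == "__main__":
    for label, rec, fn in [("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("strong DMARC", STRONG_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf),
                           ("strong SPF", STRONG_SPF, assess_spf)]:
        print(label, fn(rec) or ["ok"])
```

Moving from `p=none` to `p=reject` should be done after reading the aggregate reports sent to the `rua` address for a few weeks, so that a legitimate sender (the invoicing tool, the newsletter platform) is not cut off by the stricter policy.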
If your employees use their personal smartphones to scan work-related QR codes — which is common — define simple rules: never enter professional credentials on an unsecured device, and immediately report any suspicious behavior to the person responsible for IT. A clear BYOD policy is an essential complement to any cybersecurity strategy.
Quishing perfectly illustrates a reality that SMEs must integrate: cyberattacks are constantly evolving to bypass existing defenses. Where anti-spam filters block suspicious links, attackers use images. Where employees are wary of attachments, scammers use physical QR codes.
Faced with this evolution, two things remain true: employee awareness is always the most profitable investment, and simple actions — verifying the URL, not entering credentials after a scan, enabling 2FA — are enough to thwart the vast majority of attempts.
Do you want to concretely assess the resistance of your employees to these new forms of attacks? Contact Bexxo to discover our simulations adapted to Swiss SMEs. You can also start with a security audit to quickly identify your points of exposure.
What is quishing and how is it different from classic phishing? Quishing is a form of phishing that uses a QR code instead of a clickable link. Its particularity: where an anti-spam filter can analyze and block a suspicious link, a QR code is treated as a simple image. It therefore passes without any control in messaging systems, which makes it much more difficult to detect automatically.
How to recognize a potentially fraudulent QR code before scanning it? The main precaution is to ask yourself where this QR code comes from. If it is sent to you by email or SMS without you requesting it, be careful. After scanning, always check the URL displayed by your smartphone before opening the page: a legitimate URL from a known service does not contain strange characters or an unusual domain.
What to do if an employee has scanned a suspicious QR code and entered their credentials? Act immediately: change the password of the account in question from a secure device, enable 2FA if it is not already enabled, and notify the person responsible for IT. If personal data of customers or employees may have been exposed, check with your lawyer whether a notification to the Federal Data Protection and Information Commissioner (FDPIC) is required under the nLPD.
Can a Swiss SME without a dedicated IT team really protect itself from quishing? Yes, and it is even one of the threats for which human protection is more effective than technical protection. Training your employees to recognize this attack — in one hour of awareness — drastically reduces the risk. Tools like Bexxo's PhishTrainer are precisely designed for SMEs without an IT department.
Can quishing expose our company to sanctions related to the nLPD? If an attack is successful and personal data of customers or employees is compromised, yes. The Swiss nLPD requires companies to notify the FDPIC in the event of a data breach with a high risk. An SME that has not taken reasonable protection measures may see its civil and criminal liability engaged.
Are our professional mobile devices better protected than personal smartphones? In principle, yes — if your company has implemented a mobile device management (MDM) solution and a professional VPN. In the reality of many Swiss SMEs, employees use their personal smartphones, which are not subject to any security policy. This is precisely why a clear BYOD policy is as important as technical tools.
Sources: Cofense, 2025 · Barracuda Networks, 2025 · QR Code Tiger, 2025 · WatchGuard