Category: Phishing & Social Engineering

QR code phishing (quishing) in the browser

QR code phishing (“quishing”) uses a QR code to hide a malicious URL that opens a browser link on a phone or workstation.

Quick answer

QR codes bypass many traditional link previews and filters, pushing users straight into a browser flow where they’re less likely to inspect the destination.

For risky links and login flows, isolation keeps the page off the endpoint by running it in a disposable container and streaming only the rendered output to the user.

When you need this

  • You’ve seen indicators of this threat in your environment.
  • Users frequently click unknown links as part of daily work.
  • You need a control that reduces risk without relying on perfect user judgment.

Last updated

2026-01-29

How it usually happens in the browser

  • The attacker places a QR code in an email, PDF, poster, package insert, or fake “security update” notice.
  • The user scans it and lands on a shortened URL or a redirect chain that hides the final domain.
  • The destination is often a fake login page or a payment capture form.
  • Victims may complete the flow on mobile where security controls and URL visibility are weaker.

What traditional defenses miss

  • Email gateways can’t always safely “detonate” a QR code without image analysis.
  • Users treat QR codes as physical-world trusted objects (posters, lobbies, shipping labels).
  • On mobile, full domains are truncated and security cues are subtle.

How isolation changes the game

  • Isolation helps by making untrusted browsing disposable and policy-controlled when QR links are opened in managed browsers.
  • When sessions are isolated and deleted, risky link explorations don’t leave long-lived browser artifacts behind.
  • Admins can enforce stricter policies for URL shorteners and newly registered domains where QR codes often point.

Operational checklist

  • Block or warn on URL shorteners and unknown redirectors; force them into isolation.
  • Use device management to ensure work browsing stays within managed browsers on mobile.
  • Create a safe internal workflow: “verify QR destination” for HR/IT notices and physical signage.
  • Require step-up auth on sensitive actions if the user arrived via an external link.
  • Run periodic quishing simulations and measure click-to-credential-entry rate (not just click rate).
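A URL triage check for the "verify QR destination" workflow in the checklist above, added here as an example and not part of the original page: given the payload a scanner decoded (shown to the user before anything opens), it returns block, isolate or allow with the reasons, so shorteners, redirectors and newly registered domains are forced into isolation rather than opened directly. The shortener list, the 30-day "newly registered" threshold and the caller-supplied registration date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample list; a real deployment would feed its own shortener/redirector list.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy"}
NEW_DOMAIN_DAYS = 30  # assumption: registered within 30 days counts as "newly registered"


@dataclass
class Verdict:
    action: str           # "allow", "isolate" or "block"
    reasons: List[str]


def triage_qr_destination(payload: str, registered: Optional[date] = None,
                          today: Optional[date] = None) -> Verdict:
    """Classify a decoded QR payload before the user is allowed to open it.
    `registered` is the domain's registration date looked up elsewhere
    (e.g. WHOIS/RDAP); None means the age is unknown, which is itself a reason to isolate."""
    reasons: List[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # data:, custom app schemes etc. are never handed to a browser at all
        return Verdict("block", [f"non-web scheme {scheme!r}"])
    if parts.username is not None or parts.password is not None:
        # "https://hr.example.com@203.0.113.9/" style userinfo confusion
        return Verdict("block", ["userinfo in authority"])
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return Verdict("block", ["missing host"])
    try:
        ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass
    if scheme == "http":
        reasons.append("plain HTTP")
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label in host")
    # match the host or any parent domain (www.bit.ly -> bit.ly) against the list
    if any(".".join(labels[i:]) in KNOWN_SHORTENERS for i in range(len(labels) - 1)):
        reasons.append("known URL shortener / redirector")
    today = today or date.today()
    if registered is None:
        reasons.append("domain age unknown")
    elif (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {(today - registered).days} days ago")
    return Verdict("isolate" if reasons else "allow", reasons)
```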

FAQs

Are QR codes inherently unsafe?

The QR code itself is just a carrier. The risk is that it hides the URL, which reduces user scrutiny and can bypass some scanning.

Can I preview a QR code safely?

Use a scanner that shows the full URL before opening it, and prefer opening unknown QR destinations in an isolated session or on a sacrificial device.

Why does this work better on phones?

Mobile browsers hide more of the URL and make security cues less obvious, which increases conversion for attackers.

Does isolation help on mobile?

If your environment supports managed mobile browsing, isolating untrusted destinations still reduces endpoint exposure and makes sessions disposable.
