Remember when QR codes were just for restaurant menus during COVID? Scammers remember too. And now they’re weaponising them.
If your business uses email (which, let’s face it, you do), you need to know about quishing. It’s the latest phishing tactic that’s slipping past your email security like a greased weasel, and it’s already hit Australian businesses hard.
What Exactly Is Quishing?
Quishing is a mashup of “QR code” and “phishing.” It’s when cybercriminals embed malicious links inside QR codes and send them via email, text, or even physical mail.
The scam is simple but effective. You receive what looks like a legitimate email from Microsoft, your bank, Australia Post, or even your own IT department. There’s a QR code with instructions to scan it for urgent account verification, package tracking, or a security update.
You pull out your phone, scan the code, and boom. You’ve just opened a fake website designed to steal your login credentials, payment details, or install malware on your device.
Why Is Quishing So Effective?
Several factors make quishing particularly dangerous for small businesses:
Trust in QR codes. We’ve been trained to trust QR codes. We used them everywhere during the pandemic. They feel modern, safe, and convenient. Scammers exploit this trust.
Mobile blindness. When you scan a QR code on your phone, you’re probably not scrutinising the URL as carefully as you would on a desktop. The screen is smaller, you’re often in a hurry, and mobile browsers don’t always display the full web address clearly.
Professional appearance. These emails look legitimate. They include company logos, proper formatting, urgent but professional language, and all the visual markers of a real business communication.
Urgency tactics. Quishing emails create artificial urgency. “Your account will be locked in 24 hours.” “Verify now or lose access.” “Action required immediately.” When people feel rushed, they make mistakes.
The Big Problem: Why Your Email Security Doesn’t Catch Them
Here’s the kicker that keeps IT professionals up at night: traditional email security and DNS filters struggle to detect quishing attacks.
DNS filters scan text, not images. Your email security solution reads the text content of emails and checks any URLs against databases of known malicious websites. But a QR code is just an image. It’s a picture of a bunch of black and white squares. There’s no text URL for your filter to analyse until someone actually scans it.
The malicious link only exists after scanning. When the email arrives in your inbox, the dangerous URL is encrypted within the QR code image. Your DNS filter can’t see it, can’t check it, can’t block it. The link only becomes “real” when you point your phone camera at it.
Image scanning has limitations. While some advanced email security solutions can decode QR codes from images, this requires extra processing power and isn’t standard in most small business email setups. Even when they do scan QR codes, attackers can use URL shorteners or freshly created domains that aren’t yet on blocklists.
Clean domains with dirty intentions. Scammers often use legitimate-looking domains or compromised websites that aren’t flagged as malicious yet. By the time security companies identify and blocklist these sites, the damage is already done.
Think of it this way: Your email security is a guard checking everyone’s ID at the door. But quishing is like someone handing you a locked box with a trap inside. The guard can see the box is there, but they can’t see what’s inside until you open it yourself.
Real-World Examples Hitting Australian Businesses
Quishing isn’t theoretical. It’s happening right now.
The Microsoft 365 scam. Businesses across Australia have reported emails claiming to be from Microsoft, requiring MFA verification via QR code. The fake login page looks identical to the real thing. Once employees enter their credentials, attackers have access to your entire Microsoft 365 environment – emails, documents, financial data, customer information, everything.
Fake payment requests. Small businesses have received invoices with QR codes claiming to be from suppliers or service providers. “Scan to pay securely.” The QR code leads to a fake payment portal that captures credit card details or initiates fraudulent bank transfers.
Parcel delivery scams. With Australia Post and other courier companies regularly using QR codes for legitimate tracking, scammers send fake delivery notifications with malicious QR codes. These can lead to credential theft or, worse, malware installation on your device.
Payroll and super scams. Some attacks target payroll officers with emails appearing to be from the ATO or super funds, requiring QR code verification for tax or superannuation matters. These can lead to business email compromise situations where scammers redirect employee payments.
How to Protect Your Business from Quishing
The good news? Quishing is preventable with awareness and the right practices.
1.Establish a no-scan policy. Make it a company rule: Never scan QR codes from unsolicited emails. If an email asks you to scan a QR code for account verification, payment, or urgent action, don’t do it.
2.Manual URL entry for important accounts. If you receive an email about your Microsoft account, banking, or any critical business service, don’t scan any QR codes. Instead, manually type the official website address into your browser or use your saved bookmarks.
3.Implement multi-factor authentication everywhere. While MFA won’t stop quishing attempts, it adds a crucial layer of protection. Even if someone steals your password through a quishing attack, they’ll still need your second factor to access your accounts. Use authenticator apps rather than SMS where possible.
4.Staff training is essential. Your employees are your first line of defence. Regular, practical cybersecurity training that specifically covers quishing helps staff recognise red flags. Include real examples, conduct simulated phishing tests, and create a culture where people feel comfortable reporting suspicious emails.
5.Verify through official channels. If you receive an email with a QR code claiming to be from your bank, a government agency, or a service provider, contact them directly using the phone number on their official website, not any number in the email. Ask if they actually sent the communication.
6.Mobile security matters. Many small businesses focus on securing desktop computers but overlook mobile devices. Consider mobile security solutions that can detect and block malicious websites when QR codes are scanned.
7.Update your incident response plan. Make sure your team knows what to do if they accidentally scan a malicious QR code. Quick action can limit damage – changing passwords immediately, alerting IT, monitoring accounts for suspicious activity.
8.Use preview features cautiously. Some QR code scanner apps show you the URL before opening it. While this is better than nothing, remember that attackers use legitimate-looking URLs or shortened links that don’t reveal their true destination.
What to Do If You’ve Been Hit
If someone in your business has scanned a suspicious QR code:
1.Act immediately. Don’t wait to see if anything bad happens. Assume the worst.
2.Change passwords. Change the password for any account that might have been compromised, starting with email and admin accounts. Use strong, unique passwords for each account.
3.Enable or reset MFA. If MFA wasn’t enabled, enable it now. If it was enabled, reset it in case the attacker captured your second-factor codes.
4.Monitor accounts. Check bank statements, email logs, and system access logs for any unusual activity. Look for unauthorised logins, unexpected transactions, or changes to account settings.
5.Scan devices. Run a full antivirus scan on any device used to scan the QR code or enter credentials. Some quishing attacks install malware.
6.Report it. Report the incident to ReportCyber (the Australian Cyber Security Centre’s reporting platform) and your bank if financial information was compromised. If customer data was accessed, you may have privacy breach notification obligations.
7.Inform affected parties. If the breach could affect customers, suppliers, or partners, you may need to notify them. Transparency is better than trying to hide a breach.
The Bottom Line
Quishing works because it exploits our trust in QR codes and bypasses the email security measures most small businesses rely on. Your DNS filters and spam blockers aren’t designed to catch threats hidden in images.
The most effective defence isn’t technical – it’s human. Awareness, healthy skepticism, and clear policies about handling QR codes in emails will protect your business far better than any single security tool.
Remember this simple rule: Legitimate organisations rarely, if ever, ask you to scan QR codes in emails for account verification or urgent security matters.
If it’s genuinely important, they’ll provide multiple ways to take action, and those ways will be verifiable through official channels you initiate yourself.
One quick scan can compromise your entire business. When in doubt, don’t scan it out.
Need help securing your business against quishing and other cyber threats? Contact Netcomp Solutions for a free security assessment tailored to Australian small businesses. Our team specialises in protecting SMBs from evolving cyber threats.
