"Quishing" is the latest evolution of email "phishing": scammers send users a targeted email with an image of a QR code embedded in it, purporting to be from a reputable source like your university, bank, or a popular online service like DocuSign. Scanning the QR code with your phone allows scammers to bypass filtering, anti-virus, and other prevention technologies. The QR code leads to malicious websites that harvest your personal information or infect your device with malware.
For example, you might receive an email that appears to be from Microsoft, asking you to scan a QR code to "verify your account" or "access a secure document." Similarly, you could get an email mimicking a popular shopping site, inviting you to scan a QR code for an exclusive offer. In these quishing scenarios, scammers also try to further evade our protection systems by replacing the actual email text with a picture of an email that contains the text.
Unfortunately, many legitimate senders also use QR codes, for example in emails delivering sports or event tickets. This means users must always be cautious when scanning QR codes from emails, especially if they did not expect to receive one. Verify the sender's identity and contact the organization if you're uncertain. Remaining diligent and skeptical of unsolicited QR codes in emails will help combat these evolving quishing tactics.
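
For mail administrators, the two traits described above (an embedded image, and real text replaced by a picture of text) can be turned into triage flags. The sketch below is an added example, not part of the original article or any product's filter; the function names, the 20-word threshold, the lure wording and the sample messages are all assumptions, and it does not decode the QR code itself.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

MIN_WORDS = 20  # assumed threshold, tune against your own mail flow
LURE = re.compile(r"\b(qr code|scan)\b", re.I)  # assumed lure wording

def visible_text(msg):
    """Join the text/plain and tag-stripped text/html bodies."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = re.sub(r"<[^>]+>", " ", body)
        chunks.append(body)
    return " ".join(chunks)

def quishing_indicators(raw):
    """Return triage flags for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    text = visible_text(msg)
    flags = []
    # Picture-of-an-email pattern: an image but almost no machine-readable text.
    if has_image and len(text.split()) < MIN_WORDS:
        flags.append("image_with_little_text")
    # Wording that asks the reader to scan something, next to an image.
    if has_image and LURE.search(f"{msg['Subject'] or ''} {text}"):
        flags.append("qr_lure_wording")
    return flags

def build_sample(subject, text, with_image):
    """Constructed test message; the image bytes are a placeholder, not a real QR code."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.test", "user@example.test", subject
    m.set_content(text)
    if with_image:
        m.add_attachment(b"\x89PNG constructed placeholder", maintype="image",
                         subtype="png", disposition="inline", filename="code.png")
    return m.as_bytes()

TICKET_TEXT = ("Thanks for your order. Your tickets for Saturday's match are attached. "
               "Show the QR code at gate 4 when you arrive, and bring photo ID "
               "matching the name on the order.")

if __name__ == "__main__":
    print(quishing_indicators(build_sample("Verify your account", "", True)))
    print(quishing_indicators(build_sample("Your tickets", TICKET_TEXT, True)))
```

The constructed ticket message still raises `qr_lure_wording`, which is why these flags are signals for review and not a verdict on their own.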