Quishing: The Threat Behind the Scan

QR codes are now part of everyday life, from accessing Wi-Fi and authenticating into systems to attending virtual meetings and completing compliance checklists. Their convenience is undeniable. But with convenience comes complacency.

In recent months, a variant of phishing has emerged that is slipping under the radar of even security-conscious organisations. It's called Quishing (QR-code phishing), and it exploits something most of us don't think twice about: a simple scan.

The New Face of Phishing

Unlike traditional phishing, where users are baited with suspicious emails and dodgy links, Quishing operates in silence. A malicious QR code is planted, sometimes digitally in an email, sometimes physically in the workplace, and the user does the rest. One scan on a mobile device opens the attacker's page, and the rest of the attack runs on the victim's own phone.

The QR code leads to a spoofed login page, typically mimicking a known platform such as Microsoft 365 or a company's internal system. The employee, believing the environment is secure, enters their credentials. In that moment the credentials, and with them access, are handed to the attacker, often without triggering any alarms, because the whole exchange happened on a phone outside the corporate network.

What makes this attack so effective is that it slips past the standard security stack. Many email filters inspect the links in a message body but don't decode the URL hidden inside a QR code image. Mobile devices, especially personal ones, don't always run endpoint protection, and a phone on mobile data never touches the corporate web proxy or DNS filtering. And most organisations haven't extended their awareness training to cover QR-based threats.
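As an added illustration of the gap the previous paragraph describes (this is example code written for this page, not an SS-Consulting tool), here is a small Python triage step that could sit behind a QR decoder in a mail gateway or a help-desk workflow. It assumes the QR image has already been decoded to its text payload by a separate library, and that the organisation keeps an allowlist of the hosts its own QR workflows legitimately point at. The allowlist, the brand list, the shortener list and the sample payloads are all constructed here for illustration. It goes slightly beyond the paragraph by also handling non-web payloads such as Wi-Fi join strings, which a plain domain check would not know what to do with.

```python
"""Triage the text payload of a scanned QR code before it is opened.

Added example, not SS-Consulting's code. It assumes the QR image has
already been decoded to its text payload by a separate tool (a zbar- or
ZXing-based decoder, for instance) and that the organisation maintains
an allowlist of the hosts its own QR workflows point at. The allowlist,
brand list, shortener list and sample payloads are constructed for
illustration only.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts an internal QR code is expected to
# send staff to. Subdomains of these hosts are accepted; nothing else is.
TRUSTED_HOSTS = {
    "login.microsoftonline.com",
    "timesheets.example.co.za",
    "intranet.example.co.za",
}

# Brand strings that lookalike hostnames tend to embed (illustrative list).
BRAND_WORDS = ("microsoft", "office365", "o365", "sharepoint", "onedrive", "okta")

# Public shorteners hide the real destination from whoever scans the code.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}


@dataclass
class Verdict:
    payload: str
    verdict: str                       # "allow", "review" or "block"
    reasons: list = field(default_factory=list)


def _is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(payload: str) -> Verdict:
    """Classify one decoded QR payload as allow / review / block."""
    v = Verdict(payload, "allow")
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # WIFI:, tel:, sms:, mailto: and bare text cannot be judged against a host
    # allowlist, so they go to a human rather than being auto-approved.
    if scheme not in ("http", "https"):
        v.verdict = "review"
        v.reasons.append(f"non-web payload (scheme '{scheme or 'none'}')")
        return v

    host = (parts.hostname or "").lower()

    if scheme == "http":
        v.verdict = "review"
        v.reasons.append("plain http: anything typed into the page travels unencrypted")

    if _is_trusted(host):
        return v                       # allow, or review if it was plain http

    # Anything outside the allowlist is blocked; the remaining checks only
    # explain *why* the host looks like a phishing destination.
    v.verdict = "block"
    v.reasons.append(f"host '{host}' is not on the allowlist")
    if parts.username is not None:
        v.reasons.append(
            f"userinfo '{parts.username}' placed before the real host (classic disguise)")
    if _is_ip_literal(host):
        v.reasons.append("IP-literal host")
    if host in SHORTENERS:
        v.reasons.append("URL shortener hides the final destination")
    if "xn--" in host:
        try:
            shown = host.encode("ascii").decode("idna")
        except ValueError:
            shown = host
        v.reasons.append(f"punycode hostname (renders as '{shown}')")
    if any(b in host for b in BRAND_WORDS):
        v.reasons.append("brand name embedded in an untrusted host (lookalike)")
    return v


# Constructed sample payloads, as a decoder would hand them over.
SAMPLE_PAYLOADS = [
    "https://timesheets.example.co.za/submit?week=23",        # genuine internal workflow
    "https://login.microsoftonline.com.auth-verify.example/",  # lookalike subdomain chain
    "http://192.0.2.10/owa/",                                  # plain http to a raw IP
    "https://bit.ly/3abcxyz",                                  # shortener
    "https://login.microsoftonline.com@evil.example/o365",     # trusted name as userinfo
    "https://xn--micrsoft-4za.example/login",                 # punycode lookalike
    "WIFI:T:WPA;S:Guest-Office;P:welcome123;;",                # joins a network, not a link
]


def triage_all(payloads):
    """Return {payload: verdict-string} for a batch of decoded payloads."""
    return {p: triage(p).verdict for p in payloads}


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        v = triage(p)
        print(f"{v.verdict:6} {p}")
        for r in v.reasons:
            print(f"       - {r}")
```

Run as a script, each sample prints its verdict and the reasons behind it. The allowlist model does the real work: a host outside the list is blocked whether or not a heuristic fires, and the individual reasons exist so the block can be explained to the person who scanned the code.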

Why It’s Gaining Traction in South Africa

At SS-Consulting, we’re seeing increased use of QR codes in operational environments, particularly where digital transformation and hybrid work models intersect. More companies are embracing paperless workflows and mobile-first solutions, using QR codes to facilitate tasks like timesheet submissions, asset tracking, system access, and digital attendance.

It's efficient, but it also opens up new exposure. In BYOD (Bring Your Own Device) environments, where personal phones and tablets are used to complete work-related tasks, the organisation has limited visibility and control over how users interact with QR content.

The attacker doesn’t need to compromise your systems. They only need one employee to scan the wrong code.

This Isn’t a Future Threat, It’s Already Here

We often talk about cyber threats in the abstract: ransomware, data breaches, zero-days. But Quishing is different. It feels low-tech. It's physically embedded in the work environment. And because it doesn't rely on malware, it often flies under the radar during incident reviews.

The attack surface has changed. What used to come in via email now comes in through the office door, the staff kitchen, the weekly all-hands poster. We’ve even seen fake QR codes pop up on printed conference materials and vendor invoices.

It’s a quiet intrusion. And that’s exactly why it works.

What Needs to Change

Organisations must begin by treating a QR code the same way they treat any other link from an untrusted source. That means educating staff to think critically before scanning: preview the decoded URL, check that the domain is one they expect, and never enter credentials on a page reached from a code on a poster or in an unexpected email. It means reviewing where QR codes are being introduced into internal processes. And it means updating policies to account for the new reality of mobile-first exploitation.

QR codes aren't inherently dangerous. But the blind trust we place in them, especially in professional environments, is what makes them exploitable.

This is no longer just a phishing issue. It’s a security culture issue.

Our Take as a Security Partner

At SS-Consulting, we believe that cybersecurity isn't just about building barriers; it's about building awareness. Technical controls are critical, but if your people don't recognise the evolving tactics being used against them, the risk remains.

Quishing is a perfect example of how attack methods evolve with everyday behaviour. It preys on trust, familiarity, and speed. And unless organisations shift their awareness and strategy, it will continue to grow.

The next scan your employee makes could be harmless. Or it could be the start of a breach. It’s time we all started asking: Are we looking closely enough at the codes we trust?
