QR Codes? Watch What You Scan!

What is quishing and why your business should care

QR codes are everywhere. Restaurant menus, parking meters, business cards, invoices — they have become a seamless part of daily operations for companies across Europe. But this convenience has a dark side. Cybercriminals are now exploiting QR codes to launch phishing attacks, a technique known as quishing (QR code phishing), and small and medium businesses are squarely in the crosshairs.

Unlike a link in a phishing email, which you can hover over and inspect before clicking, a QR code shows nothing to the human eye: the destination exists only as a pattern of squares until a scanner decodes it, and most people tap the preview reflexively. You scan, you land somewhere, and by then it may already be too late. For Italian and European SMBs that have rapidly adopted QR-based workflows, especially since the pandemic, this is a growing and largely underestimated threat.

How quishing attacks work in practice

The mechanics of a quishing attack are deceptively simple. An attacker generates a malicious QR code that redirects to a fake login page, a malware download, or a credential-harvesting site. That code is then delivered through channels your employees already trust.

Common delivery methods

  • Email attachments: A PDF invoice or delivery notice contains a QR code instead of a clickable link. Because the malicious URL is encoded in an image rather than written in the message body, filters that only inspect text and hyperlinks never see it.
  • Physical placement: Stickers placed over legitimate QR codes on parking meters, restaurant tables, or office equipment. In Italy, police have reported cases of fraudulent QR codes applied over legitimate ones at public charging stations.
  • Internal documents: Fake HR communications, Wi-Fi setup instructions, or multi-factor authentication prompts that ask employees to scan a code with their personal phone.

The shift to mobile is the key here. When an employee scans a QR code with their smartphone, they leave the relative safety of the corporate network and its security tools. Personal phones typically lack endpoint protection, web filtering, and the IT oversight that company laptops have. The attacker knows this.

Why email filters miss it

Traditional email security solutions scan text and URLs for known threats. A QR code is just an image, a grid of black and white squares, and the URL inside it is not text until something decodes it. Unless your security stack decodes QR codes found in message bodies and attachments and then analyses the extracted URLs the way it analyses ordinary links, the malicious payload passes through undetected. According to research from HP Wolf Security, QR code phishing attacks increased by over 400% between 2023 and 2024, precisely because attackers discovered this blind spot.

The real cost for European SMBs

The financial and operational impact of a successful quishing attack on a small business can be severe. Credential theft can lead to business email compromise, where attackers impersonate executives to authorise fraudulent wire transfers. In the EU, the average cost of a data breach for SMBs reached approximately €120,000 in 2024, according to ENISA’s threat landscape report. For many small companies, that is not a recoverable expense.

Beyond direct financial loss, European businesses face regulatory consequences under the GDPR. If employee or customer data is compromised through a quishing attack, the company remains the data controller responsible for notifying the supervisory authority within 72 hours of becoming aware of the breach (where the breach is likely to put individuals at risk), and it may face fines of up to €20 million or 4% of global annual turnover, whichever is higher. The Italian Garante per la protezione dei dati personali has been increasingly active in enforcing these obligations, even against smaller organisations.

There is also the reputational damage. An Italian SMB that falls victim to a QR code scam targeting its own customers — for example, through compromised payment QR codes — risks losing the trust that took years to build.

How to protect your business from QR code phishing

The good news is that defending against quishing does not require a massive budget. It requires awareness, a few technical adjustments, and clear internal policies.

Train your employees to question QR codes

Security awareness training should now explicitly cover QR code threats. Employees need to understand that scanning an unknown QR code carries the same risk as clicking an unknown link. Teach them to read the decoded URL before opening it: the built-in camera apps on current iPhones and Android devices show the destination and wait for a tap rather than navigating automatically. The part to read is the actual domain, not a familiar company name dropped into a subdomain or path. If the domain is unfamiliar, is a raw IP address, or uses a URL shortener, they should stop.
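The checks described above, and the URL analysis a QR-aware mail gateway should perform once it has decoded the image, written out as a small Python triage routine. This is an added example, not code from the original post or from any vendor: it starts from the already-decoded payload (turning the image into text needs a QR decoder library and is out of scope), and the company domains, the trusted SSID, the shortener list and every sample payload are constructed assumptions for illustration.

```python
"""Triage of the text a QR code carries, run before anyone acts on it.
Added example, standard library only: starts from the decoded payload and
applies the checks an employee or a QR-aware mail gateway should make."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Assumptions for the example: this company's own domains and Wi-Fi SSID.
TRUSTED_DOMAINS = {"acme-srl.it", "acme-srl.com"}
TRUSTED_SSIDS = {"ACME-Corp"}
# A few well-known shorteners; a QR code that hides its destination behind one deserves suspicion.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy", "ow.ly"}
# Illustrative two-label public suffixes, so "mail.acme.co.uk" reduces to "acme.co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class Verdict:
    kind: str                                  # "url", "wifi" or "other"
    target: str                                # registrable domain, SSID or the raw text
    flags: list = field(default_factory=list)  # reasons to stop; empty means no objection

    @property
    def risky(self) -> bool:
        return bool(self.flags)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part its owner actually registered."""
    if IPV4.fullmatch(host):
        return host
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def triage_url(raw: str) -> Verdict:
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme not in ("http", "https"):
        flags.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        flags.append("plain http, no TLS")
    if parts.username is not None:
        # "https://acme-srl.it@evil.example/" really goes to evil.example
        flags.append(f"credentials-in-URL trick, real host is {host!r}")
    if not host:
        return Verdict("url", "", flags + ["no host"])
    domain = registrable_domain(host)
    if IPV4.fullmatch(host):
        flags.append("raw IP address instead of a name")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label, possible look-alike domain")
    if domain in SHORTENERS:
        flags.append("URL shortener hides the destination")
    if domain not in TRUSTED_DOMAINS:
        # a familiar brand name in the subdomain or path of a stranger's domain is the classic lure
        brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
        hit = next((b for b in brands if b in host or b in parts.path.lower()), None)
        flags.append(f"brand {hit!r} used on untrusted domain {domain}" if hit
                     else f"unfamiliar domain {domain}")
    # a second URL in the query string usually means an open-redirect hop to the real target
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if re.match(r"https?://", value, re.I):
            flags.append(f"embedded redirect to {urlsplit(value).hostname}")
    return Verdict("url", domain, flags)


def triage_wifi(raw: str) -> Verdict:
    """Parse the WIFI:T:<auth>;S:<ssid>;P:<password>;H:<hidden>;; payload format."""
    fields = {}
    for item in re.split(r"(?<!\\);", raw[len("WIFI:"):]):  # split on unescaped ';'
        if ":" in item:
            key, value = item.split(":", 1)
            fields[key.upper()] = re.sub(r"\\(.)", r"\1", value)  # undo \; \: \\ escapes
    ssid = fields.get("S", "")
    flags = []
    if fields.get("T", "").lower() in ("", "nopass"):
        flags.append("open network, traffic can be intercepted")
    if fields.get("H", "").lower() == "true":
        flags.append("hidden SSID")
    if ssid not in TRUSTED_SSIDS:
        flags.append(f"SSID {ssid!r} is not a company network")
    return Verdict("wifi", ssid, flags)


def triage(payload: str) -> Verdict:
    """Dispatch on what the QR code actually contains."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        return triage_wifi(text)
    if re.match(r"[a-z][a-z0-9+.-]*:", text, re.I):
        return triage_url(text)
    if re.match(r"[\w-]+(\.[\w-]+)+(/|\?|$)", text):
        return triage_url("http://" + text)  # scanners open bare hostnames over plain http
    return Verdict("other", text, [])


# Constructed sample payloads for the demo, not real sightings.
SAMPLES = [
    "https://login.acme-srl.it/sso",
    "https://acme-srl.it@secure-docs.example/login",
    "https://acme-srl.it.verify-login.example/?next=https%3A%2F%2Fevil.example%2Fx",
    "https://bit.ly/3xYzAbC",
    "acme-srl.it/verify",
    "WIFI:T:nopass;S:Free Guest WiFi;;",
    "WIFI:T:WPA;S:ACME-Corp;P:s3cr\\;et;;",
    "Table 12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = triage(sample)
        print(f"{'STOP' if v.risky else 'ok  '} {v.kind:5} {v.target!r:32} {'; '.join(v.flags)}")
```

Run as a script it prints one line per sample. The useful part for training is the set of flags: the credentials-in-URL trick and the brand-in-subdomain lure are exactly the cases where a glance at the preview "looks right" but the registrable domain does not belong to the company. In a mail gateway the same function would run on every URL extracted from a decoded QR image, with TRUSTED_DOMAINS replaced by the organisation's real allowlist.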

Implement mobile device management

If your employees use personal phones for work tasks, a basic mobile device management (MDM) solution, usually applied to a separate work profile on the device, combined with a mobile threat defence or DNS filtering service, can extend web filtering and malicious-link detection to those devices. This closes the gap that attackers exploit when they move the attack from the managed corporate laptop to the unmanaged personal smartphone.

Update your email security

Ask your IT provider whether your current email filtering solution can detect QR codes embedded in attachments and analyse the URLs they contain. Several next-generation email security platforms, including tools from Barracuda and Abnormal Security, now offer this capability. For Italian SMBs working with managed service providers, this should be a specific question in your next security review.

Establish a verification protocol

Create a simple internal rule: if any communication — whether from HR, IT, a supplier, or a bank — asks you to scan a QR code to verify your identity, reset a password, or make a payment, verify it through a second channel before acting. A quick phone call can prevent a costly breach.

The EU regulatory landscape is catching up

The European Union's NIS2 Directive, which member states had to transpose into national law by 17 October 2024 (Italy did so with Legislative Decree 138/2024), expands cybersecurity obligations to a broader range of businesses, including many SMBs in critical supply chains. While quishing is not specifically named, the directive's requirements for incident reporting, risk management, and supply chain security mean that businesses must account for emerging attack vectors like QR code phishing in their security posture.

Italy’s national cybersecurity agency, the ACN (Agenzia per la Cybersicurezza Nazionale), has issued guidance urging businesses to treat QR code-based social engineering with the same seriousness as traditional phishing. This is not a peripheral threat — it is part of the evolving landscape that regulators expect you to manage.

A simple threat that demands a simple response

Quishing works because it exploits trust and convenience — two things that make QR codes useful in the first place. The attack is low-tech, cheap to execute, and highly effective against organisations that have not updated their security awareness to include this vector.

For European SMBs, especially those operating in Italy’s dense network of small businesses and supply chains, the priority is straightforward: make sure your people know this threat exists, verify before you scan, and ensure your technical defences have not left a QR-shaped gap in your security perimeter.


Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.
