Every week, security teams deal with a threat most of their tools were not built to handle. Someone sends a QR code by email or prints it on a flyer. A colleague scans it on their phone. The URL hidden inside the image leads somewhere dangerous. No alert fires. No gateway intercepts it. The damage is done before anyone realizes what happened.
This is quishing: QR-code phishing. It now accounts for roughly 12% of all phishing incidents globally, up from a low single-digit baseline just a year ago. The reason it keeps working is structural. The solution, equally, is structural. And it starts with trusted-domain QR codes.
What is quishing and why does it bypass enterprise security?
Quishing combines QR and phishing into a single word and a particularly effective attack. An attacker encodes a malicious URL inside a QR image and delivers it wherever people will scan it: emails, printed signs, shared documents, even physical stickers placed over legitimate codes in cafes or parking meters.
Three things make it hard to stop. First, the URL exists as pixels, not text. Traditional secure email gateways (SEGs) parse links in message bodies and attachments. An image containing a URL is invisible to them. Second, the scan happens on a personal mobile device that sits outside the corporate endpoint perimeter. Whatever protection lives on the company laptop does not follow the user’s phone. Third, mobile browsers truncate long URLs in the address bar, so the spoofed domain is rarely visible before the user is already on the malicious page.
In January 2026, an FBI advisory documented North Korean Kimsuky operators using exactly this pattern against think tanks and government targets. The technique is not experimental. It is operational and widely deployed.
How big is the quishing problem in 2026?
Independent telemetry from Keepnet, Acronis, and Abnormal places QR-borne phishing at roughly 12% of all phishing incidents tracked in early 2026. For context, QR phishing emails climbed from approximately 47,000 in August 2025 to over 249,000 in November of the same year. That is a fivefold increase in four months.
Consumer behavior compounds the exposure. Surveys consistently show that more than 70% of users scan QR codes without checking where the code will take them. There is no friction between seeing a code and acting on it. That absence of friction, which makes QR codes genuinely useful, is exactly what attackers exploit.
Why generic shorteners make the problem worse
A QR code that resolves through a shared shortener is, from a security perspective, indistinguishable from an attacker-controlled code. Domain reputation is pooled across every customer of that platform, including bad actors. A security team cannot whitelist the shortener domain without effectively whitelisting every malicious link hosted there.
The problem is that many platforms in this space were built as link-shortening services for marketing virality. Enterprise identity assurance was not part of the original design. It shows.
When the infrastructure was designed for volume and click-through rates, security properties require retrofitting. Retrofitting is never as solid as original design.
The trusted-domain QR principle
A trusted-domain QR code resolves to a domain that the issuing organization owns, controls, and can authenticate. Three properties make the difference between a code that builds trust and one that merely looks legitimate.
The first is cryptographic ownership. The domain is registered to the enterprise. DNSSEC and CAA records are configurable. TLS certificates are issued to the organization directly, not to a third-party shortener acting as an intermediary.
The second is visible verification. At the moment of scanning, the domain string itself communicates identity. A URL like scan.acme.com/p/123 is readable and parseable by a human in the browser preview. A URL like xyz.io/abc4f is not. That difference matters when you are asking staff to develop habits around URL verification.
The third is an inspectable destination. When the resolved URL belongs to a known, owned domain, security tooling can apply allowlists, pre-render the target, and gate the redirect behind policy. None of this is possible when the intermediary is a shared shortener with pooled reputation.
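The second and third properties are things a redirect service can check mechanically before it sends anyone anywhere. The following is an added example, not QRCodeKIT's code, of a redirect-time destination policy for a hypothetical dynamic-QR service: it requires HTTPS, refuses userinfo and IP-literal hosts that exist mainly to confuse a reader, rejects shared shorteners with pooled reputation, matches the host against enterprise-owned zones on label boundaries (so acme.com.evil.io is not "under" acme.com), and returns the bare hostname a browser preview or interstitial should show. The owned domains and shortener hosts are constructed for the example.

```python
"""Redirect-time destination policy for a trusted-domain QR service.

Added example (not QRCodeKIT's code). It assumes a hypothetical platform
that stores one destination URL per dynamic code and must decide, before
issuing the redirect, whether that destination is inspectable and sits
under an enterprise-owned domain. Domain names below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: the enterprise owns these zones; any host at or under them is allowed.
OWNED_DOMAINS = ("acme.com", "acme-events.co.uk")

# Constructed list of shared shortener hosts whose reputation is pooled
# across every customer, good and bad alike.
SHARED_SHORTENERS = ("xyz.io", "sho.rt")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    preview: str  # human-readable host to show on the interstitial page


def _under(host: str, zone: str) -> bool:
    """True if host equals zone or is a subdomain of it.

    The match is on a label boundary, so 'acme.com.evil.io' does not
    match 'acme.com' the way a plain suffix test would let it."""
    return host == zone or host.endswith("." + zone)


def check_destination(url: str) -> Verdict:
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return Verdict(False, "scheme must be https", "")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return Verdict(False, "no host", "")
    # 'https://acme.com@evil.io/' really goes to evil.io; urlsplit puts the
    # real host in .hostname, but a destination with userinfo has no
    # legitimate use here, so refuse it outright.
    if parts.username is not None or parts.password is not None:
        return Verdict(False, "userinfo in URL", host)
    if not host.isascii():
        return Verdict(False, "non-ASCII host", host)
    try:
        ip_address(host)  # succeeds for IPv4 and IPv6 literals
        return Verdict(False, "IP-literal host", host)
    except ValueError:
        pass
    if any(_under(host, s) for s in SHARED_SHORTENERS):
        return Verdict(False, "shared shortener (pooled reputation)", host)
    if not any(_under(host, z) for z in OWNED_DOMAINS):
        return Verdict(False, "host not under an owned domain", host)
    return Verdict(True, "ok", host)


if __name__ == "__main__":
    for candidate in (
        "https://scan.acme.com/p/123",
        "https://acme.com.evil.io/p/123",
        "https://xyz.io/abc4f",
        "https://scan.acme.com@evil.io/",
    ):
        v = check_destination(candidate)
        print(f"{'ALLOW' if v.allowed else 'DENY ':5} {candidate:40} {v.reason}")
```

The `preview` field is the string the interstitial should print, on its own line and unshortened, so the habit the article asks staff to build (read the domain before proceeding) has something legible to act on even when the mobile address bar truncates the full URL.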
Where QRCodeKIT fits in the enterprise security picture
QRCodeKIT invented dynamic QR codes in 2009. The requirement for owned-domain redirects was part of the architecture from the start, not a feature added later in response to enterprise demand.
Custom domain support, programmable redirects, audit logging, SSO, and access controls are part of the core platform. Every QR code created on QRCodeKIT is dynamic, meaning the destination can be updated at any time without reprinting the physical code. That also means that if a campaign URL needs to change, or if a redirect needs to be disabled immediately, the change takes effect across all existing codes instantly.
This matters for security response as much as it matters for marketing flexibility. The ability to revoke a QR code without destroying the physical asset is a meaningful operational control.

A practical quishing defense checklist
These controls are ordered by impact. The first two address the structural problem. The rest add layers of operational resilience.
- Mandate that every externally distributed QR code resolves to an enterprise-owned subdomain, such as qr.yourbrand.com or scan.yourbrand.com. Generic shorteners should not appear in any externally facing QR code.
- Disable automatic redirect following for third-party shortener domains inside your email security policy. If the destination domain is not on an approved list, the redirect should require confirmation.
- Add a redirect-time allowlist at the QR platform level. Dynamic QR destinations should only be able to point to pre-approved domains. This limits blast radius if a code is compromised.
- Log every scan with IP address, user agent, and geolocation. Set alerts for anomalous geographic patterns, particularly for codes printed in fixed physical locations.
- Use a QR platform that shows users an interstitial preview of the destination domain before the redirect completes. Train staff to read that domain before proceeding.
- For regulated assets, GS1 Digital Link, or EU Digital Product Passport implementations, sign destination payloads so the scanned page can be cryptographically verified against the issuing organization.
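The scan-logging item above is only useful if something reads the log. As an added example (not QRCodeKIT's code), here is detection logic run over a constructed JSON-lines scan log of the kind a QR platform might emit once it has geolocated the scanning IP. It assumes a hypothetical placement registry recording where each printed code physically lives and a generous radius (mobile IP geolocation is coarse), flags scans that are far from that placement or that come from a non-mobile user agent, and raises an alert for a code once it accumulates several such scans, which is the pattern a copied or re-distributed code produces while the physical sign has not moved. All code IDs, coordinates, addresses and log lines are made up.

```python
"""Scan-log anomaly detection for QR codes installed at fixed locations.

Added example, not QRCodeKIT's code. Assumes a hypothetical JSON-lines
scan log (code_id, ts, ip, ua, lat, lon per event) and a constructed
registry of where each printed code is placed. All values are made up.
"""
import json
import math
from collections import defaultdict

# Constructed registry: where each fixed code is installed and how far a
# legitimate scanner could plausibly appear to be after IP geolocation.
PLACEMENTS = {
    "lobby-poster-01": {"lat": 51.5074, "lon": -0.1278, "radius_km": 150},  # London office
    "menu-table-07": {"lat": 40.7128, "lon": -74.0060, "radius_km": 150},   # New York cafe
}

# Constructed sample log; two scans of the lobby code arrive from ~2500 km
# away with a command-line user agent, which no poster in a lobby explains.
SAMPLE_LOG = """
{"code_id": "lobby-poster-01", "ts": "2026-03-02T09:01:10Z", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (iPhone)", "lat": 51.51, "lon": -0.13}
{"code_id": "lobby-poster-01", "ts": "2026-03-02T09:02:41Z", "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Linux; Android 14)", "lat": 51.49, "lon": -0.12}
{"code_id": "lobby-poster-01", "ts": "2026-03-02T09:05:03Z", "ip": "203.0.113.44", "ua": "curl/8.5.0", "lat": 55.75, "lon": 37.62}
{"code_id": "lobby-poster-01", "ts": "2026-03-02T09:05:09Z", "ip": "203.0.113.45", "ua": "curl/8.5.0", "lat": 55.75, "lon": 37.62}
{"code_id": "menu-table-07", "ts": "2026-03-02T13:10:00Z", "ip": "192.0.2.18", "ua": "Mozilla/5.0 (iPhone)", "lat": 40.71, "lon": -74.0}
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_log(text):
    """One dict per non-empty line of a JSON-lines log."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the reasons this scan looks anomalous (empty list = normal)."""
    reasons = []
    place = PLACEMENTS.get(event["code_id"])
    if place is None:
        return ["unknown code_id"]
    dist = haversine_km(place["lat"], place["lon"], event["lat"], event["lon"])
    if dist > place["radius_km"]:
        reasons.append(f"scan {dist:.0f} km from placement")
    ua = event.get("ua", "")
    # A printed code is normally scanned by a phone camera; anything else
    # suggests the decoded URL is being fetched by a script.
    if not any(marker in ua for marker in ("iPhone", "Android", "Mobile")):
        reasons.append("non-mobile user agent")
    return reasons


def detect(text, min_hits=2):
    """Map code_id -> list of (ts, ip, reasons) for codes whose anomalous
    scan count reaches min_hits; codes below the threshold are not alerted."""
    hits = defaultdict(list)
    for event in parse_log(text):
        reasons = classify(event)
        if reasons:
            hits[event["code_id"]].append((event["ts"], event["ip"], reasons))
    return {code: evs for code, evs in hits.items() if len(evs) >= min_hits}


if __name__ == "__main__":
    for code, evs in detect(SAMPLE_LOG).items():
        print(f"ALERT {code}: {len(evs)} anomalous scans")
        for ts, ip, reasons in evs:
            print(f"  {ts} {ip} {'; '.join(reasons)}")
```

The per-code threshold matters: a single far-away scan is usually a traveller or a mis-geolocated carrier address, while several in a short window for a code glued to a wall is the signal worth paging on. Because every event is keyed by the code's own ID rather than a pooled shortener slug, the alert already tells the responder which physical asset to inspect and which dynamic redirect to disable.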
Why architecture matters more than features
There is a difference between a platform that offers trusted-domain QR codes as a feature and one that was built around that principle from the start. The distinction is not cosmetic.
When domain isolation is designed in from the beginning, every other part of the system reflects it: how redirects are stored, how scan data is attributed, how access controls are scoped, how audit logs are structured. Security becomes a consequence of the architecture, not a layer added on top.
When it is added later, the seams show. Redirect logic built for pooled, anonymous shortening does not naturally produce per-tenant audit trails. Access controls retrofitted onto a consumer-grade system tend to have gaps. The enterprise pricing tier may include the branded domain, but the underlying infrastructure still handles reputation the same way it always did.
QRCodeKIT has operated on a per-tenant model since 2009. Every scan, every redirect, every data point belongs to the account that generated the code. There is no shared pool. The domain your code resolves to is your domain, with your reputation, inspectable only by your security tools.
That is not a feature introduced in response to a threat report. It is a design decision made seventeen years ago that happens to be exactly what enterprise quishing defense requires today.
What is the difference between quishing and regular phishing?
Regular phishing delivers a malicious URL as text, either in the message body or as a visible hyperlink. Secure email gateways can parse, inspect, and block these links. Quishing encodes the same URL inside a QR image. Because the URL is rendered as pixels rather than text, the same gateway tools that catch conventional phishing cannot see it. The result is that quishing bypasses a layer of security that organizations have spent years building and trusting.
Does using a custom domain on a QR platform fully solve the quishing problem?
It solves the structural problem that makes most enterprise quishing attacks possible: it ensures your codes resolve to a domain with isolated reputation that your security tools can inspect and allowlist. It does not eliminate the risk of an attacker creating a separate malicious QR code and presenting it as if it came from your organization. That residual risk is addressed through user training, physical code integrity checks (looking for stickers placed over legitimate codes), and scan-time interstitial previews. Custom domains are the most important single control, but defense requires layers.
How does this relate to the EU Digital Product Passport?
The EU Digital Product Passport registry launches on July 19, 2026. DPP regulations require that QR codes on regulated products resolve to signed, authoritative destinations that can be verified against the issuing organization. This is precisely the trusted-domain model. Organizations preparing for DPP compliance that also implement trusted-domain QR codes for general use are effectively building the same infrastructure once for two purposes.

Is this only relevant for large enterprises?
No. Any organization that uses QR codes in customer-facing contexts, whether a mid-size retailer, a hospitality group, or a professional services firm, faces the same structural exposure. The attack is not targeted at enterprise size. It targets the gap between the QR image and the destination URL. That gap exists regardless of organization scale. The controls described here are available on paid QRCodeKIT plans starting at accessible price points and require no developer involvement to implement.
All images and visual content in this article were created using RealityMAX.