Quishing Surge: QR Phishing Hits NC Small Businesses 2026

QR code phishing jumped 146% in Q1 2026 as Microsoft analyzed 8.3B threats. NC small businesses need image-aware filtering and MFA. Call (336) 886-3282.

TL;DR: QR code phishing, or "quishing," surged 146% in the first quarter of 2026, climbing from 7.6 million blocked attempts in January to 18.7 million in March, according to Microsoft's Q1 2026 email threat analysis of 8.3 billion phishing threats. Quishing works because the malicious link is hidden inside an image that text-based email filters cannot parse, and because it pushes the victim from a managed desktop onto an unmanaged personal phone. With 73% of users scanning QR codes without verifying the destination, North Carolina small businesses need image-aware email filtering, phishing-resistant MFA, and targeted awareness training, not just a spam filter.

Key takeaway: Your existing spam filter was built to read text links. Quishing hides the link inside a picture and moves the click to a phone your IT team does not control. Closing that gap takes layered email security plus MFA, not a single product.

Worried a fake QR code could drain a business account? Preferred Data Corporation runs a 30-minute email and identity exposure check for North Carolina businesses. Call (336) 886-3282 or request a security review. Serving NC since 1987.

What is quishing and why is it surging in 2026?

Quishing is a phishing attack that delivers a malicious URL encoded inside a QR code image instead of a clickable text link. According to Microsoft's Q1 2026 analysis reported by TechRadar, the company detected and analyzed 8.3 billion email phishing threats in the first quarter alone, and QR-based attacks rose 146% across the quarter, from roughly 7.6 million in January to 18.7 million in March.

The technique is surging for three reasons:

  1. Filter evasion. Traditional secure email gateways parse the text body of a message and extract hyperlinks to scan them. A QR code is an image, so the payload is invisible to text-only inspection.
  2. Device hopping. Scanning a code moves the victim from a corporate laptop, with endpoint protection, DNS filtering, and a web proxy, onto a personal phone with none of those controls.
  3. Trust conditioning. Years of restaurant menus, parking meters, and payment apps have trained employees to scan first and think later. Keepnet research found 73% of users scan QR codes without verifying where they lead.

How does quishing actually target a North Carolina small business?

Answer capsule: A typical 2026 quishing attack arrives as a PDF or image claiming to be a payroll update, MFA re-enrollment, voicemail, or DocuSign request. The QR code routes to a credential-harvesting page that mimics Microsoft 365, and the stolen login fuels business email compromise and wire fraud.

The common lures hitting Piedmont Triad and Research Triangle businesses include:

  • "Your Microsoft 365 password expires today, scan to keep access"
  • "New MFA enrollment required, scan with your phone"
  • "You have a secure voicemail, scan to listen"
  • "Updated direct deposit form, scan to confirm"
  • Fake DocuSign, Adobe, or QuickBooks approval requests

Because the landing page is opened on a phone, the employee sees a small browser bar, no hover preview, and a convincing Microsoft login clone. Once credentials are entered, attackers log in, register their own MFA method, and begin reading email to plan a business email compromise wire-fraud attack. This pattern aligns with the broader 2026 IBM X-Force finding that stolen credentials and identity remain a primary entry path for SMB breaches.

How bad is the quishing problem by the numbers?

| Metric | 2025-2026 value |
|---|---|
| Email phishing threats Microsoft analyzed in Q1 2026 | 8.3 billion |
| QR phishing volume, January 2026 | ~7.6 million |
| QR phishing volume, March 2026 | ~18.7 million |
| Quarter-over-quarter quishing increase | 146% |
| Share of all phishing using image-based payloads | ~12% |
| Users who scan QR codes without verifying destination | 73% |
| SMB share of all cyberattacks in 2025 | 43% |
| Small businesses closing within 6 months of a major attack | 60% |

Sources: TechRadar / Microsoft Q1 2026, Keepnet, Astra Security SMB statistics.

Ready to close the QR phishing gap? Preferred Data hardens Microsoft 365 and Google Workspace email against image-based attacks. Call (336) 886-3282 or book an email security review.

How can NC small businesses defend against quishing?

Defense capsule: Layer image-aware email filtering on top of the native Microsoft 365 or Google Workspace controls, enforce phishing-resistant MFA so a stolen password is not enough, run QR-specific awareness training, and add 24/7 monitoring that catches the post-compromise login, not just the email.

1. Layer image-aware email filtering

Native Microsoft 365 and Google Workspace filtering catches a large volume of text-based phishing but is weaker against codes embedded in images and attachments. Modern email security that performs optical analysis of images, decodes embedded QR codes, and detonates the destination URL in a sandbox closes the primary gap. This is the single highest-leverage control because it removes reliance on the employee spotting the attack.
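The filtering gap described above, as an added example that is not part of the original article: a text-link scanner finds nothing to scan in a constructed quishing message, so a triage step routes it to image analysis instead. The sample message, the lure pattern, and the `triage` function are assumptions for illustration; the QR decode and URL detonation themselves happen in the image-analysis stage and are not shown.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed lure pattern, modeled on the "scan to ..." subject lines listed earlier.
LURE_RE = re.compile(r"\bscan\b.*\b(phone|code|qr|access|listen|confirm)\b", re.I | re.S)

# Constructed sample: lure text, no hyperlink, one inline PNG (only a stub of bytes).
RAW = """\
From: it-support@example.test
To: user@example.test
Subject: Your Microsoft 365 password expires today
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today, scan to keep access.</p><img src="cid:qr1">
--b1
Content-Type: image/png
Content-ID: <qr1>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

def triage(raw):
    """Return what a text-only scanner sees and whether image analysis is needed."""
    msg = message_from_string(raw, policy=policy.default)
    links, images, text = [], [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            text.append(body)
            links += URL_RE.findall(body)      # all a text-link filter can extract
        elif ctype.startswith("image/") or ctype == "application/pdf":
            images.append(ctype)               # where a QR payload would hide
    lure = bool(LURE_RE.search(msg["Subject"] + " " + " ".join(text)))
    # Image or PDF present plus scan-lure wording or no links: send to QR decode.
    return {"text_links": links, "image_parts": images,
            "route_to_image_analysis": bool(images) and (lure or not links)}

if __name__ == "__main__":
    print(triage(RAW))
```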

2. Enforce phishing-resistant MFA

The end goal of most quishing is a working Microsoft 365 or Google login. Phishing-resistant MFA (passkeys or FIDO2 security keys) defeats the credential-replay step even if the employee enters their password on the fake page. Where passkeys are not yet practical, app-based number-matching MFA is the minimum standard. Microsoft has long reported that MFA blocks the overwhelming majority of automated account-takeover attempts, the exact follow-on step in a quishing chain. Pair this with our multi-factor authentication business guide.

3. Train for the specific scenario, not generic phishing

Generic "don't click links" training does not cover an attack with no link to click. Effective 2026 training teaches staff to:

  • Treat any QR code in an email, PDF, or unexpected letter as untrusted
  • Never scan a work-related code with a personal phone
  • Reach login pages by typing the known address, never via a scanned code
  • Report suspected quishing the same way they report phishing

Simulated quishing campaigns measure real behavior and reduce scan rates over time.

4. Add 24/7 monitoring for the post-compromise login

Because quishing moves the click to an unmanaged phone, the first event your controls can reliably see is the attacker's login: impossible travel, a new MFA method registered, unusual mailbox rules, or mass forwarding. A managed 24/7 SOC watching identity logs can disable the account before wire fraud occurs. This is why outsourced security monitoring is the practical model for businesses without a security team.
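One way to express the post-compromise correlation described above, as an added example that is not from the original article or any vendor product: a sign-in from a country outside the user's baseline, followed within an hour by a new MFA method or inbox rule, raises a disable-account alert. The event schema, thresholds, and sample events are constructed assumptions, not a real log format.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed: follow-on action must occur this soon
TRAVEL = timedelta(hours=2)   # assumed: country change faster than this is "impossible"
FOLLOW_ON = {"mfa_method_added", "inbox_rule_created"}

# Constructed events in a hypothetical normalized schema.
EVENTS = [
    {"ts": "2026-03-02T13:05:00", "user": "ap@example.test", "type": "signin", "country": "US"},
    {"ts": "2026-03-03T13:10:00", "user": "ap@example.test", "type": "signin", "country": "US"},
    {"ts": "2026-03-03T14:02:00", "user": "ap@example.test", "type": "signin", "country": "NL"},
    {"ts": "2026-03-03T14:06:00", "user": "ap@example.test", "type": "mfa_method_added"},
    {"ts": "2026-03-03T14:11:00", "user": "ap@example.test", "type": "inbox_rule_created"},
    {"ts": "2026-03-03T15:00:00", "user": "hr@example.test", "type": "signin", "country": "US"},
    {"ts": "2026-03-03T15:20:00", "user": "hr@example.test", "type": "mfa_method_added"},
]

def detect(events):
    """Return (user, signal, action) alerts in time order."""
    known, last, suspect, alerts = {}, {}, {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "signin":
            countries = known.setdefault(user, set())
            if countries and e["country"] not in countries:
                # Off-baseline sign-in: do not add it to the baseline.
                fast = ts - last[user] < TRAVEL
                alerts.append((user, "impossible_travel" if fast else "new_country", "review"))
                suspect[user] = ts
            else:
                countries.add(e["country"])   # first or familiar country
            last[user] = ts
        elif e["type"] in FOLLOW_ON and user in suspect and ts - suspect[user] <= WINDOW:
            # New MFA method or mailbox rule right after a suspicious sign-in.
            alerts.append((user, e["type"], "disable_account"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The second user's MFA enrollment raises no alert because it follows a sign-in that matches that user's baseline.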

Comparison: typical SMB email security vs. quishing-resistant posture

| Control | Typical SMB default | Quishing-resistant posture |
|---|---|---|
| Email filtering | Text-link scanning only | Image OCR + QR decode + URL detonation |
| MFA | SMS or password only | Passkeys / FIDO2 or number-matching |
| Mobile devices | Personal phones, unmanaged | Policy: no work codes on personal phones |
| Awareness training | Annual generic phishing | Quarterly, quishing-specific simulations |
| Detection | Inbox only | Identity log monitoring, 24/7 SOC |
| Response | Hours to days | Account disabled in minutes |

What Preferred Data Corporation does to stop quishing

Preferred Data Corporation has protected North Carolina small business email and identity for 37+ years. Our quishing-specific services include:

  • Email security hardening: Image-aware filtering and URL detonation layered on Microsoft 365 or Google Workspace
  • Identity hardening: Phishing-resistant MFA, conditional access, and legacy-auth lockdown
  • Security awareness program: Quishing-specific training and simulated campaigns with reporting
  • 24/7 SOC monitoring: Identity and mailbox monitoring that catches the post-compromise login
  • Incident response: Rapid account lockdown, mailbox rule cleanup, and BEC investigation

Learn more about our managed cybersecurity services.

Key takeaway: Quishing is not a new idea; it is an old idea wrapped in a picture to dodge your filters and a phone to dodge your endpoint controls. NC small businesses defeat it with layered email security, phishing-resistant MFA, targeted training, and monitoring that watches the login, not just the inbox.

About Preferred Data Corporation

Preferred Data Corporation provides managed IT, cybersecurity, cloud solutions, and network infrastructure for small and mid-sized businesses across the Piedmont Triad, Research Triangle, and broader North Carolina market. Headquartered in High Point, NC since 1987, with a 20+ year average client retention, BBB A+ rating, and on-site coverage within 200 miles, we are the trusted security partner for NC manufacturers, construction firms, healthcare practices, and professional services.

Frequently Asked Questions

What is quishing in simple terms?

Quishing is phishing that hides the malicious web address inside a QR code image. Because the link is a picture rather than text, many email filters cannot read it, and because people scan codes with their phones, the attack lands on a device with no corporate security controls. According to Microsoft's Q1 2026 data, these attacks rose 146% in a single quarter.

Will Microsoft 365 or Google Workspace stop quishing on their own?

They block a meaningful share but were primarily built to scan text links, so image-embedded QR payloads frequently slip through. Layering email security that performs image analysis, decodes embedded codes, and detonates the destination URL is what closes the gap for most NC small businesses.

Why is a stolen Microsoft 365 password so dangerous?

A working login lets attackers read email, register their own MFA, set hidden forwarding rules, and impersonate executives to redirect customer or payroll payments. This business email compromise pattern is one of the costliest fraud types for small businesses, which is why phishing-resistant MFA matters even more than the email filter.

How much does layered email and identity protection cost?

Comprehensive managed email security, MFA enforcement, awareness training, and 24/7 monitoring for a typical 50-person NC business runs in the low thousands per month, a fraction of the average SMB breach cost of $254,445 and far below wire-fraud losses that routinely reach six figures.

Can awareness training alone solve quishing?

No. With 73% of users scanning codes without checking the destination, training reduces but does not eliminate risk. Training works best as one layer alongside image-aware filtering and phishing-resistant MFA so that a single human mistake does not become a breach.

Should we ban QR codes entirely?

A blanket ban is impractical because legitimate vendors use them. The workable policy is: never scan a work-related QR code from email or unexpected mail, and always reach login pages by typing the known address. Combine that policy with technical controls rather than relying on it alone.


References

  1. TechRadar. (2026). QR code phishing surges 146% as Microsoft detects and analyzes 8.3 billion phishing threats in Q1 2026. https://www.techradar.com/pro/security/qr-code-phishing-surges-146-percent-as-microsoft-detects-and-analyzes-8-3-billion-phishing-threats-in-q1-2026-attackers-are-changing-tactics-to-bypass-security
  2. Keepnet Labs. (2026). QR Code Phishing Trends: In-Depth Analysis of Rising Quishing Statistics. https://keepnetlabs.com/blog/qr-code-phishing-trends-in-depth-analysis-of-rising-quishing-statistics
  3. Acronis. (2026). Why QR Code Phishing Is the New 2026 Security Blind Spot. https://www.acronis.com/en/blog/posts/qr-code-phishing-evasive-threats-2026/
  4. IBM. (2026). IBM 2026 X-Force Threat Index: AI-Driven Attacks are Escalating. https://newsroom.ibm.com/2026-02-25-ibm-2026-x-force-threat-index-ai-driven-attacks-are-escalating-as-basic-security-gaps-leave-enterprises-exposed
  5. Astra Security. (2026). Small Business Cyber Attack Statistics 2026. https://www.getastra.com/blog/security-audit/small-business-cyber-attack-statistics/