QR code phishing is now live on RapidPhish 🚀
We’re excited to announce a major new capability inside RapidPhish: QR code phishing simulations are now available.
As attackers evolve, so must security testing. QR-based phishing — often called “quishing” — has surged over the past two years, bypassing traditional email security controls and shifting attacks onto mobile devices. Now, you can safely test your organisation’s exposure to this growing threat — using the same campaign credits and workflow you already know.
The Rise of QR Code Phishing
QR codes have become normalised.
We scan them to:
- Log into applications
- Access restaurant menus
- Approve Microsoft 365 sessions
- Download apps
- Join Wi-Fi networks
They’ve become frictionless and trusted. Attackers have noticed. Instead of embedding a suspicious hyperlink in an email, they include a QR code. The victim scans it with their phone — instantly bypassing:
- Email link rewriting and sandboxing
- URL inspection tools
- Secure email gateways
- Desktop browser protections
Why Users Are More Likely to Scan
There’s a powerful psychological factor at play. When users see a link in an email, they’ve been trained to hesitate. When they see a QR code, it feels:
- More physical
- More “official”
- More secure
- Less obviously malicious
QR codes also create urgency:
“Scan to re-authenticate your account.”
“Scan to review your payroll document.”
“Scan to avoid account suspension.”
Users don’t see the destination URL before scanning. There’s no hover preview. No visible red flags. The act of scanning feels intentional — and therefore safe. But it isn’t.
How Modern QR Phishing Works
In real-world attacks, the flow often looks like this:
- A user receives an email containing a QR code.
- They scan it using their phone.
- The QR code directs them to a login page that mirrors Microsoft 365 or Google Workspace.
- They enter credentials.
- They complete MFA.
- The attacker captures the authenticated session token.
This is where modern phishing has evolved. It’s no longer just about stealing usernames and passwords. It’s about intercepting authentication in real time using reverse proxy techniques — often referred to as Adversary-in-the-Middle (AiTM) attacks. Once a session token is captured, the attacker may gain access without needing the password or second factor again. MFA works — but the session is compromised.
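A defender-side view of the token capture described above, added here as an example and not part of RapidPhish or the original post: it scans constructed sign-in events for a session that is reused from a different IP address and user agent than the one that completed MFA. The event fields and values are assumptions, not any identity provider's log schema.

```python
from datetime import datetime

# Constructed sample events (not real logs). Tuple layout is an assumption:
# (timestamp, user, session_id, source_ip, user_agent, event_type)
EVENTS = [
    ("2026-01-12T09:01:10", "a.khan", "S1", "203.0.113.10", "Mobile Safari", "mfa_success"),
    ("2026-01-12T09:03:42", "a.khan", "S1", "198.51.100.77", "Firefox/Linux", "mailbox_access"),
    ("2026-01-12T09:04:05", "a.khan", "S1", "198.51.100.77", "Firefox/Linux", "file_download"),
    # Same browser, new IP: typical of a phone moving from mobile data to Wi-Fi.
    ("2026-01-12T09:05:00", "b.osei", "S2", "203.0.113.25", "Chrome/Windows", "mfa_success"),
    ("2026-01-12T09:20:00", "b.osei", "S2", "203.0.113.99", "Chrome/Windows", "mailbox_access"),
    # Same IP, new user agent: typical of a second app on the same device.
    ("2026-01-12T10:00:00", "c.lee", "S3", "203.0.113.40", "Mobile Chrome", "mfa_success"),
    ("2026-01-12T10:02:00", "c.lee", "S3", "203.0.113.40", "Mail App", "mailbox_access"),
]

def find_session_replay(events):
    """Return one alert per session that is used from a different IP *and*
    a different user agent than the client that completed MFA."""
    origin = {}      # session id -> (time, ip, user agent) at MFA completion
    flagged = set()  # sessions already alerted on
    alerts = []
    for ts, user, sid, ip, ua, kind in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if kind == "mfa_success":
            origin[sid] = (when, ip, ua)
            continue
        if sid not in origin or sid in flagged:
            continue  # no MFA context for this session, or already reported
        t0, ip0, ua0 = origin[sid]
        if ip != ip0 and ua != ua0:
            flagged.add(sid)
            alerts.append({
                "user": user,
                "session": sid,
                "mfa_ip": ip0,
                "reuse_ip": ip,
                "reuse_ua": ua,
                "delay_s": int((when - t0).total_seconds()),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

Requiring both the IP and the user agent to change keeps ordinary network switches out of the alerts, at the cost of missing a replay that copies the original user agent.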
Why You Must Test This Scenario
Many organisations run phishing simulations. But most still test:
- Basic credential harvesting
- Generic landing pages
- Desktop-focused attacks
Very few simulate QR-based login flows. Even fewer test how users behave when authentication and MFA are involved. That leaves a gap. If your organisation hasn’t tested QR phishing, you don’t know:
- How many users would scan
- How many would enter credentials
- How many would complete MFA
- Which departments are highest risk
In 2026, this is no longer optional testing. It’s essential.
QR Code Campaigns — Now Inside RapidPhish
We’ve built QR code phishing simulation directly into RapidPhish.
You can now:
- Select QR-based templates
- Embed QR codes within email campaigns
- Track scans, credential submissions, and engagement
- Measure behaviour across mobile-driven attack flows
All within the same intuitive campaign builder. No separate pricing. No additional modules. No complexity.
Same Pricing. Same Credits.
QR campaigns are priced exactly the same as standard phishing campaigns.
Your existing campaign credits can be used for:
- Traditional link-based phishing simulations
- QR code phishing simulations
This makes it simple to:
- Rotate between attack styles
- Run blended campaigns
- Benchmark QR vs link-based engagement
You decide how to use your credits.
Why This Matters for Security Teams
Security leaders are under pressure to answer harder questions:
- “Would our users fall for a modern MFA bypass?”
- “Are we exposed to QR-based attacks?”
- “How does mobile phishing risk compare to desktop?”
With QR phishing simulation now live, you can move beyond theory. You can measure it. You can identify high-risk users. You can provide targeted training. You can demonstrate proactive risk management to the board.
Why This Matters for MSPs
For managed service providers, QR phishing adds a powerful new capability to your security offering.
You can now:
- Differentiate from basic awareness platforms
- Demonstrate testing aligned to current attack trends
- Deliver more advanced reporting
- Increase perceived value of managed phishing services
And because it uses the same credit model, packaging it into client engagements is straightforward.
The Future of Phishing Testing
Attackers don’t stand still. They adapt to MFA. They adapt to secure email gateways. They adapt to user awareness. QR phishing is one of the fastest-growing examples of that evolution. By bringing QR code phishing simulation into RapidPhish, we’re ensuring your testing reflects the real-world threat landscape — not last year’s version of it.
Ready to Run Your First QR Campaign?
If you’re already a RapidPhish customer, QR templates are now available inside your dashboard. If you’re new to RapidPhish, now is the perfect time to see how modern phishing simulation should look. Because in today’s threat environment, it’s not enough to ask:
“Do we have MFA enabled?”
You also need to ask:
“Have we tested the ways attackers bypass it?”
QR phishing simulation is now live. Let’s test what actually matters.