Highlights

*22% of phishing emails use QR codes, bypassing security filters.

*The leading attack is credential theft spoofing 2FA reset emails.

*Multipronged approach of tech and awareness critical for defense.

Overview

As we enter 2025, one cybersecurity threat poised to dominate the landscape is quishing—a tactic that exploits QR codes to steal credentials and sensitive data.

Quishing attacks aren’t new, but their frequency and sophistication spiked dramatically in late 2024 with thousands of email-based attempts reported daily.

In this week’s feature of the VENZA Echo, we examine the rise and evolution of quishing, along with practical steps hoteliers can take to strengthen their defenses in 2025.

Evolving Threat

Quishing has existed since QR codes became widely adopted, with the Chinese government even banning QR payments in 2014 due to widespread fraud. However, as the pandemic propelled QR codes into mainstream use, cybercriminals began leveraging this technology more frequently.

These early attacks largely aimed to infect mobile devices with malware or tracking software. The turning point came in 2023 where quishing incidents surged by 587%.

Attack Vector

Phishing leveraging QR codes now accounts for 22% of all email scams. Why? By embedding malicious domains within codes, emails can evade traditional link threat monitoring and security filters. Additionally, recipients often scan QR codes using their less secure mobile devices, creating another vulnerability even within otherwise fortified organisations.

Credential phishing dominates 89.3% of quishing campaigns, with attackers posing as trusted businesses to deceive users. Notably, 56% of detected quishing emails impersonate Microsoft’s two-factor authentication reset or enablement notifications.

With quishing on the rise and 86% of ransomware attacks stemming from malicious emails, the risk to hoteliers is both immediate and significant.

Hotelier Defense

As it is impossible to determine whether a QR code will download malware or redirect to a malicious site by simply looking at it, hoteliers must adopt a comprehensive, multipronged defense strategy. This approach combines awareness training, technological safeguards, and strict operational protocols to reduce exposure and prevent successful attacks.

Training and Awareness
Effective defense against quishing begins with training.

Employees must be educated on the risks associated with scanning unsolicited QR codes, particularly those received via email. Awareness campaigns should include clear guidance on recognizing suspicious messages and adhering to a “Stop and Verify” policy, where staff validate the source of any QR code before scanning it.

Technological Safeguards

Advanced email security systems play a crucial role in identifying and blocking emails containing suspicious QR codes. Organisations should adopt QR code scanning tools capable of previewing URLs, allowing users to assess links before accessing them. While quishing attacks often attempt to bypass Multifactor Authentication (MFA), ensuring its implementation across all applicable systems remains a critical preventative measure.

Procedural Controls
Establishing clear policies and protocols is essential for minimizing quishing risks. Staff should be explicitly prohibited from scanning QR codes from unsolicited or unverified sources—especially on personal devices. Additionally, access to critical systems should be restricted on mobile devices whenever possible to minimize overall exposure.

Conclusion

As quishing emerges as a predominant cybersecurity threat for 2025, hoteliers must remain vigilant. The escalating complexity of these attacks calls for a strategic, multipronged defense—one that merges employee awareness, technological safeguards, and strict procedural controls to protect both operations and guest trust.

Feeling overwhelmed? Don’t worry. As the leading experts in hospitality cybersecurity and data protection, VENZA offers tailored solutions for defense, ensuring your hotels stay secure, compliant, and ready for the challenges of 2025 and beyond.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.