Click to toggle navigation menu.

Quishing and Cyber Insurance: How QR Code Phishing Works and Where Your Policy Responds

< BACK

By Ryan Windt | Head of Growth Marketing | Updated June 2026


Email security has gotten significantly better at catching phishing links. Secure email gateways scan URLs, sandbox suspicious attachments, and flag known malicious domains before they reach an inbox. Attackers noticed.

Quishing is the response. Instead of embedding a malicious link directly in an email, attackers embed a QR code. The email security gateway sees an image, not a URL. It has nothing to scan. The employee scans the QR code with their phone, which opens the malicious link in a mobile browser, outside the corporate security stack entirely.

The technique works because it routes the attack through a device and a browser that most organizations have not secured to the same standard as their corporate endpoints. Mobile devices often lack EDR. Mobile browsers do not pass through the corporate proxy. And employees have been trained to be suspicious of links in emails, not of QR codes, which still carry an association with convenience rather than threat.

Quishing attacks have grown significantly as a proportion of phishing attempts, and they are appearing in cyber insurance claims. This post explains how these attacks work, what they typically lead to, and how your policy responds when one succeeds.


How Quishing Attacks Work

The mechanics of a quishing attack follow a consistent pattern, with variations in the delivery method and the objective.

The delivery. Most quishing attacks arrive by email, but the technique has expanded to physical environments as well. Attackers have placed fake QR codes over legitimate ones in parking meters, restaurant menus, package delivery notices, and public signage. In corporate environments, malicious QR codes have been placed on printed documents left in common areas, attached to fake IT helpdesk notices, and embedded in DocuSign-style document requests.

The lure. The email or document framing is designed to create urgency. Common lures include multi-factor authentication resets, Microsoft 365 or Google Workspace account verification requests, payroll or HR portal updates, package delivery notifications, and document signature requests. The goal is to give the recipient a reason to scan the code immediately, without pausing to verify it.

The destination. Scanning the QR code opens a URL on the employee’s mobile device. That URL typically leads to one of three destinations: a credential harvesting page designed to look like a Microsoft, Google, or corporate login portal; an adversary-in-the-middle phishing kit that captures credentials and session tokens in real time; or a malware download page targeting mobile operating systems.

The outcome. The most common immediate outcome is credential theft. The attacker captures the employee’s username and password, and in many cases the session token that bypasses MFA. From there, the attack path depends on what the compromised account can access: email, cloud storage, financial systems, or internal applications.

How adversary-in-the-middle phishing defeats MFA and what underwriters are asking about it: AiTM Phishing Is Breaking MFA: What Cyber Insurance Underwriters Now Want to Know


Why Quishing Bypasses Standard Email Security

Understanding why quishing is effective requires understanding what email security tools actually inspect.

Secure email gateways and Microsoft Defender for Office 365 analyze URLs and attachments. They follow links, detonate attachments in sandboxes, and compare content against threat intelligence feeds. These tools have become highly effective at catching traditional phishing emails that contain malicious links or executable attachments.

A QR code embedded in an email is an image file. The gateway sees pixels arranged in a pattern. It does not decode the QR code, resolve the embedded URL, or evaluate the destination. The email passes through inspection cleanly.

The second bypass point is the device. When the employee scans the QR code, the link opens on their personal or corporate mobile device. That device is almost certainly not passing traffic through the corporate proxy or VPN that would apply filtering to a desktop browser. It may not have any mobile endpoint security installed at all. The corporate email security stack, the web proxy, and the endpoint security tool are all bypassed in a single step.

This is why quishing has become an increasingly attractive technique as organizations have invested heavily in email security: the investment is largely irrelevant to the attack vector.

How email security controls interact with cyber insurance underwriting: Email Security Controls and Cyber Insurance: What DMARC, DKIM, and SPF Mean for Your Coverage


What Quishing Attacks Lead To

Quishing is a delivery mechanism, not an end goal. What happens after a successful quishing attack depends on what the attacker was after and what the compromised account can reach.

Account takeover. The most immediate outcome is control of the compromised employee’s account. From a corporate email account, an attacker can monitor communications, intercept financial transactions, impersonate the employee to colleagues or clients, set up forwarding rules to maintain access, and pivot to other accounts the employee has access to.

Business email compromise. A compromised email account is frequently the starting point for a BEC scheme. Attackers use the access to identify pending wire transfers, payment approvals, or vendor relationships, then redirect funds or manipulate payment details. The quishing attack that harvested the credential is the first step; the wire fraud is the financial loss.

Ransomware deployment. In corporate environments, a compromised credential with access to internal systems can be used to move laterally, escalate privileges, and ultimately deploy ransomware. The quishing attack that began with an HR portal lure can end with an encrypted network if the compromised account had sufficient access.

Data exfiltration. Access to cloud storage, SharePoint, or corporate applications can enable data theft without any malware deployment. Attackers exfiltrate client data, financial records, or intellectual property and then threaten to publish it, a pattern increasingly common in double extortion scenarios.

How cyber insurance responds to AI-assisted social engineering and credential attacks: AI-Assisted Social Engineering: How Attackers Use It and Where Your Policy Responds


How Cyber Insurance Responds to a Quishing Attack

Quishing attacks are social engineering attacks that use a novel delivery mechanism. How your policy responds depends on how the attack is classified and what the ultimate loss category is.

Credential Theft Leading to Account Takeover

If a quishing attack results in credential theft and account takeover without a direct financial loss or data breach, the coverage picture depends on what the attacker does with the access. The credential theft itself is not a covered loss. The downstream consequences are.

If the account takeover leads to a data breach, breach response coverage applies: forensic investigation, legal counsel, notification costs, and regulatory defense. If it leads to business interruption, BI coverage responds. The attack vector does not determine coverage; the resulting loss category does.

Business Email Compromise and Wire Fraud

If a quishing attack leads to account takeover that enables a BEC scheme and a fraudulent wire transfer, the relevant coverage is social engineering or funds transfer fraud coverage. This is not universally included in cyber policies and is frequently sublimited.

The coverage analysis turns on whether the policy covers losses arising from social engineering that did not originate from a direct email instruction. Some policies define social engineering coverage narrowly around fraudulent instructions received by the insured, not around credential theft that enabled the attacker to issue those instructions from inside the compromised account. The distinction matters and is worth reviewing with your broker before an incident.

Social engineering and funds transfer fraud coverage explained: Social Engineering and Funds Transfer Fraud Coverage: What Cyber Insurance Pays and What It Doesn’t

Ransomware Deployment

If the quishing-enabled credential theft leads to ransomware, standard ransomware coverage applies: ransom payment (subject to OFAC compliance), IR costs, forensic investigation, and business interruption. The delivery mechanism does not affect ransomware coverage. What matters is whether the policy has adequate limits, whether ransomware sublimits apply, and whether the policy requires specific security controls that the organization can demonstrate were in place.

The MFA Carve-Out Problem

One coverage issue specific to quishing is the MFA carve-out. Some cyber policies include conditions or exclusions that limit coverage for credential-based attacks when MFA was not in place on the compromised account. Quishing attacks specifically target the MFA layer: AiTM-style quishing kits capture the session token that bypasses MFA even when the employee completed the MFA prompt.

An organization that had MFA deployed but lost a session token to a quishing attack may face a carrier argument that the credential compromise occurred despite MFA, raising questions about whether the MFA condition was satisfied. This is an emerging coverage issue that has not been fully resolved across the market. Organizations that have experienced MFA bypass via quishing should document that MFA was in place and functioning and engage legal counsel early in the claims process.

MFA deployment and what underwriters actually verify: MFA and Cyber Insurance: What to Deploy, How to Document It, and What Underwriters Require


Reducing Quishing Risk: What Underwriters Want to See

Underwriters are not yet asking about quishing specifically on most applications. But the controls that reduce quishing risk map directly to controls underwriters already evaluate.

Phishing-resistant MFA. FIDO2 authenticators and hardware security keys are not vulnerable to AiTM-style session token theft the way TOTP codes and push notifications are. Phishing-resistant MFA does not eliminate quishing risk, but it eliminates the MFA bypass problem that makes quishing-enabled credential theft so damaging. Underwriters increasingly favor phishing-resistant MFA for higher limits and are beginning to require it for some coverage categories.

Mobile device management. Quishing attacks route through mobile devices specifically because those devices often lack security controls. MDM enrollment on corporate devices, with conditional access policies that prevent unmanaged personal devices from accessing corporate resources, limits the attack surface. Underwriters are beginning to ask about MDM as part of endpoint security questions.

Security awareness training that includes QR code threats. Most employee phishing training focuses on email links and attachments. Training that specifically addresses QR code risks, including the physical placement scenario, closes a meaningful awareness gap. Documented training programs are a positive signal in underwriting.

Conditional access policies. Requiring device compliance checks before granting access to corporate applications limits what a stolen session token can reach. Even if an attacker captures credentials and a session token via a quishing kit, conditional access policies that require a managed, compliant device add a meaningful barrier.

The full set of controls underwriters evaluate: Cyber Insurance Requirements: What Underwriters Actually Check


Frequently Asked Questions

Is quishing covered under a standard cyber insurance policy?

Yes, in most cases, but coverage is triggered by the resulting loss category rather than the delivery mechanism. A quishing attack that leads to a data breach is covered under breach response. One that leads to a wire transfer loss is covered under social engineering or funds transfer fraud coverage, subject to sublimits and policy conditions. The quishing technique itself is not an exclusion.

Does cyber insurance cover losses from QR codes placed on physical documents or signage?

Coverage depends on the loss that results, not the physical delivery method. A quishing attack via a fake QR code on a printed notice that leads to credential theft and a subsequent data breach would be covered under the same breach response provisions as a quishing attack delivered by email. The physical versus digital delivery distinction does not appear in standard policy exclusions.

What if MFA was bypassed in a quishing attack? Does that affect my coverage?

This is an emerging issue. Policies that condition coverage on MFA being in place should not exclude coverage when MFA was bypassed by a sophisticated attack rather than absent. However, carriers may ask detailed questions about MFA deployment and whether the specific account compromised had MFA enabled. Document your MFA posture thoroughly and engage legal counsel early if this question arises in a claim.

How is a quishing attack different from a standard phishing attack for insurance purposes?

From a coverage perspective, the distinction is minimal. Both are social engineering delivery mechanisms that lead to credential theft or malware installation. The coverage analysis focuses on what the attacker did with access once they had it, not on how they obtained it. The practical difference is in detection and prevention: quishing bypasses email security controls that catch standard phishing, which affects how the incident is identified and how quickly it is contained.

Should I report a quishing attempt that did not result in a credential compromise?

You are not required to report failed phishing attempts under your cyber policy. However, if your organization experiences a pattern of targeted quishing attempts, notifying your carrier proactively is reasonable. Some carriers offer threat intelligence or additional security resources in response to active targeting. A failed quishing attempt that is caught and documented is also useful evidence of your security awareness program in action.



Quishing is a phishing technique designed to bypass the security controls most organizations have invested in. If you want to confirm your policy responds correctly to credential-based attacks and social engineering losses, contact SeedPod Cyber.

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.