When a Galway accountancy practice received what appeared to be a Revenue Commissioners notification asking staff to scan a QR code to verify their tax registration details, two employees did exactly that. Within forty minutes, the practice's Microsoft 365 accounts had been accessed using credentials captured through a fake Revenue login page. Client files were visible to an attacker in a different country. The attack had bypassed every email security filter the practice had in place, because QR codes embedded in PDF attachments are not read by most email scanning systems. This type of attack — called quishing — is growing rapidly in Ireland, and most Irish businesses have not yet updated their staff training to cover it.
What Quishing Is and How It Works
Quishing is QR code phishing. It works on a simple principle: anyone can generate a QR code in seconds that encodes any URL, and a person looking at the code cannot tell where it leads until a device decodes it. The code is simply a different wrapper around the same malicious link, one that human eyes and most mail filters cannot read.
The attack typically unfolds in one of two ways. The first and most common is the email-based variant. A staff member receives an email that appears to be from a trusted organisation — Revenue, a bank, An Post, a courier service, or even an internal IT department. The email contains a PDF attachment or an embedded image showing a QR code, with instructions to scan it to verify an account, complete a payment, or access a document. The QR code leads to a convincing replica of the genuine organisation's login page. The staff member enters their credentials. The attacker captures them and is into the account within minutes.
The NCSC Ireland published a dedicated Quick Guide to QR Code Phishing Scams in early 2025, identifying this as a growing threat vector for Irish organisations.[^1] The reason quishing has grown so rapidly is precisely that it bypasses the email security controls most businesses have invested in. A suspicious link in an email body is plain text: a mail filter can extract it, compare it against reputation lists and rewrite or block it. A QR code in an image or PDF is pixels. Unless the filter decodes the image, it never sees the URL encoded inside, and most filters do not. The link is then opened on whatever phone scanned the code, which is often outside the business's web filtering altogether.
The second variant is physical. Criminals place fake QR code stickers over legitimate codes in high-footfall locations — restaurant tables, parking payment machines, public noticeboards, event posters. A staff member or customer scans what they believe is a legitimate payment system and enters card details into a criminal's fake site. An Garda Síochána's National Cyber Crime Bureau has recorded multiple incidents of this type in Irish towns and cities, including in Donegal.[^2]
Have your staff received specific training on how to recognise a quishing attack, and do they know what to do if they think they have been caught out? Book a free 20-minute strategy call — we will help you assess your current awareness training and identify the gaps that leave your team exposed.
Why It Matters for Irish Business
For a small business, the consequences of a successful quishing attack can be severe and move fast. Stolen email credentials give an attacker access to every email, every contact, every document, and every connected system linked to that account. Business email compromise — where the attacker uses the hijacked account to redirect supplier payments or request fraudulent transfers — is a direct financial threat that has cost Irish SMEs hundreds of thousands of euros in documented cases.
Under the GDPR, a personal data breach must be reported to the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected.[^3] If an attacker accesses a business email account containing customer data, which describes almost every business email account, you have a notification obligation on top of the immediate security response. Meeting that deadline depends on having an incident response plan ready before you need it.
Staff using personal mobile phones for work — which is common in Irish SMEs, particularly in hospitality, retail, and professional services — face elevated risk. Personal devices typically lack the web filtering, antivirus, and device management controls that properly managed business devices carry. A quishing attack that would be blocked on a managed laptop can succeed on a personal smartphone because no one has deployed the defences.
The Controls That Reduce Your Risk
The primary defence against quishing is staff awareness, because the attack relies on human action rather than on a technical vulnerability. Every staff member who uses email or a mobile phone for work needs to understand three things. First, before scanning any QR code, whether in an email, on a document, or in a physical location, pause and consider whether you were expecting it and whether the context makes sense. Second, most QR scanner apps and the built-in camera apps on iPhone and Android show the destination URL before opening it: read that URL before proceeding, just as you would check a link in an email, and stop if it shows a link shortener or a domain that is not the organisation's own. Third, urgency is a manipulation signal. Messages that demand immediate action ("scan now to avoid a fine", "your account will be suspended") are designed to override your scepticism. That pressure is the warning sign, not the reason to comply.
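The following is an added example written for this article, not code from the NCSC guide or from Pragmatic Security. It shows the triage that a mail filter or a help desk could apply to a URL once it has been decoded from a QR code, the step that, as noted earlier, most email scanners skip because they never read the URL, and the same checks a staff member is asked to make by eye when the camera app shows the destination. Decoding the image itself is assumed to be done by the phone's camera app or by a library such as pyzbar and is outside this snippet. The trusted-domain, shortener and brand-keyword lists, and every URL in the demo, are constructed for the example.

```python
"""Triage a URL decoded from a QR code before anyone opens it.

Added example for this article (not NCSC Ireland or Pragmatic Security code).
Turning the pixels into a URL is left to the scanner app or a library such as
pyzbar; this covers the step mail filters skip: judging the URL itself.
The lists below are constructed for the example and would be maintained by
the organisation using it.
"""
import ipaddress
from urllib.parse import urlsplit

# Registrable domains the organisation recognises as genuine (constructed).
TRUSTED_DOMAINS = {"revenue.ie", "ros.ie", "anpost.com", "microsoftonline.com", "google.com"}
# Brand words an attacker is likely to embed in a lookalike hostname (constructed).
BRAND_KEYWORDS = ("revenue", "anpost", "microsoft", "office365", "google", "bankofireland")
# Public shorteners hide the real destination from the camera-app preview.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de", "rb.gy", "is.gd", "cutt.ly"}
# Wording typical of a credential lure.
LURE_WORDS = ("verify", "login", "signin", "secure", "account", "payment", "tax", "fine", "suspend")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Good enough for the demo; production code
    should use a public-suffix list, e.g. the tldextract package."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    """True for raw IPv4/IPv6 hosts, which legitimate login pages never use."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_qr_url(url):
    """Return (verdict, reasons) for a URL decoded from a QR code.

    verdict is one of:
      "block"      - not an http(s) URL at all (javascript:, data:, intent:, ...)
      "trusted"    - HTTPS, no tricks, registrable domain on the allowlist
      "suspicious" - one or more indicators listed in reasons; do not enter credentials
      "unknown"    - nothing flagged, but not on the allowlist either
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []

    if scheme not in ("http", "https") or not host:
        return "block", ["not an http(s) URL with a hostname"]

    # "https://revenue.ie@evil.example/" shows the brand first, but the browser
    # connects to evil.example. urlsplit() separates the userinfo from the host.
    if parts.username is not None:
        reasons.append("decoy name or credentials before '@' in the URL")
    if scheme == "http":
        reasons.append("plain HTTP: no certificate vouches for the site")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a domain name")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) hostname: possible homograph")

    domain = registrable_domain(host)
    if domain in SHORTENERS:
        reasons.append("URL shortener: the real destination is hidden from the preview")
    elif domain not in TRUSTED_DOMAINS:
        # A brand name inside a hostname the brand does not own is the classic lookalike.
        brand = next((w for w in BRAND_KEYWORDS if w in host.replace("-", "")), None)
        if brand:
            reasons.append(f"'{brand}' appears in a hostname whose domain ({domain}) is not the brand's")
            lure = [w for w in LURE_WORDS if w in (parts.path + "?" + parts.query).lower()]
            if lure:
                reasons.append("credential lure wording in path: " + ", ".join(lure))

    if reasons:
        return "suspicious", reasons
    if domain in TRUSTED_DOMAINS:
        return "trusted", ["HTTPS and registrable domain on the allowlist"]
    return "unknown", ["not on the allowlist; treat as untrusted until checked"]


def triage(urls):
    """Assess a batch of decoded URLs; returns {url: (verdict, reasons)}."""
    return {u: assess_qr_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample of URLs a QR decoder might hand back.
    samples = [
        "https://www.revenue.ie/en/online-services/",
        "https://revenue-ie-verify.com/login",
        "https://revenue.ie@203.0.113.5/tax",
        "https://bit.ly/3x-example",
        "javascript:alert(1)",
        "https://example.com/menu",
    ]
    for url, (verdict, reasons) in triage(samples).items():
        print(f"{verdict:10} {url}")
        for r in reasons:
            print(f"           - {r}")
```

The allowlist does the real work: the verdict "trusted" is only given when the registrable domain is one the organisation has recorded, so a convincing replica on revenue-ie-verify.com is caught by its domain, not by how the page looks. Everything else is a tell that should stop a scan from proceeding to a login form, and the last check (registrable domain) should be swapped for a proper public-suffix lookup before relying on it.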
For businesses that use QR codes in their own operations — menus, payments, customer check-ins — there are specific physical controls to apply. Use tamper-evident materials for printed codes, or display codes on digital screens where a sticker overlay is obviously out of place. Check all physical QR codes weekly to verify they have not been covered with a fraudulent replacement.
If a member of staff thinks they may have scanned a malicious code and entered their credentials, the response needs to happen quickly. Change the password on the affected account immediately and sign out all of its active sessions, because a password change alone does not end a session the attacker has already opened (Microsoft 365 and Google Workspace both offer this from the admin console). Enable multi-factor authentication if it was not already on. Ask your IT provider or security adviser to review the account for unauthorised sign-ins, newly created mailbox forwarding or inbox rules, and unfamiliar MFA methods, which are the usual ways an attacker keeps access after the password is changed. Report the incident to An Garda Síochána and, if business data may have been accessed, to the NCSC Ireland at [email protected].
Three Actions to Take This Week
There are three steps that every Irish business should take now in response to the quishing threat.
1. Add quishing to your next staff briefing. You do not need a formal training programme to cover this. A five-minute conversation at your next team meeting, showing staff what a quishing email looks like and explaining the "pause before you scan" habit, will make a meaningful difference. The NCSC Ireland provides free visual guides that you can use directly.
2. Enable multi-factor authentication on every business email account. MFA does not prevent credential theft: an attacker can still capture a username and password through a quishing attack. What it does is stop the attacker from signing in with that password alone. Be aware that some phishing kits now proxy the genuine login page and relay the MFA prompt in real time, so where the platform offers it, prefer phishing-resistant methods (passkeys or FIDO2 security keys, or number matching in the authenticator app) over SMS codes. For Microsoft 365 and Google Workspace, enabling MFA takes less than twenty minutes and is the single highest-impact control you can deploy.
3. Check your QR codes if you use them in your business. Inspect each one physically to confirm it has not been tampered with. Scan it yourself to verify it leads where it is supposed to lead. If you are using printed sticker codes, consider moving to digital displays.
Quishing is growing because awareness has not kept pace with the attack. Addressing it is straightforward, fast, and inexpensive.
Related Reading
- AI-Powered Phishing: Why Your Employees Can No Longer Spot the Fakes
- Building a Human Firewall: Security Awareness Training That Works
- Setup MFA on Microsoft 365 in 20 Minutes
[^1]: NCSC Ireland, Quick Guide to QR Code Phishing Scams and general advice for organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission, guidance on data breach notification obligations: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.