Quishing is now the dominant initial vector across our customer base

Q1 2026 platform-wide telemetry shows QR-code phishing has overtaken email-only campaigns in click-through. What that means operationally.

Our Q1 2026 platform-wide simulation telemetry crossed an inflection point we have been watching for a while: QR-code phishing (quishing) campaigns now exceed pure-email campaigns in click-through across our customer base. Aggregated across 240 customers and 2.4M simulation deliveries, quishing campaigns landed at a 22% engagement rate against pure email at 18%.

The shift has been visible in quarterly trends for over a year. What changed in Q1 2026 was the magnitude — quishing went from a notable secondary vector to the primary initial vector for the active campaign volume.

There are three drivers worth flagging.

First, the mechanism's structural advantage. QR codes route the click through a personal mobile device, bypassing the corporate email proxy and most email-security perimeter controls. From the moment the user scans the code, detection responsibility moves to the mobile device — which most corporate environments do not instrument.

Second, the social pattern. QR codes are normalised in post-pandemic Europe in a way they were not pre-2020. Restaurants, conferences, public-transit ticketing, government services — the QR code has become a familiar interaction pattern. The friction barrier to scanning a code from an unsolicited email is lower than it was three years ago.

Third, the lure design. Email-only campaigns suffer from URL inspection: the user sees the URL, hovers over it, and identifies the suspicious domain. QR codes route around URL inspection entirely. By the time the user has scanned the code and landed on the destination, they have already invested effort in the interaction and are less likely to back out.

Operationally, the shift implies three things. (a) Email-security layer investment alone is no longer the right defensive priority; mobile-device telemetry and MDM posture matter more than they used to. (b) Awareness training has to evolve from "check the URL" toward "expect, recognise, and report unusual scan requests". (c) Simulation programmes that have not included quishing campaigns are measuring an increasingly unrepresentative threat picture.

We have moved quishing campaigns into the default rotation for new customer onboarding and have expanded the QR-vector library aggressively in the last two quarters. The full library now covers 380 quishing templates across the 14 supported languages.

Our quarterly behavioural benchmark for Q2 2026 will publish quishing-specific cohort data alongside the headline metrics. The full anonymised dataset will be on the resources page from early July.

About the author. Pedro Santos is Founder & CTO at TrendTech. He sets the technical direction and oversees the platform engineering team.