“Quishing” Alert: Why QR Codes Are the New Phishing Vector Targeting Las Vegas Businesses


Cybersecurity Alert — Las Vegas, NV
Published by CMIT Solutions of Las Vegas  ·  Local IT  ·  6 min read

CMIT Solutions of Las Vegas  ·  Cybersecurity  ·  June 28, 2026

You scan the QR code on the table at a Strip restaurant. Or the one on the parking kiosk near your office. Or the “scan to check in” sign at a vendor conference at the Convention Center. In Las Vegas, QR codes are everywhere — and that is exactly why cybercriminals are using them to attack Clark County businesses right now.

The attack is called “quishing” — a portmanteau of QR code and phishing. It works because a QR code is just an image. Your email security gateway scans for malicious links in text. It cannot read what is encoded inside a picture. Attackers figured this out and ran with it: QR code phishing campaigns increased 2,400% between May and August 2023 alone, according to researchers at Malwarebytes — and the numbers have continued climbing every quarter since.

This is not a future threat. It is happening to Las Vegas hospitality vendors, law firms, healthcare practices, and construction companies right now. Here is what the attack looks like, why Las Vegas is a prime target, and three specific steps every Clark County SMB should take this week.

How a Quishing Attack Works — Step by Step

The mechanics are simple, which is why they are so effective. An attacker sends an email — often disguised as an HR benefits update, a Microsoft 365 security alert, or a vendor invoice — with a QR code embedded as an image instead of a clickable link.

Your email security gateway scans the message. It sees no suspicious URLs, no known malware signatures, no dangerous attachments. The email lands in the inbox marked clean. The employee, scanning the QR code with their personal smartphone to “verify their account” or “complete an HR action,” is taken to a credential-harvesting page that looks identical to Microsoft, Google, or your line-of-business application.

The Quishing Sequence
1
Attacker crafts a convincing email — an HR notice, a security alert, a vendor invoice — with a QR code image instead of a hyperlink. No malicious text link for your email filter to catch.
2
Email passes all security checks — no suspicious URLs, no known payloads. Arrives in the inbox with a clean bill of health from your gateway.
3
Employee scans the code with their phone — a personal device that has fewer endpoint protections than the company laptop and no VPN.
4
Credential theft complete — employee enters their Microsoft 365, Google Workspace, or banking credentials into a spoofed login page. Attacker now has authenticated access to your environment.

Researchers at Cofense documented one campaign targeting a major U.S. energy company in which more than 1,000 malicious emails containing QR codes were sent in a single wave. The financial services sector, manufacturing, insurance, and technology companies have all been hit at scale. Healthcare is increasingly in the crosshairs — and in Las Vegas, so is hospitality.

Why Las Vegas Is Especially Exposed

Most cities have QR codes. Las Vegas has them on everything. Post-pandemic, the hospitality industry adopted QR menus, QR check-in, QR tipping, and QR event registration at a pace unmatched in North America. The Strip and downtown properties run conventions, trade shows, and entertainment events that generate millions of QR scans per year.

This normalized behavior — employees and guests scanning QR codes dozens of times a day without thinking twice — is exactly the cultural condition attackers exploit. When a QR code in an email looks just like the QR code on the conference badge or the hotel room service menu, the psychological guard drops.

High-Risk Quishing Scenarios for Clark County Businesses

Hospitality & food service vendors — employees who scan QR menus and supplier codes dozens of times a day are conditioned to scan without hesitation. A malicious QR in a vendor email goes unquestioned.

Law firms & professional services — a spoofed court filing notice or bar association renewal with a QR code targets attorneys who handle high-value credentials and client data.

Healthcare practices — fake HIPAA training reminders or benefits enrollment notices with QR codes target staff who handle protected health information and electronic health records.

Construction & real estate companies — subcontractor invoice fraud using QR codes that redirect to spoofed payment portals is a growing vector in high-volume transaction environments.

Convention & event vendors — Las Vegas hosts more trade shows and conventions than any other U.S. city. Fake exhibitor registration and badge collection QR codes are a proven attack surface.

There is an additional compounding factor unique to Las Vegas: the workforce. Many employees in Clark County’s hospitality economy work across multiple properties and vendors, using personal smartphones rather than managed corporate devices. When a quishing attack lands on a personal phone, it bypasses every endpoint protection control your IT team has deployed on company hardware.

Why Your Email Security Gateway Won’t Stop This

Secure email gateways (SEGs) — tools like Microsoft Defender, Proofpoint, and Mimecast — are excellent at scanning links in email bodies. They follow URLs, detonate attachments in sandboxes, and check sender reputation. What they cannot do reliably is decode the content of every QR code image in every email.

Attackers exploit this in layers. First, they encode the malicious URL inside the QR image so there is no text link to scan. Then they wrap the QR image in a PNG or PDF attachment, adding another layer of obfuscation. Finally, they use legitimate redirect services — Bing redirect URLs, Salesforce links, Cloudflare Web3 domains — so even if the gateway does attempt to follow the URL, it hits a trusted domain first before being redirected to the credential harvesting page.

“By concealing the phishing link within the QR image, attackers achieve a higher likelihood of evading email filters and reaching the recipient’s inbox. The QR image is then further embedded within a PNG or PDF attachment, adding an additional layer of deception.”

Cofense Threat Research, 2023

The result: a technically clean email, delivered to the inbox, with a payload that executes entirely on a personal mobile device that your gateway has never seen and cannot protect. The attack is designed specifically to fall through the gaps in traditional perimeter security.

Three Steps Every Las Vegas Business Should Take This Week

1
Add QR Code Awareness to Your Security Training — Today

Your current security awareness training almost certainly covers email phishing, password hygiene, and social engineering. It almost certainly does not cover quishing as a named, specific threat. Update your training to include a simple rule: never scan a QR code in an email on a personal device without first confirming the sender through a separate channel. Run a simulated quishing exercise against your team — you will be surprised how many scans it generates. CMIT Solutions includes QR code phishing simulations as part of our managed security awareness training for Las Vegas businesses.

2
Enforce MFA on Every Account — Especially Microsoft 365 and Google Workspace

Quishing’s primary goal is credential theft. If an attacker harvests your employee’s Microsoft 365 login, multi-factor authentication (MFA) is the last line of defense that prevents that stolen credential from becoming a full network compromise. Enforce MFA on every user account, every application, every remote access point — with no exceptions for executives or “power users” who find it inconvenient. Phishing-resistant MFA (FIDO2/passkeys) is the gold standard; at minimum, use an authenticator app rather than SMS codes, which are vulnerable to SIM-swap attacks. CMIT Las Vegas can audit and enforce your MFA posture across your entire environment within days.

3
Extend Mobile Device Management (MDM) to Cover BYOD Scenarios

Quishing attacks land on personal phones. If your employees access company email, Microsoft Teams, or any business application on their personal device — and in Las Vegas hospitality and construction, most of them do — that device is part of your attack surface whether you manage it or not. Deploy a Mobile Device Management (MDM) or Mobile Application Management (MAM) policy that enforces minimum security standards on any device that touches your corporate data. At minimum: conditional access policies that block sign-in from devices that lack a screen lock, encryption, and current OS patches. CMIT Solutions can implement this through Microsoft Intune or your existing MDM platform without requiring a full corporate device enrollment.

How CMIT Solutions of Las Vegas Protects Against Quishing

Quishing requires a layered defense because a single tool cannot stop it. Our managed cybersecurity stack for Clark County businesses addresses every layer of the attack chain:

Advanced email security with image-scanning — next-generation email security that attempts QR code decoding as part of message analysis, not just link scanning.

Phishing-resistant MFA enforcement — conditional access policies across Microsoft 365, Google Workspace, and all line-of-business applications.

Security awareness training with QR-specific simulations — ongoing, measured training that includes simulated quishing campaigns to condition your team before attackers do.

Mobile Application Management (MAM) — BYOD policies that enforce minimum security standards on personal devices accessing corporate data, without requiring full MDM enrollment.

24×7 dark web monitoring — if a credential is stolen via quishing and surfaces on dark web marketplaces before your team detects the breach, we alert you immediately and force a password reset before the attacker can act.

The Bottom Line for Las Vegas Businesses

QR codes are not going away in Las Vegas — they are too woven into how hospitality, events, and business operations run here. That means quishing is not a passing threat you can wait out. It is a permanent part of the attack surface every Clark County business needs to manage.

The businesses that get hit are the ones whose employees have never been told that scanning a QR code in an email on a personal phone is a security event — not a routine task. Three controls change that equation: training, MFA enforcement, and mobile device policy. All three can be deployed by a managed IT services provider in days, not months.

Is Your Las Vegas Business Protected Against Quishing?

CMIT Solutions of Las Vegas offers a free cybersecurity assessment for Clark County SMBs — including an audit of your email security, MFA posture, and mobile device exposure. No commitment. Just honest answers about where you stand.

3111 S. Valley View Blvd., Suite A205, Las Vegas, NV 89102  ·  LVsupport@cmitsolutions.com

Back to Blog

Share:

Related Posts

Las Vegas skyline — guide to choosing the best managed IT services in Las Vegas

Your 2025 Guide: Best Managed IT Services in Las Vegas | SMB Buyer’s Checklist

Your 2025 Guide: Choosing the Best Managed IT Services in Las Vegas…

Read More
From casino breaches to law firm hacks, here’s what 2025 looks like for Las Vegas cybersecurity — and how local SMBs can defend themselves.

Las Vegas Cybersecurity Threats in 2025

Las Vegas Cybersecurity Threats in 2025: What SMBs Must Know & How…

Read More

How Data Backup Protects You from Ransomware (Las Vegas SMB Guide)

How Data Backup Protects You from Ransomware: A Practical Guide for Las…

Read More