Cybersecurity Alert — Las Vegas, NV
Published by CMIT Solutions of Las Vegas · Local IT · 6 min read
CMIT Solutions of Las Vegas · Cybersecurity · June 28, 2026
You scan the QR code on the table at a Strip restaurant. Or the one on the parking kiosk near your office. Or the “scan to check in” sign at a vendor conference at the Convention Center. In Las Vegas, QR codes are everywhere — and that is exactly why cybercriminals are using them to attack Clark County businesses right now.
The attack is called “quishing” — a portmanteau of QR code and phishing. It works because a QR code is just an image. Your email security gateway scans for malicious links in text. It cannot read what is encoded inside a picture. Attackers figured this out and ran with it: QR code phishing campaigns increased 2,400% between May and August 2023 alone, according to researchers at Malwarebytes — and the numbers have continued climbing every quarter since.
This is not a future threat. It is happening to Las Vegas hospitality vendors, law firms, healthcare practices, and construction companies right now. Here is what the attack looks like, why Las Vegas is a prime target, and three specific steps every Clark County SMB should take this week.
How a Quishing Attack Works — Step by Step
The mechanics are simple, which is why they are so effective. An attacker sends an email — often disguised as an HR benefits update, a Microsoft 365 security alert, or a vendor invoice — with a QR code embedded as an image instead of a clickable link.
Your email security gateway scans the message. It sees no suspicious URLs, no known malware signatures, no dangerous attachments. The email lands in the inbox marked clean. The employee, scanning the QR code with their personal smartphone to “verify their account” or “complete an HR action,” is taken to a credential-harvesting page that looks identical to Microsoft, Google, or your line-of-business application.
Researchers at Cofense documented one campaign targeting a major U.S. energy company in which more than 1,000 malicious emails containing QR codes were sent in a single wave. The financial services sector, manufacturing, insurance, and technology companies have all been hit at scale. Healthcare is increasingly in the crosshairs — and in Las Vegas, so is hospitality.
Why Las Vegas Is Especially Exposed
Most cities have QR codes. Las Vegas has them on everything. Post-pandemic, the hospitality industry adopted QR menus, QR check-in, QR tipping, and QR event registration at a pace unmatched in North America. The Strip and downtown properties run conventions, trade shows, and entertainment events that generate millions of QR scans per year.
This normalized behavior — employees and guests scanning QR codes dozens of times a day without thinking twice — is exactly the cultural condition attackers exploit. When a QR code in an email looks just like the QR code on the conference badge or the hotel room service menu, the psychological guard drops.
►
►
►
►
►
There is an additional compounding factor unique to Las Vegas: the workforce. Many employees in Clark County’s hospitality economy work across multiple properties and vendors, using personal smartphones rather than managed corporate devices. When a quishing attack lands on a personal phone, it bypasses every endpoint protection control your IT team has deployed on company hardware.
Why Your Email Security Gateway Won’t Stop This
Secure email gateways (SEGs) — tools like Microsoft Defender, Proofpoint, and Mimecast — are excellent at scanning links in email bodies. They follow URLs, detonate attachments in sandboxes, and check sender reputation. What they cannot do reliably is decode the content of every QR code image in every email.
Attackers exploit this in layers. First, they encode the malicious URL inside the QR image so there is no text link to scan. Then they wrap the QR image in a PNG or PDF attachment, adding another layer of obfuscation. Finally, they use legitimate redirect services — Bing redirect URLs, Salesforce links, Cloudflare Web3 domains — so even if the gateway does attempt to follow the URL, it hits a trusted domain first before being redirected to the credential harvesting page.
“By concealing the phishing link within the QR image, attackers achieve a higher likelihood of evading email filters and reaching the recipient’s inbox. The QR image is then further embedded within a PNG or PDF attachment, adding an additional layer of deception.”
The result: a technically clean email, delivered to the inbox, with a payload that executes entirely on a personal mobile device that your gateway has never seen and cannot protect. The attack is designed specifically to fall through the gaps in traditional perimeter security.
Three Steps Every Las Vegas Business Should Take This Week
Your current security awareness training almost certainly covers email phishing, password hygiene, and social engineering. It almost certainly does not cover quishing as a named, specific threat. Update your training to include a simple rule: never scan a QR code in an email on a personal device without first confirming the sender through a separate channel. Run a simulated quishing exercise against your team — you will be surprised how many scans it generates. CMIT Solutions includes QR code phishing simulations as part of our managed security awareness training for Las Vegas businesses.
Quishing’s primary goal is credential theft. If an attacker harvests your employee’s Microsoft 365 login, multi-factor authentication (MFA) is the last line of defense that prevents that stolen credential from becoming a full network compromise. Enforce MFA on every user account, every application, every remote access point — with no exceptions for executives or “power users” who find it inconvenient. Phishing-resistant MFA (FIDO2/passkeys) is the gold standard; at minimum, use an authenticator app rather than SMS codes, which are vulnerable to SIM-swap attacks. CMIT Las Vegas can audit and enforce your MFA posture across your entire environment within days.
Quishing attacks land on personal phones. If your employees access company email, Microsoft Teams, or any business application on their personal device — and in Las Vegas hospitality and construction, most of them do — that device is part of your attack surface whether you manage it or not. Deploy a Mobile Device Management (MDM) or Mobile Application Management (MAM) policy that enforces minimum security standards on any device that touches your corporate data. At minimum: conditional access policies that block sign-in from devices that lack a screen lock, encryption, and current OS patches. CMIT Solutions can implement this through Microsoft Intune or your existing MDM platform without requiring a full corporate device enrollment.
How CMIT Solutions of Las Vegas Protects Against Quishing
Quishing requires a layered defense because a single tool cannot stop it. Our managed cybersecurity stack for Clark County businesses addresses every layer of the attack chain:
■
■
■
■
■
The Bottom Line for Las Vegas Businesses
QR codes are not going away in Las Vegas — they are too woven into how hospitality, events, and business operations run here. That means quishing is not a passing threat you can wait out. It is a permanent part of the attack surface every Clark County business needs to manage.
The businesses that get hit are the ones whose employees have never been told that scanning a QR code in an email on a personal phone is a security event — not a routine task. Three controls change that equation: training, MFA enforcement, and mobile device policy. All three can be deployed by a managed IT services provider in days, not months.
CMIT Solutions of Las Vegas offers a free cybersecurity assessment for Clark County SMBs — including an audit of your email security, MFA posture, and mobile device exposure. No commitment. Just honest answers about where you stand.
3111 S. Valley View Blvd., Suite A205, Las Vegas, NV 89102 · LVsupport@cmitsolutions.com