Detecting Quishing Attacks with Machine Learning Techniques Through QR Code Analysis

TL;DR

This paper introduces a novel machine learning framework that detects QR code-based phishing attacks by analyzing QR code structures directly, without extracting embedded content, achieving high accuracy.

Contribution

It is the first to propose QR code structural analysis for quishing detection, moving beyond URL-based methods and demonstrating effective machine learning models.

Findings

XGBoost model achieves an AUC of 0.9106

Feature importance analysis identifies key visual patterns

Refined features improve AUC to 0.9133

Abstract

The rise of QR code-based phishing ("Quishing") poses a growing cybersecurity threat, as attackers increasingly exploit QR codes to bypass traditional phishing defenses. Existing detection methods predominantly focus on URL analysis, which requires the extraction of the QR code payload, and may inadvertently expose users to malicious content. Moreover, QR codes can encode various types of data beyond URLs, such as Wi-Fi credentials and payment information, making URL-based detection insufficient for broader security concerns. To address these gaps, we propose the first framework for quishing detection that directly analyzes QR code structure and pixel patterns without extracting the embedded content. We generated a dataset of phishing and benign QR codes and we used it to train and evaluate multiple machine learning models, including Logistic Regression, Decision Trees, Random Forest, Na\"ive Bayes, LightGBM, and XGBoost. Our best-performing model (XGBoost) achieves an AUC of 0.9106, demonstrating the feasibility of QR-centric detection. Through feature importance analysis, we identify key visual patterns correlated with phishing labels and refine our feature set by removing non-informative pixels, improving performance to an AUC of 0.9133 with a reduced feature space. Our findings reveal that the structural features of QR code correlate strongly with phishing risk. This work establishes a foundation for quishing mitigation and highlights the potential of direct QR analysis as a critical layer in modern phishing defenses.