QR-Code Quishing at the Station — Attack Patterns and Practical Defenses
A few weeks ago I walked through the apparatus bay of a volunteer station in the Midwest and noticed a sticker on the side of the air compressor. It had a QR code that said "Scan for service history and manuals." The sticker looked official. It was laminated and placed at eye level, and nobody knew who put it there. The captain just shrugged and said it was probably the maintenance vendor.
That sticker is a quishing attack waiting to happen. It routes to a credential harvester or a malware download, placed inside a physically secure building where people trust anything that looks official. The attack surface this creates is something most station security assessments never account for.
The Three Attack Patterns Hitting Stations Right Now
Quishing turns a physical space into an attack vector. The QR code bypasses your email gateway entirely because it never arrives over the network. It arrives on a piece of paper. There are three patterns I am seeing in public safety right now.
Fake training sign-in posters. An attacker prints a poster that looks like a mandated training notification, puts it on the bulletin board in the dayroom, and waits. A crew member scans the code with their personal phone to log in for the shift briefing. The code goes to a fake Microsoft 365 login page, and the credentials are harvested before the user realizes the page is wrong.
Spoofed vendor service-request stickers. This is the one I saw in the apparatus bay. Equipment maintenance stickers with QR codes claiming to link to manuals or service portals. Station personnel are trained to report equipment issues, so scanning a code on a broken appliance is a natural response. The attacker counts on that.
Fake parking and visitor QR codes. Stickers placed on parking lot signs or near the station entrance that offer updated parking permit registration or visitor check-in. These target the administrative friction points in a first responder's day. Nobody wants a parking citation and nobody wants to do visitor paperwork the long way.
All three patterns share the same architecture: an attacker puts the code in a physical location where trust runs high and scrutiny runs low. The user scans with a personal device, and the attack route never touches a managed endpoint.
Why Mobile Security Tools Miss QR Phishing Links
The standard security stack in most agencies covers the workstation. EDR agents, DNS filtering, web proxies, email gateway scanning. None of those protect a personal phone scanning a QR code in a breakroom.
The tools miss it for three reasons. Email gateways scan text for known malicious URLs, but QR codes are images. Most email security products do not decode QR codes from attached images in real time, especially when the code is part of a larger graphic or slightly distorted. The scanning happens at the wrong layer.
The device doing the scanning is a personal phone running the default mobile browser. No corporate DNS filter, no managed browser with URL reputation checking. The user hits the phishing page on an unmanaged device with zero visibility for the agency.
And many quishing campaigns use short links and multi-hop redirects to hide the final destination. Even when a QR scanner app shows a URL preview, the preview is often the intermediate short link and not the final landing page. The user sees something innocuous and clicks through.
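The gap between the previewed short link and the final landing page, as an added example that is not part of the original post. The redirect table, its hosts and the `fetch_constructed` helper are constructed stand-ins for live HTTP responses; only `microsoft-verify-login.xyz` comes from the text.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for live HTTP responses:
# URL -> (status code, Location header or None). Hosts are made up.
CONSTRUCTED_HOPS = {
    "https://sho.rt.example/a1": (302, "https://track.example/r?id=77"),
    "https://track.example/r?id=77": (301, "/go/final"),
    "https://track.example/go/final":
        (302, "https://microsoft-verify-login.xyz/signin"),
    "https://microsoft-verify-login.xyz/signin": (200, None),
}


def fetch_constructed(url):
    """Hypothetical fetcher: looks the URL up in the table above."""
    return CONSTRUCTED_HOPS.get(url, (404, None))


def resolve_chain(url, fetch=fetch_constructed, max_hops=10):
    """Follow Location headers hop by hop; return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain  # no further redirect: this is the landing page
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def preview_vs_final(url, fetch=fetch_constructed):
    """Host shown in the scan preview, host serving the page, hop count."""
    chain = resolve_chain(url, fetch)
    first, last = urlsplit(chain[0]).hostname, urlsplit(chain[-1]).hostname
    return first, last, len(chain) - 1
```

The preview host and the landing host differ after three hops, which is why reading only the first URL is not enough when it is a short link.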
"Crew Phones and Social Media at the Scene: A HIPAA Framework Built for Reality" covers some of the same device boundary problems from a regulatory angle. The technical gap is the same. Personal phones sit outside the managed perimeter. You cannot protect what you do not manage, and you cannot manage what you do not own.
Preventing QR Code Phishing in Fire Stations
The fix is not a product. It is procedure and awareness training that matches how station staff actually operate.
The verification rule. If a QR code appears on a poster or sticker inside the station, the person scanning it verifies through an out-of-band channel before following the link. Call the training officer about training posters. Call the vendor directly about equipment stickers, using the phone number you already have rather than one printed on the sticker.
The URL preview habit. Every modern smartphone camera shows a URL preview after scanning a QR code and before following the link. Teach staff to read that URL and ask one question. Does this domain match the organization it claims to be? A fake M365 login page will show a domain like microsoft-verify-login.xyz. That is not Microsoft.
Physical inspection as a shift task. Station captains should walk the common areas periodically and ask whether every sticker makes sense and who put it there. If nobody can answer, the sticker comes down. This is the same discipline as checking the locks on the apparatus bay doors. It is operational awareness, not IT policy.
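The domain question from the URL preview habit, written out as a check that can also be run on the decoded link of any sticker found during the inspection walk. This is an added example, not part of the original post; the allowlist, the shortener list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: domains the agency actually signs in to (illustrative).
EXPECTED_DOMAINS = {"microsoftonline.com", "microsoft.com", "office.com"}
# Assumed examples of link shorteners that hide the final destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

SAMPLES = [  # constructed URLs, as if decoded from QR codes
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft-verify-login.xyz/signin",
    "https://login.microsoftonline.com.portal-check.example/",
    "https://login.microsoftonline.com@portal-check.example/",
    "https://bit.ly/3xAmPlE",
]


def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return (verdict, reasons) for a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # Text before '@' is userinfo, not the host; it can fake a brand.
        reasons.append("userinfo in URL")
    if host in SHORTENERS:
        reasons.append("shortener hides destination")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host")
    if host.replace(".", "").isdigit() or ":" in host:
        reasons.append("raw IP address")
    # Match on a label boundary: the host must be the domain itself or
    # end in ".domain". A brand name elsewhere in the host proves nothing.
    if not any(host == d or host.endswith("." + d) for d in expected):
        reasons.append("host not in expected domains: " + (host or "<none>"))
    return ("ok" if not reasons else "reject", reasons)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample))
```

Only the first sample passes. The third and fourth show why the rightmost part of the host is what counts: both contain the real Microsoft login name but are served by a different domain.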
> He that hath no rule over his own spirit is like a city that is broken down, and without walls. (Proverbs 25:28)
Awareness training that actually works for this audience is scenario based. Put a test QR code in the breakroom that routes to a landing page that says "You just scanned a simulated phishing code. This is how an attacker would have captured your credentials." The visceral lesson of having been tricked in a safe environment sticks longer than any slide deck.
Quishing Attack Patterns for Emergency Services
The thing that makes quishing dangerous in public safety is the same thing that makes stations effective. High trust. Low administrative overhead. People trained to move fast and not second-guess every piece of paper in the building.
An attacker does not need to compromise a network and they do not need a zero-day exploit. They need a color printer and five minutes alone in a hallway.
The managed versus unmanaged device gap is the technical root of the problem. First responder agencies spend heavily on CAD security and ePCR access controls, plus network segmentation. All of that investment is irrelevant when an attacker walks past it through a personal phone that was never part of the security model.
Frequently Asked Questions
What is quishing and how is it different from regular phishing?
Quishing is QR code phishing. The malicious link is encoded in a QR image instead of a text URL, which lets it bypass email filters because the code arrives as an image rather than as a clickable link with a detectable domain.
Why are fire stations especially vulnerable to QR code attacks?
Fire stations have a high-trust culture and lots of physical signage for training and maintenance operations. Attackers exploit that by placing fake posters or stickers that look official. Personnel are conditioned to comply with posted instructions and less likely to question something that appears physically inside the station.
How do I check if a QR code is safe before scanning it?
The safest approach is to verify the source through an out-of-band channel. If a poster claims to be from training, call the training officer. If a sticker claims to be from a vendor, call the vendor using the number on file rather than one on the sticker. If you do scan, check the URL preview before tapping through, looking for misspelled domain names, unusual TLDs, or long random strings.
What should I do if I suspect a QR code in my station is malicious?
Remove the sticker or poster immediately, tell the station captain and the IT contact, and do not scan it. If someone already scanned it, have them report what URL they visited and whether they entered any credentials.
Can mobile security apps protect against quishing?
Some mobile threat defense products can detect malicious URLs when the device is enrolled and the browser routes through a security proxy. Most personal phones in stations are not enrolled in anything. The protection gap is not a tool problem. It is an ownership problem.
That sticker is still sitting on the compressor at that Midwest station. I asked the captain if I could take it down, and he said he would check with maintenance first. That is exactly the attack surface quishing exploits, and it is a social vulnerability rather than a technical one. A person who wants to do the right thing, in an environment where the culture says trust what is inside the building, faced with a code that promises to solve a problem faster.
The fix is straightforward and does not require a purchase order. Verify the source before scanning, read the URL before tapping through, and take down any sticker you cannot explain. Those habits close the gap that a QR code creates, and they do not require a budget line item.
-- Steven