Cyber Security Training & Software for Companies | MetaCompliance


Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters



Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 

Financial Services

Creating A First Line Of Defence For Financial Service Organisations


A Go-To Security Awareness Solution For Governments


A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives



From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

MetaCompliance | Cyber Security Training & Software for Employees


With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes


Meet the MetaCompliance Leadership Team


Stay informed about cyber awareness training topics and mitigate risk in your organisation.

What Is Quishing? Prevention And Security Measures

What Is Quishing? Prevention And Security Measures

about the author

Share this post

Quishing is a phishing attack using QR codes to trick people into visiting harmful websites or downloading malware. Cybercriminals exploit the versatility of QR codes, which can contain links, documents, or payment portals, to deceive individuals.

During the Covid-19 pandemic, a small, black-and-white square established itself firmly between vaccine selfies and curfews: the QR code. Not much earlier, it had been presumed dead and hardly worth reaching for the smartphone, but now it quickly turned into a sort of all-purpose tool. Rapid tests, warning apps, vaccination certificates, train tickets, contact-free payments… or in a nutshell: the gateway to normal life. It is a well-known fact that there is no light without shadow. And so, the potential for danger that is contained in this inconspicuous little box is terrifying. 

Quishing: The Calamitous Comeback of the QR Code

QR stands for “quick response code” A two-dimensional barcode, it appears to be the natural and organic result of our desire to access everything as quickly and easily as possible – with everything only one scan away. It allows immediate transfer of large amounts of information. Both its ease of use and the pandemic acted as catalysts for a new kind of phishing attack: so-called quishing, a term combining “QR” and “phishing”. 

In traditional phishing attacks, cybercriminals use dubious emails, instant messages or websites to fish for passwords and other personal data. 

In the case of quishing attacks, criminals take advantage of the above-mentioned characteristics of QR codes to hide deceptive information behind the black and white checks. Quishing emails are usually designed with great care – you could even say, lovingly. They are made to look authentic. Apparently, it is no longer in vogue among cybercriminals to try and woo potential victims with the news of a multi-million dollar inheritance. Even though some of the potential recipients would certainly enjoy an imaginary trip to a dream summer residence in Saint-Tropez, especially during the dark winter months. 

Today’s cybercriminals prefer a subtle approach. They target the weaknesses of the human spirit. The feeling of unbearable torture when you have to deal with troublesome procedures. So they threaten to close a bank account or the user account of a favourite online shop. 

Contactless Conception Followed by the Fall

Conventional security mechanisms only scan standard attachments and URLs. However, those measures tend to fail with QR codes. Among the most popular schemes are requests to accept an updated data policy or prompts to set up a new security procedure. And of course, this is all to be done simply and comfortably by scanning a QR code. The criminal toolbox even contains important documents, to be downloaded effortlessly through a QR code. 

It is understandable that the recipients want to get rid of this unpleasant mixture of emotions as quickly as possible: the impression of being forced to action, combined with the desire to turn to more enjoyable things right now. But who doesn’t like to relish the feeling of productivity after having taken care of that annoying bank issue? Scanning the code is only a matter of seconds – often with disastrous consequences. Unlike the case of Holy Mary, this contactless conception can turn into sin.

Morays Lurking for Data

Those who comply with the deceptive requests find themselves on forged websites, made up with painstaking attention to detail. After all, the header must sport the exact same shade of royal blue as the Volksbank logo that was nicked off the original website. Various techniques are employed to disguise malicious links and bypass warning messages. A common method consists in misusing content management systems like WordPress and their plugins. Hidden behind fake landing pages, they lure potential victims into their trap. There have also been reports of cybercriminals using Google’s feed proxy server “FeedBurner” for redirection purposes. Another common practice is the use of a custom domain for the redirection process as well as the phishing site itself. Danger is imminent – even if malware defence systems fail to sound the alarm. 

Once the perfect delusion has been created, cybercriminals only want one thing: personal data. Like a moray eel lurking in its cave, waiting to get hold of usernames and passwords. Too many recipients forget all precautions when their working day is drawing to a close, with a sundowner calling to them from the terrace. They miss the additional letter in the URL, and only seconds later, their data has been entered into the deceptively realistic-looking registration interface. Phishing URLs targeting Sparkasse customers often start with ‘spk-’, while ‘vr-’ is a common prefix for forged Volksbank sites. 

In occupational environments, there is a particular risk when private smartphones bypass a company’s internal security mechanisms. Quishing is ideally suited for this purpose. Once the dangerous code has been scanned, malicious content secretly infiltrates the mobile device. From there, it quickly reaches email inboxes, contact details or documents that are managed through cloud solutions. The perfect gateway. If such an attack occurs and affects critical data, the fire is likely to spread and infect company resources. A type of malware that has recently attracted particular attention is ransomware. Its threat potential is enormous. A sinister imperative, and according to the BSI (the German Federal Office for Information Security), its capacity for damage is multiplied when it affects company networks. 

Quishing samples screen

Quishing e-mails from the Volksbank & Sparkasse

Digital Reginheris

The purpose of ransomware is to encrypt user data. Once this process has been completed, the victim faces a ransom demand. The number of affected companies is shockingly high. Their IT and business processes are disrupted. What is more, the criminals often threaten to disclose or sell the data. They target companies of all shapes and sizes. According to the Cyber Readiness Report published by Hiscox in 2022, 48% of German companies pay ransom money after such an attack. The extorted amount is often in the six-figure Euro range. According to the BSI, however, eight-figure sums have been demanded in some cases. 
Many victims are shocked to find that criminals continue to make demands even after they have paid up. One might think that the perpetrators could have sprung up from a moderately exciting history documentary. Those scenarios are reminiscent of the year 845, when the Viking leader Reginheri put Paris under siege. Charles the Bald, king of West Francia, decided that resistance was futile and paid a sum of 7,000 pounds of silver for the Danish troops to withdraw. Similar to their colleagues in the cyberspace 1,200 years later, the Norsemen and shield-maidens were unable to resist the temptation to extort further payments. So they continued their attacks.

Modern criminals may not sport braided beards or wear battle axes on their shoulders, but they are serious about their demands, even when the ransom has already been paid. Whether they give in to extortion attempts or not, the consequences are usually grave for individuals, businesses and public institutions. Quishing can cause massive damage: loss of data and reputation, GDPR breaches or financial loss, to name but a few. 

How Can I Protect Myself from Quishing?

The question may not have the same cinematic potential as Viking attacks, but it holds just as much suspense: how can you protect yourself from quishing? 

“If in doubt, do not scan any QR codes” – this is a rather obvious, but nonetheless valid answer. However, problems tend to arise in cases where there do not seem to be any doubts. Cybercriminals are skilled in exploiting deeply ingrained human dispositions and needs to manipulate individuals – so-called social engineering. It only takes a splash of ignorance to complete the cocktail of catastrophe. This is what makes it so difficult to protect oneself without fail. Still, there are a few simple rules that help minimise the risk:   

  • Treat QR codes as if they were links. Whether you find them on guerrilla campaign posters, on documents or in emails, QR codes are essentially links and pose the same risks.
  • Do not enter any sensitive data. Reputable service providers will never send an email asking you to supply confidential login credentials. 
  • Always check the email address or the browser address bar if you are already accessing a dubious webpage. 
  • Check emails and website content carefully. Amusing typos are no longer a distinctive feature of cybercrime. Most texts are well-phrased. Still, the BSI mentions several characteristics that should arouse suspicion, even if only one of them applies: 
  1. Urgent need for action  
  2. Threats of serious consequences in the event of non-compliance 
  3. Request to enter sensitive data 
  4. The email contains links, QR codes or forms 
  5. Unusual requests from a known person or organisation 
  • If in doubt, double-check through an official communication channel of the service provider in question 
  • Never download or open files from email attachments or websites unless you are absolutely sure that they are genuine. 

Use two- or multi-factor authentication. Even if criminals manage to get their hands on your data, they will still be missing an additional factor to log in. 

Just like images of smokers’ lungs on cigarette packages, fear-mongering and simplified rules of conduct are only moderately successful – they are usually forgotten after just a few days. This means that information security must be integrated into the corporate philosophy. Therefore, our most important tip is to undertake continuous security awareness training and promote awareness in your company. After all, employee ignorance of these issues is still the biggest problem when it comes to the various risks relating to tabnabbing or other cyberattacks. Explore how our Cyber Training Awareness Program for Employees can bolster your organisation’s defenses against tabnabbing and various other online threats.

Other Articles on Cyber Security Awareness Training You Might Find Interesting