EncryptedTechnology: Texas Cyber Command (TXCC) FY 2026-27 Certification Pending Learn more →

Threat AwarenessJanuary 5, 2026· 5 min read

Phishing, Spear Phishing, and Quishing: The Evolving Threat Every Employee Must Recognize

Most employees know phishing exists. Far fewer recognize spear phishing — and almost none are trained to spot quishing, the QR code attack that bypasses traditional email filters entirely.

By EncryptedTechnology Security Team

The word "phishing" entered mainstream awareness years ago. Most employees have sat through at least one training module that explained: attackers send fraudulent emails pretending to be legitimate organizations to steal credentials or install malware. Do not click suspicious links. Check the sender's email address.

That knowledge is real — and no longer sufficient. The phishing threat has evolved into a family of related attacks that require updated training. The three most critical variants for organizations to address in 2026 are traditional phishing, spear phishing, and quishing — and most employees have received substantive training on only the first.

Traditional Phishing: Mass-Scale and Still Effective

Traditional phishing remains the highest-volume attack vector precisely because it works at scale. Attackers send the same message to thousands or millions of recipients, impersonating familiar brands — a bank, a shipping company, an IT department — and waiting for a small percentage to click. The math favors the attacker: even a 0.1% success rate across a million emails yields 1,000 compromised accounts or systems.

What has changed is the quality. AI-generated phishing emails have eliminated most of the grammatical and formatting tells that security awareness training historically taught employees to spot. Current training must focus on structural indicators — unexpected requests, urgency, links that do not match the displayed text, login pages with slightly wrong domains — rather than surface-level text quality.

Spear Phishing: When Attackers Do Their Research

Spear phishing is phishing with a named target. Rather than mass distribution, attackers research a specific individual — their role, their colleagues, their recent professional activities, their social media presence — and craft a message that appears to come from someone the target knows or trusts in a context that is relevant to their actual work.

A spear phishing email to a finance manager might reference a specific vendor by name and an invoice that matches a real project. An email to an IT administrator might reference a recent system upgrade and request credential verification. These attacks are significantly harder to identify because they lack the generic quality of mass phishing campaigns. Organizations that handle sensitive data, financial transactions, or government systems are primary spear phishing targets.

Quishing: The Attack Your Email Filter Cannot See

Quishing — QR code phishing — is the newest and least-trained-for variant, and it represents a fundamental bypass of traditional email security tools. The attack is straightforward: an email contains a QR code image rather than a clickable link. The message asks the recipient to scan the code with their phone to complete a task — verify an account, access a document, confirm a delivery.

Traditional email security tools scan URLs embedded in email text and HTML. They cannot inspect where a QR code image resolves to. The malicious URL exists only inside an image file, which security scanners treat as opaque. This means quishing emails pass through filters that would catch the same URL delivered as plain text.

The Phone Problem

Quishing has an additional advantage for attackers: when a target scans the QR code with their phone, they are redirected to the malicious site on a personal mobile device. Most personal devices lack the endpoint security controls, monitoring, and managed browser configurations that corporate laptops have. The entire attack plays out in an environment with fewer defensive layers.

Training employees to treat QR codes in emails with the same skepticism they apply to links — verifying the source before scanning, never scanning QR codes in unexpected emails, and confirming requests through known channels — is the foundational defense against quishing. This requires explicit training; most employees have no intuitive model for QR codes as a security threat.

Updating Your Training for 2026 Threats

The Texas Cyber Command (TXCC) FY 2026-27 training requirements explicitly mandate coverage of phishing, spear phishing, and QR code attacks — recognizing that these threats have become standard enough to require organizational-level training responses. For any organization, the practical takeaway is the same: if your current security awareness training does not cover quishing and AI-enhanced spear phishing, it is out of date for the current threat environment.

Ready to strengthen your team's security awareness? Contact EncryptedTechnology to learn about our training programs.

Phishing awareness training

Train your team on all three threat variants

Our threat awareness curriculum covers phishing, spear phishing, and quishing with scenario-based training built for 2026 attack patterns.