Phones are not as well defended against fraud as conventional computing devices like laptops. Case in point: an epidemic of "quishing" (phishing through the use of QR codes) has been plaguing both individuals and enterprise infosec pros for the past six months. In a typical quishing attack, an employee at a large enterprise receives an email with either an embedded image or a benign file attachment that contains a QR code. The social engineering aspect of the attack involves the use of targeted branding, language, logos, and other characteristics in the email (and attachment) to convince the recipient that the message is legitimate, originates within the targeted organization, and requires immediate attention.

Conventional computing hardware offers few ways, if any, to scrutinize or defend against QR codes. In a quishing attack, the attacker prompts the target to use their mobile device (inherently less well protected) to open the link the QR code points to; this usually leads to a sophisticated phishing kit capable of stealing both the credentials and the MFA token, which the attacker's automation immediately uses to log into the victim's accounts.
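As an added illustration (not code from the original article), the following mail-triage sketch checks a message for the three traits described above: a part that can carry a QR code, internal-looking branding from an external sender, and urgency wording. The organization domain, branding terms, wording list and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the defended domain, branding terms and wording list.
ORG_DOMAIN = "example.com"
ORG_NAMES = ("example corp", "it help desk")
URGENCY = re.compile(r"\b(immediately|urgent|expires?|action required)\b", re.I)
CARRIERS = ("image/", "application/pdf")  # part types that can carry a QR code

def triage(raw):
    """Return (traits, carrier_parts) for one RFC 5322 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    text, carriers = [msg.get("Subject", "")], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith(CARRIERS):
            carriers.append((ctype, part.get_filename() or "(inline)"))
        elif ctype == "text/plain":
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    traits = set()
    if carriers:
        traits.add("qr-capable part")
    if sender_domain != ORG_DOMAIN and any(n in display.lower() for n in ORG_NAMES):
        traits.add("internal branding, external sender")
    if URGENCY.search(" ".join(text)):
        traits.add("urgency")
    return traits, carriers

# Constructed sample messages (not real mail); the PNG body is a stub.
QUISH = '''From: "Example Corp IT Help Desk" <noreply@mail-notify.invalid>
Subject: Action required: MFA enrollment expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Scan the attached code with your phone to keep access.
--b1
Content-Type: image/png
Content-Disposition: attachment; filename="mfa.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
'''
BENIGN = 'From: "Alice" <alice@example.com>\nSubject: Photos\n\nSee you Thursday.\n'
```

The sketch only identifies which parts a mail gateway would need to hand to a QR decoder; it does not decode the image or judge the link the code points to.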