🤖 AI Summary
QR code phishing (Quishing) attacks are escalating, yet existing black-box detection methods suffer from poor interpretability, opacity, and irreproducibility.

Method: This paper proposes the first explainable classification framework for Quishing detection based on intrinsic QR code structural features. We construct a high-quality dataset of 400,000 samples and design a lightweight algorithm to extract 24-dimensional layout-structural features (such as module arrangement, alignment pattern distribution, and finder/separator geometry), feeding them into interpretable machine learning models. The approach avoids end-to-end deep learning, ensuring full transparency, auditability of decision biases, and practical deployability.

Contribution/Results: Evaluated on mobile devices, our method achieves 83.18% classification accuracy, significantly outperforming state-of-the-art black-box baselines, while providing human-understandable rationales for each prediction. It establishes a new paradigm for Quishing defense that jointly satisfies operational utility and algorithmic transparency.
📝 Abstract
Globally, individuals and organizations employ Quick Response (QR) codes for swift and convenient communication. Leveraging this, cybercriminals embed falsified and misleading information in QR codes to launch various phishing attacks, termed Quishing. Many earlier studies have introduced defensive approaches to preclude Quishing, such as classifying the embedded content of QR codes and then labelling the QR codes accordingly, whereas other studies classify them using visual features (i.e., deep features, histogram density analysis features). However, these approaches mainly rely on black-box techniques, which do not clearly provide the interpretability and transparency needed to fully comprehend and reproduce the intrinsic decision process; they therefore have certain obvious limitations, including the approaches' trust, accountability, issues in bias detection, and many more. We propose QRïS, the pioneer method to classify QR codes through comprehensive structural analysis of a QR code, which helps to identify phishing QR codes beforehand. Our classification method is clearly transparent, which makes it reproducible, scalable, and easy to comprehend. First, we generated a QR code dataset (i.e., 400,000 samples) using recently published URL datasets [1], [2]. Then, unlike black-box models, we developed a simple algorithm to extract 24 structural features from the layout patterns present in QR codes. Later, we trained machine learning models on the harvested features and obtained an accuracy of up to 83.18%. To further evaluate the effectiveness of our approach, we performed a comparative analysis of the proposed method with relevant contemporary studies. Lastly, for real-world deployment and validation, we developed a mobile app, which demonstrates the feasibility of the proposed solution in real-world scenarios and strengthens the applicability of the study.
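What structure-only feature extraction from a QR module grid can look like, as an added example that is not code from the paper: the six features, the function names and the constructed sample grid below are assumptions for illustration, not the 24 features QRïS extracts.

```python
import random

# 7x7 finder pattern defined by the QR symbology (1 = dark module).
FINDER = ["1111111", "1000001", "1011101", "1011101",
          "1011101", "1000001", "1111111"]

def build_sample(size=21, seed=7):
    """Constructed sample: a version-1-sized grid with finder, separator and
    timing patterns; all other modules are pseudo-random filler, not a payload."""
    rng = random.Random(seed)
    m = [[rng.randint(0, 1) for _ in range(size)] for _ in range(size)]
    for top, left in ((0, 0), (0, size - 7), (size - 7, 0)):
        br, bc = min(top, size - 8), min(left, size - 8)
        for r in range(8):                      # clear 8x8 block (finder + separator)
            for c in range(8):
                m[br + r][bc + c] = 0
        for r in range(7):                      # draw the finder itself
            for c in range(7):
                m[top + r][left + c] = int(FINDER[r][c])
    for i in range(8, size - 8):                # timing patterns: dark on even index
        m[6][i] = m[i][6] = 1 - i % 2
    return m

def finder_ok(m, top, left):
    """True when the 7x7 block at (top, left) matches the finder pattern exactly."""
    return all(m[top + r][left + c] == int(FINDER[r][c])
               for r in range(7) for c in range(7))

def extract_features(m):
    """Illustrative structural features computed without decoding the payload."""
    size = len(m)
    if size < 21 or (size - 17) % 4 or any(len(row) != size for row in m):
        raise ValueError("grid is not a valid QR symbol size")
    timing = [m[6][i] for i in range(8, size - 8)]
    half = size // 2

    def density(rows, cols):
        cells = [m[r][c] for r in rows for c in cols]
        return round(sum(cells) / len(cells), 4)

    return {
        "version": (size - 17) // 4,            # symbol side length is 17 + 4 * version
        "finders_intact": sum(finder_ok(m, t, l)
                              for t, l in ((0, 0), (0, size - 7), (size - 7, 0))),
        "timing_alternates": all(a != b for a, b in zip(timing, timing[1:])),
        "dark_ratio": density(range(size), range(size)),
        "bottom_right_density": density(range(half, size), range(half, size)),
        "row_transitions": sum(a != b for row in m for a, b in zip(row, row[1:])),
    }
```

Each value is a plain, inspectable number or flag, so a feature vector of this kind can be fed to an interpretable model such as a decision tree and audited per prediction.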