QR Code Scams: What They Are and How to Protect Your Business

Article Summary: A QR code scam, sometimes called quishing, hides a malicious web link inside a QR code. Because the link is buried in an image instead of written as text, it slips past the email filters that normally catch bad links, and scanning the code usually moves the victim onto a personal phone that sits outside the company’s security. Microsoft reported a 146% rise in QR code phishing during the first quarter of 2026.

QR codes are part of normal business now.

You scan them to see a menu, pay for parking, connect to Wi-Fi, or open a shared document.

 Attackers know that, and they have started hiding malicious links inside QR codes to get past the security tools that would normally catch a bad link in an email.

The technique has a name, quishing, and it works because a QR code is just an image.

Your email filter reads text, so a link encoded into a QR code can pass straight through. When you scan it, you usually do so on your phone, which sits outside most of the protection your work computer has.

This post covers what a QR code scam is, why it gets past your security, what the common ones look like, and the habits that protect your business.

What is a QR code scam?

A QR code scam is a phishing attack that uses a QR code in place of a written link.

Instead of a clickable URL your email security can inspect, the attacker encodes the web address into a square image.

You scan it with your phone camera, your phone opens the link, and you land on a page built to steal your login or your payment details.

The page on the other end is the same kind of fake you would see in any phishing attack, a login screen made to look like Microsoft 365 or a payment form that copies your bank. The QR code is only the delivery method that gets you there.

Why QR code scams get past your security

Two things make these scams effective.

First, the malicious link is hidden inside an image.

Most email security tools scan the text of a message for known bad links. A QR code is a picture, so the link inside it is not text the filter can read.

The UK’s National Cyber Security Centre points out that not all phishing-detection tools scan images, which is the reason criminals started using QR codes to disguise their links in the first place.

Second, scanning a code moves you onto your phone.

Your work computer probably has web filtering, endpoint protection, and DNS controls that block known bad sites.

Your personal phone usually has none of that. So the moment you scan, you step outside the protection your business pays for, often without realizing it happened.

How common are QR code scams?

The volume is climbing fast. In its report on email threats for the first quarter of 2026, Microsoft said it detected around 8.3 billion email-based phishing threats in those three months.

QR code phishing rose 146% across the quarter, from 7.6 million attacks in January to 18.7 million in March.

By the end of the quarter it had reached its highest monthly volume in at least a year.

Microsoft also found that most of these attacks arrived as PDF attachments, growing from 65% of QR code attacks in January to 70% in March.

The QR code sits inside a PDF, the PDF is attached to an email, and the whole thing looks like an ordinary document until someone scans it.

What QR code scams look like

These are the QR code scams that come up most often.

  • A “security” email. You get a message that looks like it is from Microsoft or your IT team, telling you to scan a code to re-enroll your multi-factor authentication or keep your account active. The code leads to a fake login page.
  • A shared document. An email says a colleague or client has shared a file, and you need to scan the code to view it. The page asks you to sign in first.
  • A fake invoice. A PDF invoice includes a QR code “to pay faster.” The code routes your payment to the attacker.
  • A delivery notice. A text or email about a missed package asks you to scan a code to reschedule. The US Federal Trade Commission has warned about this exact scam.
  • A sticker in the real world. Attackers print QR code stickers and place them over legitimate ones on parking meters, posters, and payment terminals. You think you are paying for parking, and instead you are handing your card details to a stranger.

How to protect your business from QR code scams

Protecting yourself against Quishing comes down to a few habits:

  • Be suspicious of QR codes in emails. A code that arrives by email, especially one that asks you to log in or pay, deserves the same caution as a strange link. The NCSC’s advice is to be wary of scanning QR codes inside emails, even though codes in places like restaurants are usually fine.
  • Check the web address before you act. When you scan a code, your phone shows the link before it opens. Read it. If the address is not the official site you expected, close it.
  • Go direct instead of scanning. If an email says your Microsoft account needs attention, open your browser and type the address yourself, or use a bookmark. Don’t rely on the code to take you to the right place.
  • Watch for urgency. Messages that threaten account closure or a fine “within 24 hours” are trying to rush you past your own judgment. That pressure is itself a warning sign.
  • Use phishing-resistant MFA. If a scam does capture a password, phishing-resistant multi-factor authentication (a passkey, a hardware key, or number-matching in an authenticator app) makes that password much harder to use.
  • Check physical codes for tampering. Before scanning a code on a parking meter or payment terminal, look for a sticker placed over the original.
  • Tell your team. Most people have never been warned about QR code scams. Send your staff a short message with a real example so they know what to watch for.

What to do if someone already scanned one

If you or someone on your team scanned a QR code and entered details on the page that opened:

  1. Change the password for that account right away, along with any other account that used the same password.
  2. Confirm multi-factor authentication is turned on for the account.
  3. Tell whoever manages your IT, so they can check for unusual sign-ins.
  4. If card or banking details were entered, call the bank and watch the account closely.

Acting quickly limits what an attacker can do with the details they captured.

Frequently Asked Questions

Are QR codes safe to use?

Most QR codes are safe. A code on a restaurant table or an official payment terminal is usually fine. The risk comes from codes sent in unexpected emails or texts, and from stickers placed over real codes in public. Treat those with caution.

What is quishing?

Quishing is phishing that uses a QR code instead of a written link. The word combines “QR” and “phishing.” The goal is the same as any phishing attack: to get you onto a fake page that captures your login or payment information.

Can antivirus or email filters stop QR code scams?

Not always. Many email security tools scan the text of a message for bad links, and a QR code hides its link inside an image, so it can slip through. Some products now scan images for codes, but you should not assume the scam will be caught before it reaches you.

Why is a QR code in an email more dangerous than a normal link?

A written link can be inspected by your email security and opened on a managed work computer. A QR code hides the link from those tools and pushes you to scan with your phone, which usually has far less protection than your work device.

What should I do if I scanned a scam QR code but didn’t enter anything?

If you closed the page without typing anything, the risk is low. Close it, don’t go back, and let your IT contact know so they can keep an eye out. If you did enter a password or payment details, follow the recovery steps above.

Featured Image Credit