QR Code Phishing Emails

Why that QR code in your inbox is probably a trap — and how to check it safely

Last updated: July 2026 · By the susQR security team · Part of the quishing guide

Quick answer: An unexpected email that asks you to scan a QR code is almost always phishing. Legitimate services send links, not QR codes — attackers use QR codes because email filters can't read URLs hidden in images, and scanning moves you to your unprotected phone. Don't scan it with your camera: upload a screenshot to susQR instead, and it will reveal the destination and check it against 90+ security vendors first.

Why email quishing works so well

Email QR phishing exploded because it beats the defenses that stop ordinary phishing:

  • Link scanners can't see it. Security gateways rewrite and check text URLs — but a URL encoded in a QR code image passes straight through. In 2026, attackers went a step further and began hiding QR codes inside PDF attachments, which also dodges link-rewriting and many sandboxes (Hoxhunt, 2026). ZenSec counted 1.7 million unique malicious QR codes in email attachments across 2025 alone.
  • It jumps the security boundary. You read the email on a protected work laptop, but you scan the code with your personal phone — which has no corporate web filtering, no EDR, and a small screen that truncates suspicious URLs.
  • The lure feels routine. IT departments really do send MFA enrollment QR codes, which is exactly why fake ones work.

The 4 most common email quishing lures

  1. Fake MFA enrollment / password expiry — impersonates Microsoft 365 or Google Workspace: "Your authenticator expires today — scan to re-enroll." Roughly 67% of enterprise quishing targets Microsoft 365 and Google Workspace credentials (Cofense). The fake login page steals your password and your session token, defeating MFA.
  2. "Review this document" — a shared-file notification (DocuSign, SharePoint, Adobe) where the QR code supposedly opens the document.
  3. HR and payroll bait — benefits enrollment, bonus letters, or updated org charts timed to open-enrollment season.
  4. Voicemail and fax notifications — "You have 1 new voicemail — scan to listen," an old lure refreshed with a QR code.

Red flags in a QR code email

  • Any request to scan a QR code to log in, verify, or re-enroll — real providers do this inside their apps, not by email
  • Urgency: "expires in 24 hours," "account will be suspended"
  • The QR code is inside a PDF or image attachment rather than the email body
  • Generic greeting, mismatched sender domain, or a reply-to that differs from the display name
  • The email is the only notice — your provider's own app or portal shows nothing

How to check a QR code from an email safely

  1. Don't scan it with your phone's camera — that opens the link instantly with no checks.
  2. Take a screenshot of the email (or save the attachment image) and upload it to susQR. You'll see the decoded URL, the full redirect chain, and a verdict from 90+ security vendors before anything opens.
  3. If the email claims to be from your provider, go there directly — type the address or use the official app. If nothing needs your attention there, the email was fake.
  4. At work, report it to IT/security — quishing campaigns usually hit many mailboxes at once.

For businesses: defending against email quishing

People

  • Add QR code lures to phishing-simulation training — most programs still only test links
  • Teach the one rule that beats most campaigns: never authenticate via a QR code that arrived by email
  • Give employees a fast reporting path and a safe checking tool

Technology

  • Enable image/QR analysis in your email gateway if available; Microsoft's Q1 2026 data showed a 146% rise in QR phishing, so vendors are adding it fast
  • Enforce phishing-resistant MFA (FIDO2/passkeys) — fake login pages can't replay a hardware-bound credential
  • Use conditional access to block logins from unexpected devices and locations

Check a suspicious email QR code right now

Screenshot the email and upload it to susQR's free scanner. We decode the QR code, follow every redirect, and check the destination against 90+ security vendors — before your phone ever opens the link.

Sources

  • Microsoft Threat Intelligence: 146% rise in QR code phishing, Q1 2026
  • Hoxhunt: quishing payloads shifting into PDF attachments (2026)
  • ZenSec: 1.7 million unique malicious QR codes in email attachments (2025)
  • Cofense Phishing Intelligence: 67% of enterprise quishing targets Microsoft 365 / Google Workspace credentials
  • Check Point Research: 587% growth in QR-based phishing, 2023–2024