Last updated: July 2026 · By the susQR security team · Part of the quishing guide
Quick answer: An unexpected email that asks you to scan a QR code is almost always phishing. Legitimate services send links, not QR codes — attackers use QR codes because email filters can't read URLs hidden in images, and scanning moves you to your unprotected phone. Don't scan it with your camera: upload a screenshot to susQR instead, and it will reveal the destination and check it against 90+ security vendors first.
Why email quishing works so well
Email QR phishing exploded because it beats the defenses that stop ordinary phishing:
- Link scanners can't see it. Security gateways rewrite and check text URLs — but a URL encoded in a QR code image passes straight through. In 2026, attackers went a step further and began hiding QR codes inside PDF attachments, which also dodges link-rewriting and many sandboxes (Hoxhunt, 2026). ZenSec counted 1.7 million unique malicious QR codes in email attachments across 2025 alone.
- It jumps the security boundary. You read the email on a protected work laptop, but you scan the code with your personal phone — which has no corporate web filtering, no EDR, and a small screen that truncates suspicious URLs.
- The lure feels routine. IT departments really do send MFA enrollment QR codes, which is exactly why fake ones work.
The 4 most common email quishing lures
- Fake MFA enrollment / password expiry — impersonates Microsoft 365 or Google Workspace: "Your authenticator expires today — scan to re-enroll." Roughly 67% of enterprise quishing targets Microsoft 365 and Google Workspace credentials (Cofense). The fake login page steals your password and your session token, defeating MFA.
- "Review this document" — a shared-file notification (DocuSign, SharePoint, Adobe) where the QR code supposedly opens the document.
- HR and payroll bait — benefits enrollment, bonus letters, or updated org charts timed to open-enrollment season.
- Voicemail and fax notifications — "You have 1 new voicemail — scan to listen," an old lure refreshed with a QR code.
Red flags in a QR code email
- Any request to scan a QR code to log in, verify, or re-enroll — real providers do this inside their apps, not by email
- Urgency: "expires in 24 hours," "account will be suspended"
- The QR code is inside a PDF or image attachment rather than the email body
- Generic greeting, mismatched sender domain, or a reply-to that differs from the display name
- The email is the only notice — your provider's own app or portal shows nothing
How to check a QR code from an email safely
- Don't scan it with your phone's camera — that opens the link instantly with no checks.
- Take a screenshot of the email (or save the attachment image) and upload it to susQR. You'll see the decoded URL, the full redirect chain, and a verdict from 90+ security vendors before anything opens.
- If the email claims to be from your provider, go there directly — type the address or use the official app. If nothing needs your attention there, the email was fake.
- At work, report it to IT/security — quishing campaigns usually hit many mailboxes at once.
For businesses: defending against email quishing
People
- Add QR code lures to phishing-simulation training — most programs still only test links
- Teach the one rule that beats most campaigns: never authenticate via a QR code that arrived by email
- Give employees a fast reporting path and a safe checking tool
Technology
- Enable image/QR analysis in your email gateway if available; Microsoft's Q1 2026 data showed a 146% rise in QR phishing, so vendors are adding it fast
- Enforce phishing-resistant MFA (FIDO2/passkeys) — fake login pages can't replay a hardware-bound credential
- Use conditional access to block logins from unexpected devices and locations
Check a suspicious email QR code right now
Screenshot the email and upload it to susQR's free scanner. We decode the QR code, follow every redirect, and check the destination against 90+ security vendors — before your phone ever opens the link.
Sources
- Microsoft Threat Intelligence: 146% rise in QR code phishing, Q1 2026
- Hoxhunt: quishing payloads shifting into PDF attachments (2026)
- ZenSec: 1.7 million unique malicious QR codes in email attachments (2025)
- Cofense Phishing Intelligence: 67% of enterprise quishing targets Microsoft 365 / Google Workspace credentials
- Check Point Research: 587% growth in QR-based phishing, 2023–2024