← Back to Blog
Trending January 21, 2026 5 min read

QR Code Scams in Emails: The Rise of Quishing

Cybercriminals have found a clever way to bypass email security: embedding malicious links in QR codes. Here's why "quishing" is the fastest-growing email threat.

You've probably scanned hundreds of QR codes — at restaurants, for payments, at events. We've been trained to trust them. And that's exactly what scammers are counting on.

What is Quishing?

Quishing (QR + phishing) is a type of attack where criminals embed malicious URLs in QR codes within emails. When you scan the code with your phone, you're taken to a phishing site designed to steal your credentials or install malware.

Why it works: Traditional email security scans links in the email body. But QR codes are just images — the malicious URL is hidden inside and often goes undetected.

Why Quishing is Exploding in 2026

  • Bypasses security filters — Email scanners can't easily read URLs inside images
  • Moves the attack to mobile — Your phone has fewer security protections than your computer
  • Exploits trust — We're conditioned to scan QR codes without thinking
  • Creates urgency — "Scan to verify your account" seems legitimate

Common Quishing Scenarios

1. Fake Microsoft/Google Login

"Your authentication is expiring. Scan the QR code below to verify your identity and maintain access to your account."

The QR code leads to a convincing fake login page that captures your credentials.

2. Package Delivery Scam

"We couldn't deliver your package. Scan to reschedule delivery or it will be returned."

Links to a page asking for personal information or a small "redelivery fee" payment.

3. HR/IT Department Requests

"New company policy requires multi-factor authentication. Scan to set up your authenticator app."

Particularly effective in corporate environments where employees expect IT communications.

4. Parking/Traffic Tickets

"You have an unpaid parking violation. Scan to pay now and avoid additional penalties."

Creates urgency and seems official, leading to fake payment pages.

How to Protect Yourself

Before Scanning Any QR Code in an Email

  1. Stop and think — Would this company really send a QR code?
  2. Verify the sender — Check the email address carefully
  3. Go direct — Type the company's URL directly instead of scanning
  4. Use a QR scanner with preview — Many phone cameras now show the URL before opening
Pro tip: If you must scan a QR code, use your phone's native camera app. Most modern phones will show you the URL before opening it. Never scan with third-party apps that auto-open links.

Red Flags in QR Code Emails

  • Unexpected QR codes from services you use
  • Urgency to scan "immediately" or face consequences
  • QR code is the only way to take action (no regular link provided)
  • Request to enter sensitive information after scanning
  • Generic greeting ("Dear Customer") instead of your name

What Companies Are Doing Wrong

Unfortunately, some legitimate companies do send QR codes in emails for things like:

  • Event tickets and boarding passes
  • Two-factor authentication setup
  • App download links
  • Payment confirmations

This makes it harder to distinguish legitimate emails from scams. If you're a business, consider avoiding QR codes in emails altogether — it trains customers to trust a dangerous behavior.

What To Do If You've Scanned a Suspicious QR Code

  1. Don't enter any information — Close the page immediately
  2. Check the URL — Does it match the real company's domain?
  3. If you entered credentials — Change your password immediately
  4. Enable 2FA — Add an extra layer of protection
  5. Monitor your accounts — Watch for suspicious activity

Let Us Help

If you receive an email with a QR code and you're not sure if it's legitimate, forward the entire email to us:

We'll analyze the sender authentication, check the email for known phishing patterns, and give you a clear verdict.