QR codes are everywhere—on posters, packaging, menus, and increasingly, in our inboxes. They’re convenient: point your phone, tap, and you’re taken straight to a website or login page.

That same convenience is exactly why attackers are using QR codes to steal passwords and take over accounts, a technique sometimes called "quishing".

Recently, we handled an incident that shows just how effective, and how dangerous, QR-code phishing can be.


A Real-World Incident: One Scan, One Fake Login, Real Risk

An employee at a client organization received an email that looked legitimate. It claimed they needed to log in to view an important document and included a QR code to “securely” access it.

Here’s what happened next:

  1. The employee scanned the QR code using their phone.
  2. The QR code opened a login page that looked familiar and trustworthy.
  3. The employee entered their work email and password on that page.

Unbeknownst to them, the login page was fake and controlled by attackers. By scanning the QR code and signing in, they had just handed over valid credentials.

Within minutes, our security systems detected:

  • High-risk sign-ins against the employee’s account from an unexpected location (a different state from the one the employee works in).
  • Successful sign-ins to Office 365 / Exchange Online using the stolen username and password.
  • A session in which multi-factor authentication (MFA) was recorded as already satisfied, so the attacker could reach the mailbox without triggering a fresh MFA prompt. An MFA claim that is already present on the attacker’s first sign-in is what a phishing page produces when it relays the login to the real service in real time and captures the resulting session token, rather than just collecting the password.

Our security team immediately:

  • Revoked all active sessions for the account, invalidating the attacker’s refresh tokens and browser sessions. Access tokens already issued stay valid until they expire (roughly an hour by default), which is one reason the remaining steps cannot wait.
  • Reset the user’s password.
  • Reset and re-registered MFA for the user, which also removes any authentication method an attacker might have added.
  • Reviewed inbox rules and forwarding settings on the mailbox, the usual places an attacker plants a hidden backdoor to keep receiving mail after the password changes.
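The triage and containment described above, as an added example in Microsoft Graph PowerShell and Exchange Online PowerShell. This is not the script used in the incident, and the user principal name, the employee’s home state and the look-back window are assumed placeholders. It pulls the account’s recent sign-ins from the beta sign-in endpoint (which exposes the per-step authentication detail), flags the three indicators listed above, and then performs the four containment steps in an order that closes the attacker’s session before anything else:

```powershell
# Added example: triage and contain a credential-phished Entra ID / Exchange Online account.
# Not the script from the incident. Requires the Microsoft.Graph, Microsoft.Graph.Beta.Reports
# and ExchangeOnlineManagement modules. The UPN, home state and look-back window are assumed placeholders.
param(
    [string]$Upn           = 'user@example.com',   # assumed: the affected account
    [string]$HomeState     = 'Ohio',               # assumed: where the employee normally signs in from
    [int]   $LookbackHours = 24
)

Connect-MgGraph -Scopes 'AuditLog.Read.All','User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Triage: pull recent sign-ins and flag the indicators from the incident ---
$since   = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-dd\THH:mm:ss\Z')
$filter  = "userPrincipalName eq '$Upn' and createdDateTime ge $since"
$signIns = Get-MgBetaAuditLogSignIn -Filter $filter -All   # beta endpoint: includes AuthenticationDetails

$suspicious = foreach ($s in $signIns) {
    $success    = ($s.Status.ErrorCode -eq 0)
    $unexpected = ($s.Location.State -ne $HomeState)
    $risky      = ($s.RiskLevelDuringSignIn -notin @('none', 'hidden', $null))
    # "MFA requirement satisfied by claim in the token" means no fresh MFA prompt was issued:
    # the session already carried the MFA claim, which is what a token-capturing phishing page yields.
    $mfaByClaim = $s.AuthenticationDetails | Where-Object {
        $_.AuthenticationStepResultDetail -like '*satisfied by claim in the token*'
    }
    if ($success -and ($unexpected -or $risky -or $mfaByClaim)) {
        [pscustomobject]@{
            Time       = $s.CreatedDateTime
            IP         = $s.IPAddress
            Location   = "$($s.Location.City), $($s.Location.State), $($s.Location.CountryOrRegion)"
            Risk       = $s.RiskLevelDuringSignIn
            App        = $s.AppDisplayName
            MfaByClaim = [bool]$mfaByClaim
        }
    }
}
$suspicious | Sort-Object Time | Format-Table -AutoSize

# --- 2. Contain, in this order ---
# Revoke refresh tokens and browser sessions first. Access tokens already issued stay valid
# until they expire (roughly an hour by default), so do not stop here.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# Reset the password to a random value and force a change at next sign-in.
$newPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }

# Remove every registered MFA method so the user re-registers from a known-good device;
# this also removes any method an attacker may have added. (The password method cannot be removed.)
foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $m.Id }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $m.Id }
    }
}

# --- 3. Hunt for mailbox persistence: inbox rules and forwarding ---
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-Table -AutoSize
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List
```

Run it from an account holding the listed Graph scopes and an Exchange Online admin role. The sign-in review comes first only so the output is captured before the session revocation changes the picture; in a live response the revocation is the first action once compromise is confirmed.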

The incident was contained, but only after a serious risk had been introduced—all from scanning one QR code.


Why QR-Code Phishing Works So Well

QR-code attacks are effective for several reasons:

1. They Hide the Destination

Employees are used to being cautious with links in email: hovering over them or reading the URL. A QR code gives no such clue. You scan first and only see the address after you have already engaged, usually in a brief preview on a small screen. Email security filters have the same problem: unless they decode QR images, the destination is never in the list of links they inspect or rewrite.

2. They Push Users to Mobile Devices

QR codes are typically scanned with a phone, not a work computer. That matters because:

  • Phones are often personal devices that IT does not manage.
  • Mobile browsers truncate the address bar, often to the bare domain, so a look-alike address is harder to spot.
  • Link scanning and endpoint protection on corporate PCs never see the request, because the phone makes it.

3. They Borrow a Sense of Legitimacy

A QR code in an email can be framed as a “secure” or “modern” way to log in or verify identity, echoing the QR-based flows legitimate services really do use for MFA enrollment and device sign-in. That false sense of security can override a user’s normal caution.


The Extra Risk from Unmanaged Phones

In this incident, the QR code was scanned with a phone that was not enrolled in any mobile device management (MDM) system such as Microsoft Intune.

This creates several problems:

  • IT cannot enforce security policies such as approved apps, storage encryption, or a minimum OS version.
  • There may be limited or no visibility into what happens on the device.
  • Conditional Access policies that key on device state (e.g., “only allow sign-ins from compliant devices”) can only help if they exist and are set to block; without one, nothing about the device stands in the way of the sign-in.

In other words, moving the login process from a secured, monitored corporate device to an unmanaged personal phone gave the attacker a major advantage.
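A device-based Conditional Access policy of the kind mentioned above, as an added example in Microsoft Graph PowerShell; it is not the client’s actual policy, and the emergency-access group ID and the user principal name are assumed placeholders. It requires a compliant (Intune-enrolled) or hybrid-joined device for Office 365 workloads and starts in report-only mode so the effect on real sign-ins can be reviewed before anyone is blocked. Such a policy is also the standard defence against the stolen-session pattern seen in this incident: a captured session replayed from the attacker’s own machine cannot present a compliant device, so the token request for Exchange Online fails even though the MFA claim is present.

```powershell
# Added example: create a Conditional Access policy that requires a compliant (Intune-enrolled) or
# hybrid-joined device for Office 365 workloads. Not the client's actual policy. The emergency-access
# group ID and the UPN are assumed placeholders. Starts in report-only mode so the effect on real
# sign-ins (including ones from unmanaged phones) can be reviewed before anyone is blocked.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','AuditLog.Read.All' -NoWelcome

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # assumed: group holding emergency-access accounts
$Upn               = 'user@example.com'                       # assumed: a user whose sign-ins to review

$policy = @{
    displayName = 'Require compliant or hybrid-joined device for Office 365'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' once report-only results look right
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)       # never lock out the emergency-access accounts
        }
        applications = @{
            includeApplications = @('Office365')        # built-in target covering Exchange Online, SharePoint, Teams
        }
        clientAppTypes = @('all')                       # browsers, desktop clients, and mobile apps alike
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After some traffic has flowed, see what the policy would have done. A stolen session replayed from
# the attacker's own machine, or a sign-in from an unmanaged personal phone, shows up as reportOnlyFailure.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 20 | ForEach-Object {
    $hit = $_.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policy.displayName }
    [pscustomobject]@{
        Time             = $_.CreatedDateTime
        App              = $_.AppDisplayName
        Device           = $_.DeviceDetail.DisplayName
        Compliant        = $_.DeviceDetail.IsCompliant
        ReportOnlyResult = $hit.Result
    }
} | Format-Table -AutoSize
```

Leave the policy in report-only mode until the review shows only the sign-ins you expect as reportOnlyFailure (unmanaged personal phones and any replayed sessions), then switch the state to enabled. The emergency-access exclusion is not optional: a policy that requires a device you cannot currently enroll will otherwise lock administrators out along with the attacker.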


Key Lessons for Employees

This incident highlights several important lessons that apply to everyone:

1. Do Not Scan QR Codes from Unexpected Emails

Treat QR codes in email the same way you would treat a suspicious link—or even more cautiously.

  • If you receive a QR code by email or message, assume it is high risk by default.
  • Especially be wary if it asks you to log in, reset a password, or verify your identity.

2. Do Not Trust Login Pages Opened from QR Codes

Even if a login page looks like Microsoft 365, Google, or your corporate portal, appearance can be faked.

  • Always check the web address (URL) carefully.
  • If something looks slightly off—spelling, layout, or domain name—do not enter your password.
  • When in doubt, navigate manually in your browser (e.g., type in office.com) instead of trusting the page a QR code opens.

3. Be Extra Careful on Your Phone

Mobile devices are convenient, but they are also a favorite target:

  • Avoid logging into corporate services from personal or unmanaged phones when possible.
  • If your organization offers a company-managed or enrolled mobile device, use that for work accounts.
  • Remember: mobile screens make it harder to inspect URLs and security indicators.

4. Contact IT or Security When Something Feels Off

Security is a team effort. If you see:

  • An email with a QR code that seems unusual or urgent
  • A login page that just “doesn’t feel right”
  • Unexpected prompts to sign in or approve MFA (an approval request you did not trigger means someone else already has your password)

Stop and reach out to your IT or security team before taking action. It is always better to ask a quick question than to recover from a compromised account.


Best Practices to Stay Safe from QR-Code Phishing

Here are practical steps every employee can follow:

  • Do not scan QR codes from unsolicited or unexpected emails or messages.
  • Never enter your work credentials on a page opened from a QR code without verifying the source.
  • Use only approved, managed devices for accessing corporate email and applications when possible.
  • Report suspicious emails—especially those containing QR codes—to your IT or security team immediately.
  • If you think you may have entered your credentials on a suspicious page, contact IT at once so they can reset your password, review recent sign-ins, and protect your account.

Final Thoughts: A Moment of Caution Goes a Long Way

QR codes are not inherently unsafe—but in the hands of attackers, they become a powerful tool for bypassing familiar defenses and tricking users into lowering their guard.

In the incident above, quick detection and response prevented a more serious compromise. But the risk arose from a single action: scanning a QR code and logging in without verifying the source.

Your vigilance is one of the most important layers of security your organization has.

Think before you scan.
If you are ever unsure, stop and ask your IT or security team first.