We are seeing a new phishing scam that targets employees using fake HR calendar invitations and QR codes. The goal is to trick users into scanning a malicious QR code that leads to a fake website designed to steal login credentials or install malware.

Because these messages look like legitimate HR updates and even reference real‑sounding policy changes, they can be easy to fall for. Please review the information below and share it with your team.


What the Scam Looks Like

Victims receive a calendar invite or email that appears to come from an internal address or a trusted partner. The message:

  • Uses a subject line related to HR or policy updates (e.g., “Updated Employee Handbook” or “Meeting Invitation”).
  • Claims to attach an updated employee handbook that becomes effective on a specific date (for example, December 16, 2025).
  • Lists “key changes” that sound legitimate, such as:
    • Paid Jury Duty
    • Paid Bereavement Leave
    • Changes to Paid Vacation / Commencement dates for earning vacation
  • Mentions an acknowledgment page that must be signed and returned “at your earliest convenience.”
  • Then instructs you to scan a QR code to view the document:

“To view the document, scan the QR code ‘below’ for easy access.”

  • Is “signed” by HR, for example:

“If you have any questions, please do not hesitate to contact the HR Department.
Thank you, Impress computers HR Team – December 16, 2025”

In some cases, the message is wrapped in a green “NOTICE: This sender is safe” banner or similar text, trying to create a false sense of security.


Why This Is Dangerous

The QR code does not lead to a legitimate handbook.

Instead, it typically sends you to a malicious website that may:

  • Imitate a Microsoft 365, Google Workspace, or company login page to steal your username and password.
  • Attempt to install malware or remote‑access tools on your device.
  • Harvest personal or company data.

Once attackers have your credentials, they can:

  • Access company email and files.
  • Impersonate you to other staff, clients, or vendors.
  • Launch additional scams, wire fraud, and data‑theft attacks.

Red Flags to Watch For

Even when a message looks professional, watch for these warning signs:

  1. Unexpected HR update or calendar invite
    • You were not expecting a new handbook or policy change.
    • HR normally announces changes in a different way (intranet, HR portal, direct email, etc.).
  2. Pressure to act quickly or “sign and return”
    • Language pushing for urgent review and signature without prior notice.
  3. QR code required to view a document
    • Legitimate HR teams rarely require you to scan a QR code from an email or calendar invite to view critical documents.
    • Official handbooks are typically shared via the company intranet, secure HR portal, or a clearly identified internal email link.
  4. Mismatch between sender and message
    • The invite may come from a generic or external‑looking address (e.g., a booking or service account) but claim to be HR.
    • The domain might look slightly off or unfamiliar.
  5. Too much detailed HR content presented out of the blue
    • The scam message may reference real‑sounding sections like:
      • Equal Employment Opportunity
      • Non‑Harassment / Sexual Harassment
      • Drug and Alcohol‑Free Workplace
      • Workplace Violence
      • Prohibited Conduct
    • This is done to make the message look like a legitimate handbook summary.

What You Should Do If You Receive a Message Like This

  1. Do NOT scan the QR code.
    • Treat all unexpected QR codes the same way you treat suspicious links.
  2. Do NOT click any links or open unknown attachments.
    • Avoid interacting with the message until it is verified.
  3. Verify through official channels.
    • Contact your HR department or IT helpdesk using a known phone number or official email address (not by replying to the suspicious message).
    • Ask: “Did you send an updated handbook with a QR code?”
  4. Report the message.
    • Use your company’s “Report Phishing” button if available.
    • Forward the message to your IT/security team following your internal process.
  5. If you already scanned the QR code or entered credentials:
    • Immediately change your password for the affected account(s).
    • Enable multi‑factor authentication (MFA) if it is not already enabled.
    • Contact IT/security right away so they can check for unauthorized access and reset sessions.

How We Will Send Legitimate HR Handbooks and Policy Updates

To help you distinguish real communications from scams, please note:

  • We will not require you to scan a QR code from a random email or calendar invite to access core HR documents.
  • Official handbook updates and policies will be:
    • Announced via our standard HR communication channels, and/or
    • Posted on our official intranet/HR portal, and/or
    • Sent directly from clearly identified company HR/IT addresses.
  • If a signature or acknowledgment is required, it will be handled through our official HR system or a clearly designated, known process.

If you are ever unsure about a message, assume it may be malicious until verified.


Best Practices for Staying Safe from QR Phishing (“Quishing”)

  • Think before you scan. Only scan QR codes from trusted, verified sources.
  • Preview the URL (most mobile devices show the URL before opening it). If the address looks strange, misspelled, or unrelated to the company, cancel.
  • Use company‑approved apps and portals to access HR, payroll, and benefits information—avoid shortcuts from emails and texts.
  • Keep your devices updated with the latest security patches and antivirus protection.
  • Enable multi‑factor authentication (MFA) on all business accounts where possible.
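For the IT/security team that receives reports of these invites, the red flags above (red flag 4, "the domain might look slightly off", and the "preview the URL" advice) can be turned into a quick triage check. The script below is an added example, not part of this bulletin or any vendor tool. It assumes the URL has already been decoded from the QR code (by a phone's camera preview or the team's own tooling) and that the company domain, approved portal hosts, shortener list and sample messages are placeholders you replace with your own.

```python
"""Triage helper for URLs decoded from QR codes in reported HR-themed invites.

Constructed assumptions (replace with real values): the organization's domain,
the hosts of its approved HR/identity portals, and a short list of URL
shorteners. The sample URLs and sender addresses in main() are made up.
"""
from urllib.parse import urlsplit

COMPANY_DOMAIN = "example-corp.com"                      # placeholder
APPROVED_HOSTS = {                                       # placeholders
    "hr.example-corp.com",
    "intranet.example-corp.com",
    "login.microsoftonline.com",
}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}  # illustrative


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as c0rp vs corp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule; adequate for .com-style domains (assumption)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_qr_url(url: str, sender_address: str) -> list:
    """Return a list of red-flag labels for a decoded QR URL and its sender."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = COMPANY_DOMAIN.split(".")[0]

    if parts.scheme != "https":
        flags.append("not-https")
    if host in SHORTENER_HOSTS:
        flags.append("url-shortener")          # hides the real destination
    if host not in APPROVED_HOSTS:
        flags.append("host-not-approved")
        dom = registrable_domain(host)
        # Near-miss spelling of our own domain: a classic lookalike
        if dom != COMPANY_DOMAIN and edit_distance(dom, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        # Our brand used as a subdomain or label on someone else's domain
        if brand in host and dom != COMPANY_DOMAIN:
            flags.append("brand-in-foreign-host")

    sender_domain = sender_address.rsplit("@", 1)[-1].lower()
    if registrable_domain(sender_domain) != COMPANY_DOMAIN:
        flags.append("external-sender")        # claims HR, sent from outside
    return flags


def verdict(flags: list) -> str:
    """Map the flag list onto the bulletin's advice: verify before touching it."""
    return "looks-internal" if not flags else "do-not-scan: verify with HR/IT"


if __name__ == "__main__":
    # Constructed sample reports, not real messages
    samples = [
        ("https://hr.example-corp.com/handbook/2025", "hr@example-corp.com"),
        ("https://example-c0rp.com/handbook", "bookings@calendar-service.test"),
        ("http://bit.ly/abc123", "hr@example-corp.com"),
        ("https://example-corp.com.login-portal.test/ack", "hr@example-corp.com"),
    ]
    for url, sender in samples:
        f = triage_qr_url(url, sender)
        print(f"{url}\n  from {sender}\n  flags={f} -> {verdict(f)}")
```

A clean result only means the link points at an approved host; it does not prove the message is genuine, so the bulletin's instruction to confirm with HR through a known contact still applies.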

Questions or Concerns?

If you receive a suspicious HR‑related email or calendar invite, especially one asking you to scan a QR code to view a handbook or policy update:

  • Do not interact with it.
  • Contact our IT/Helpdesk or HR department directly using known contact details.

Your caution is a critical part of keeping our organization and client data secure.