Employee QR Code Security Training Guide
← Back to blog

Employee QR Code Security Training Guide

A ready-to-use training framework for HR and security-awareness professionals. Five modules, a pre-scan checklist, an incident response protocol, a self-assessment quiz, and a one-page quick-reference card employees can actually use.

2026-05-28 · QRsafer Team

QR code phishing — quishing — is now the fastest-growing attack vector against corporate employees, precisely because the standard email security stack doesn't see it coming. The code arrives as an image; email scanners don't decode it; the employee scans with their phone; the malicious page loads on a device outside corporate security controls. Every organization that runs phishing awareness training needs a dedicated QR code module.

This guide gives you that module. Five sections, ready to use.


Module 1: How quishing works (plain language)

A QR code is a picture of a URL. When an employee scans it, their phone visits that URL — the same as if they had tapped a hyperlink. Attackers use this because email security systems are excellent at spotting malicious URLs in text, but most of them don't decode QR code images. So the attacker takes a phishing URL, converts it to a QR code, puts the image in an email, and sends it through. The email lands in the inbox without a warning flag. The employee scans it with their phone. Their phone opens the phishing page. The corporate network never saw any of it.

Key message for employees: A QR code in an email is a hyperlink in disguise. Treat it with exactly the same skepticism.


Module 2: The four scenarios employees encounter most

Scenario 1 — Phishing email with a QR code. The email appears to be from Microsoft, DocuSign, a bank, or a known vendor. It says something urgent: your account is locked, a document needs your signature, your password is expiring, there's suspicious activity. The QR code is the action item. The destination is a credential-harvesting page that looks exactly like the real thing. What to do: go to the official platform directly — account.microsoft.com, docusign.com, your bank's app — don't scan the code first.

Scenario 2 — Physical QR code in a shared workspace. A sticker or printed card appears near a printer, on a break-room bulletin board, at a meeting room sign-in station, or on a conference table. It says "scan to report an IT issue," "scan for the Wi-Fi password," or "scan to join the meeting." The code was placed by someone who was in the building — it could be an employee, a contractor, a visitor. What to do: if the code wasn't there before, or if the context feels unexpected, report it to IT before scanning.

Scenario 3 — QR code from a supplier or vendor. An invoice, proposal, or onboarding email from an external vendor includes a QR code for "accessing the vendor portal" or "submitting payment." Vendor impersonation with QR codes is a primary business email compromise (BEC) vector. What to do: verify the destination URL matches the vendor's known domain, and for any payment-related link, confirm banking details by phone before processing.

Scenario 4 — QR code on a delivered package or mailer. An unexpected package or printed mailer arrives and includes a QR code to "verify delivery," "rate the experience," or "claim a reward." The code may have arrived at a work address. What to do: if you weren't expecting the package or the QR code's context doesn't make sense, don't scan it.


Module 3: The five-step pre-scan checklist

Post this on office printers, in training slides, and in the IT helpdesk knowledge base.

  1. Did you expect this QR code? If it arrived unsolicited — by email, physical mail, or on an unfamiliar sign — apply extra scrutiny before scanning.
  2. Does the context make sense? A code on a restaurant menu should go to the restaurant's site. A code in a vendor email should go to the vendor's domain. If the context doesn't match what you'd expect, pause.
  3. Can you see a URL preview? On iPhone and most Android devices, holding your camera over a QR code shows a URL preview before you tap. Look at it. Does the domain match the brand?
  4. Is the domain spelled correctly? Phishing pages often use typosquatting: micros0ft.com, docusign-secure.com, amazon-verify.net. If anything looks off in the domain, don't tap.
  5. Is a scanning app flagging it? QRsafer checks the destination URL against threat intelligence and returns a Safe, Risky, or Dangerous verdict before your browser opens the page. If you're uncertain, scan with QRsafer before the camera app.

Module 4: What to do if you scanned something suspicious at work

Response speed matters. Here is the protocol:

Immediately (within minutes):

  • If you entered any credentials, close the page and do not log in again.
  • Disconnect the device from corporate Wi-Fi and switch to cellular data only.
  • Do not power off the device — IT may need the browser history.

Within 15 minutes:

  • Contact your IT helpdesk or security team using the official reporting channel (not the device you just scanned with, if possible).
  • Report the QR code source: email subject line and sender, physical location and description, or package details.

What IT security will do:

  • Force a password reset on any accounts accessed on that device.
  • Review authentication logs for the affected accounts.
  • Determine whether any data was exposed or any session was compromised.

What you should NOT do:

  • Don't try to diagnose or remediate the device yourself.
  • Don't delete the email or discard the physical material — it's evidence.
  • Don't wait to see if anything happens.

Module 5: Self-assessment quiz

Use these as a group discussion or end-of-training knowledge check.

Question 1. You receive an email from what appears to be Microsoft. It says your Microsoft 365 account will be locked in 24 hours unless you scan the QR code to verify your identity. What do you do?

  • Correct answer: Do not scan the QR code. Go to account.microsoft.com directly from your browser and check your account status. If nothing is wrong, report the email to IT as a phishing attempt.

Question 2. You walk into the office and notice a new sign near the printer that says "New print queue — scan to reconnect your device." You don't remember seeing an IT announcement about this. What do you do?

  • Correct answer: Do not scan. Notify IT via your normal helpdesk channel and ask whether the sign is legitimate. If IT didn't place it, report it immediately.

Question 3. A vendor emails your accounts payable team an invoice with a QR code that says "Scan to access the secure payment portal." The email looks authentic. What do you do?

  • Correct answer: Before processing any payment, verify the URL destination matches the vendor's known domain. Call the vendor using a phone number from official records — not the invoice — to confirm the payment details. Do not process based on the QR code alone.

Question 4. You scanned a QR code at a trade show booth. The landing page asked for your work email and you entered it before you noticed the URL looked odd. What do you do?

  • Correct answer: Report it to IT security immediately. Provide the URL, the location, and the approximate time. IT will assess whether the domain is known-malicious and monitor your email account for any phishing activity targeting your address.

One-page quick reference card

Print and post at employee workstations or include in your onboarding packet.

QR CODE SAFETY — QUICK REFERENCE

BEFORE YOU SCAN:
✓ Did you expect this QR code?
✓ Does the context make sense?
✓ Does the URL preview match the brand?
✓ Is the domain spelled correctly?
✓ Does QRsafer say it's safe?

RED FLAGS — DON'T SCAN:
✗ Arrived unsolicited in email
✗ No URL preview shown
✗ Urgency ("act now," "expires today")
✗ Domain doesn't match the sender

IF YOU SCANNED SOMETHING SUSPICIOUS:
1. Disconnect from corporate Wi-Fi
2. Do NOT power off the device
3. Contact IT immediately
4. Do NOT delete the email or discard the item

REPORT TO: [your IT helpdesk address / phone]

Ready to make this framework easier to execute? Equip every employee with QRsafer — it checks the destination of any QR code against threat intelligence before the browser opens the page, adding a last-checkpoint safety net on the mobile devices where most scans happen.

For the organizational strategy that complements this training, see the guide on how to protect employees from QR code scams and the QR code policy template for businesses.

FAQ

How long should a QR code security training session take?

A well-structured session can be delivered in 20–30 minutes for most employee populations. Use the five modules as a guide: spend about 5 minutes on how quishing works, 10 minutes on the four scenarios with real examples, 5 minutes walking through the pre-scan checklist, and 5 minutes on the incident-reporting procedure. The self-assessment quiz can run as a group activity or a brief knowledge check at the end.

What is the single most important thing to teach employees about QR codes?

The pre-scan pause: before tapping, glance at the URL preview your phone shows. If the destination domain does not match the brand or context — or if there's no URL preview at all — do not proceed. This one habit prevents the vast majority of QR code phishing attempts because most attacks rely on employees tapping without looking.

How do you train employees who aren't technical?

Scenario-based learning works far better than technical explanations for non-technical staff. Show them a realistic example — a fake 'your account is locked' email with a QR code, or a sticker code on an office printer — and walk through exactly what the attacker wants and what the employee should do instead. Concrete stories stick; attack vectors don't.

Should employees use a dedicated QR code scanner app at work?

Yes, especially for BYOD or hybrid environments where corporate MDM doesn't control what the browser opens on personal devices. A dedicated scanner like QRsafer displays the destination URL before the browser navigates to it and flags known malicious domains, giving employees an extra checkpoint that the device's built-in camera scanner doesn't provide.