QR code phishing — quishing — is now the fastest-growing attack vector against corporate employees, precisely because the standard email security stack doesn't see it coming. The code arrives as an image; email scanners don't decode it; the employee scans with their phone; the malicious page loads on a device outside corporate security controls. Every organization that runs phishing awareness training needs a dedicated QR code module.
This guide gives you that module. Five sections, ready to use.
Module 1: How quishing works (plain language)
A QR code is a picture of a URL. When an employee scans it, their phone visits that URL — the same as if they had tapped a hyperlink. Attackers use this because email security systems are excellent at spotting malicious URLs in text, but most of them don't decode QR code images. So the attacker takes a phishing URL, converts it to a QR code, puts the image in an email, and sends it through. The email lands in the inbox without a warning flag. The employee scans it with their phone. Their phone opens the phishing page. The corporate network never saw any of it.
Key message for employees: A QR code in an email is a hyperlink in disguise. Treat it with exactly the same skepticism.
Module 2: The four scenarios employees encounter most
Scenario 1 — Phishing email with a QR code. The email appears to be from Microsoft, DocuSign, a bank, or a known vendor. It says something urgent: your account is locked, a document needs your signature, your password is expiring, there's suspicious activity. The QR code is the action item. The destination is a credential-harvesting page that looks exactly like the real thing. What to do: go to the official platform directly — account.microsoft.com, docusign.com, your bank's app — don't scan the code first.
Scenario 2 — Physical QR code in a shared workspace. A sticker or printed card appears near a printer, on a break-room bulletin board, at a meeting room sign-in station, or on a conference table. It says "scan to report an IT issue," "scan for the Wi-Fi password," or "scan to join the meeting." The code was placed by someone who was in the building — it could be an employee, a contractor, a visitor. What to do: if the code wasn't there before, or if the context feels unexpected, report it to IT before scanning.
Scenario 3 — QR code from a supplier or vendor. An invoice, proposal, or onboarding email from an external vendor includes a QR code for "accessing the vendor portal" or "submitting payment." Vendor impersonation with QR codes is a primary business email compromise (BEC) vector. What to do: verify the destination URL matches the vendor's known domain, and for any payment-related link, confirm banking details by phone before processing.
Scenario 4 — QR code on a delivered package or mailer. An unexpected package or printed mailer arrives and includes a QR code to "verify delivery," "rate the experience," or "claim a reward." The code may have arrived at a work address. What to do: if you weren't expecting the package or the QR code's context doesn't make sense, don't scan it.
Module 3: The five-step pre-scan checklist
Post this on office printers, in training slides, and in the IT helpdesk knowledge base.
- Did you expect this QR code? If it arrived unsolicited — by email, physical mail, or on an unfamiliar sign — apply extra scrutiny before scanning.
- Does the context make sense? A code on a restaurant menu should go to the restaurant's site. A code in a vendor email should go to the vendor's domain. If the context doesn't match what you'd expect, pause.
- Can you see a URL preview? On iPhone and most Android devices, holding your camera over a QR code shows a URL preview before you tap. Look at it. Does the domain match the brand?
- Is the domain spelled correctly? Phishing pages often use typosquatting: micros0ft.com, docusign-secure.com, amazon-verify.net. If anything looks off in the domain, don't tap.
- Is a scanning app flagging it? QRsafer checks the destination URL against threat intelligence and returns a Safe, Risky, or Dangerous verdict before your browser opens the page. If you're uncertain, scan with QRsafer before the camera app.
Module 4: What to do if you scanned something suspicious at work
Response speed matters. Here is the protocol:
Immediately (within minutes):
- If you entered any credentials, close the page and do not log in again.
- Disconnect the device from corporate Wi-Fi and switch to cellular data only.
- Do not power off the device — IT may need the browser history.
Within 15 minutes:
- Contact your IT helpdesk or security team using the official reporting channel (not the device you just scanned with, if possible).
- Report the QR code source: email subject line and sender, physical location and description, or package details.
What IT security will do:
- Force a password reset on any accounts accessed on that device.
- Review authentication logs for the affected accounts.
- Determine whether any data was exposed or any session was compromised.
What you should NOT do:
- Don't try to diagnose or remediate the device yourself.
- Don't delete the email or discard the physical material — it's evidence.
- Don't wait to see if anything happens.
Module 5: Self-assessment quiz
Use these as a group discussion or end-of-training knowledge check.
Question 1. You receive an email from what appears to be Microsoft. It says your Microsoft 365 account will be locked in 24 hours unless you scan the QR code to verify your identity. What do you do?
- Correct answer: Do not scan the QR code. Go to account.microsoft.com directly from your browser and check your account status. If nothing is wrong, report the email to IT as a phishing attempt.
Question 2. You walk into the office and notice a new sign near the printer that says "New print queue — scan to reconnect your device." You don't remember seeing an IT announcement about this. What do you do?
- Correct answer: Do not scan. Notify IT via your normal helpdesk channel and ask whether the sign is legitimate. If IT didn't place it, report it immediately.
Question 3. A vendor emails your accounts payable team an invoice with a QR code that says "Scan to access the secure payment portal." The email looks authentic. What do you do?
- Correct answer: Before processing any payment, verify the URL destination matches the vendor's known domain. Call the vendor using a phone number from official records — not the invoice — to confirm the payment details. Do not process based on the QR code alone.
Question 4. You scanned a QR code at a trade show booth. The landing page asked for your work email and you entered it before you noticed the URL looked odd. What do you do?
- Correct answer: Report it to IT security immediately. Provide the URL, the location, and the approximate time. IT will assess whether the domain is known-malicious and monitor your email account for any phishing activity targeting your address.
One-page quick reference card
Print and post at employee workstations or include in your onboarding packet.
QR CODE SAFETY — QUICK REFERENCE
BEFORE YOU SCAN:
✓ Did you expect this QR code?
✓ Does the context make sense?
✓ Does the URL preview match the brand?
✓ Is the domain spelled correctly?
✓ Does QRsafer say it's safe?
RED FLAGS — DON'T SCAN:
✗ Arrived unsolicited in email
✗ No URL preview shown
✗ Urgency ("act now," "expires today")
✗ Domain doesn't match the sender
IF YOU SCANNED SOMETHING SUSPICIOUS:
1. Disconnect from corporate Wi-Fi
2. Do NOT power off the device
3. Contact IT immediately
4. Do NOT delete the email or discard the item
REPORT TO: [your IT helpdesk address / phone]
Ready to make this framework easier to execute? Equip every employee with QRsafer — it checks the destination of any QR code against threat intelligence before the browser opens the page, adding a last-checkpoint safety net on the mobile devices where most scans happen.
For the organizational strategy that complements this training, see the guide on how to protect employees from QR code scams and the QR code policy template for businesses.
