A QR code arrives in an email. The Zoom logo is at the top. The subject line says your account has been suspended. The body tells you to scan the code to restore access before your next meeting.
This is a Zoom QR code scam — and it is designed to exploit two things simultaneously: the trust you place in Zoom as a daily work tool, and the urgency of a meeting you need to join.
Zoom's platform is impersonated at scale for a straightforward reason: nearly every remote worker, student, and hybrid team member has a Zoom account and depends on it. A threat to that access feels urgent in a way that overrides normal skepticism.
Here is how each attack pattern works.
Attack pattern 1: Fake "account suspended" email with a QR code
This is the most common vector.
You receive an email with Zoom's branding, a message that your account has been suspended or that unusual login activity was detected, and a QR code to "verify your identity and restore access." The urgency is deliberately set high — a meeting is referenced, a deadline is implied, or the email says your account will be permanently deleted if you don't act within 24 hours.
Scanning the QR code opens a page that mimics Zoom's sign-in portal almost exactly: the same layout, colors, and logo. Credentials entered there go to the attacker, not to Zoom. If your Zoom account uses Google, Microsoft, or Okta single sign-on, the phishing page often mirrors that SSO provider's login screen instead. What is captured is then an identity-provider credential rather than a Zoom-only password (and, if the page proxies the real login, the resulting session token as well), so the access gained may reach far beyond Zoom.
The tell: Zoom does not initiate account verification by QR code in an email. Legitimate messages about your account point you to zoom.us, and the safe way to get there is to type that address yourself rather than follow a link from the email or scan a code.
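The lure described above is what a mail-gateway rule or SOC triage script has to catch: a Zoom-branded display name on a sender that is not zoom.us, an inline image as the only call to action, and "scan within 24 hours" pressure. The Python below is an added example for this page, not Zoom's code or anything from the original article. It builds a constructed lure (the PNG bytes are a placeholder, not a real QR image), parses it with the standard library, extracts the image parts for a QR decoder, and scores the message. The trusted-domain list and the decoder step (pyzbar or similar, deliberately left out) are assumptions.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: sender domains whose Zoom-branded mail is trusted. Add your own
# tenant's domains only if Zoom notifications are relayed through them.
TRUSTED_SENDER_DOMAINS = ("zoom.us",)

# Pressure language typical of the "account suspended" lure.
URGENCY = re.compile(
    r"\b(suspended|restore|verify|deleted|immediately|within \d+ hours?)\b", re.I)
SCAN = re.compile(r"\bscan\b", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)""", re.I)
TAG = re.compile(r"<[^>]+>")


def sender_is_trusted(domain: str) -> bool:
    """Exact match or a real subdomain of a trusted domain, never a substring match."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_SENDER_DOMAINS)


def extract_images(msg):
    """Return [(content_id, content_type, raw_bytes)] for every image part.

    These are the candidate QR carriers. Hand the bytes to a QR decoder
    (assumption: pyzbar, zxing or similar, not included here) and vet the
    decoded URL before anyone scans the image with a phone.
    """
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            cid = str(part.get("Content-ID", "")).strip("<>")
            out.append((cid, part.get_content_type(), part.get_payload(decode=True)))
    return out


def triage_email(raw: bytes) -> dict:
    """Score a raw RFC 5322 message against the Zoom 'account suspended' QR pattern."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    trusted = sender_is_trusted(domain)

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = HREF.findall(html)                 # clickable links a URL scanner would see
    text = TAG.sub(" ", html)
    urgency_terms = sorted({m.lower() for m in URGENCY.findall(text)})
    images = extract_images(msg)

    reasons = []
    if not trusted:
        reasons.append("sender_domain_not_trusted")
        if "zoom" in name.lower():
            reasons.append("display_name_impersonates_zoom")
    if images and not links:
        reasons.append("image_is_only_call_to_action")
    if urgency_terms:
        reasons.append("urgency_language")
    if SCAN.search(text):
        reasons.append("asks_to_scan_a_code")

    if images and not trusted and "asks_to_scan_a_code" in reasons:
        verdict = "qr_phish_suspect"
    elif images:
        verdict = "review"
    else:
        verdict = "no_qr_carrier"

    return {"verdict": verdict, "sender_domain": domain, "sender_trusted": trusted,
            "image_count": len(images), "image_cids": [cid for cid, _, _ in images],
            "links": links, "urgency_terms": urgency_terms, "reasons": reasons}


def build_sample_email() -> bytes:
    """Constructed lure for offline testing; the PNG bytes are a placeholder, not a real QR."""
    msg = EmailMessage()
    msg["From"] = "Zoom Security <no-reply@zoom-account-security.com>"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Action required: your Zoom account has been suspended"
    msg.set_content("Your Zoom account has been suspended. Scan the QR code to restore access.")
    msg.add_alternative(
        '<html><body><p>Your Zoom account has been <b>suspended</b> after unusual '
        'sign-in activity. Scan the QR code below within 24 hours to verify your '
        'identity and restore access, or it will be permanently deleted.</p>'
        '<img src="cid:qr@phish" alt="QR code"></body></html>', subtype="html")
    fake_png = b"\x89PNG\r\n\x1a\n" + bytes(64)     # placeholder image bytes
    msg.get_payload()[1].add_related(fake_png, "image", "png", cid="<qr@phish>")
    return bytes(msg)


if __name__ == "__main__":
    import json
    print(json.dumps(triage_email(build_sample_email()), indent=2))
```

The verdict deliberately requires an image plus an untrusted sender plus an instruction to scan; urgency words alone are too common in legitimate mail to act on. Mail that Zoom really sends passes `sender_is_trusted` and carries clickable links, so it lands in `review` or `no_qr_carrier` rather than being blocked.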
Attack pattern 2: QR codes shared in Zoom meetings
This variant targets participants directly inside a live or recorded session.
An attacker — either a compromised host account or an uninvited attendee who has obtained a meeting link — shares their screen or sets a virtual background that displays a QR code. The framing varies:
- "Scan to access the shared resources for this session"
- "New Zoom security policy — scan to verify your participation"
- "Scan for the recording link after the meeting"
The code leads to a fake Zoom login page, a credential-harvesting "secure document" portal, or in some cases a page that initiates a malware download. Because the QR code appears inside what looks like a legitimate corporate meeting, participants scan without the same scrutiny they might apply to an unsolicited email.
Enterprise targets are especially vulnerable: attackers compromise one employee's account, use it to join internal meetings, and share a QR code that harvests additional SSO credentials from colleagues who trust the meeting context.
If you see an unexpected QR code in a Zoom meeting, do not scan it. Ask the host what it is supposed to link to through a channel other than the meeting itself (a compromised host account will vouch for its own code), or check with your organization's IT team. Legitimate meeting materials are normally shared as clickable links in the meeting chat, where the destination can be read before it is opened, not as images.
Attack pattern 3: Fake webinar registration codes
The third pattern targets people who are signing up for something, not managing an existing account.
Scammers create convincing promotional pages for fake webinars — professional development events, investment seminars, product launches, healthcare information sessions — and share them through social media, flyers, or email blasts. The registration page includes a QR code that supposedly confirms attendance or grants access to "pre-event materials."
The code leads to a credential-harvesting page, a fake payment portal for a "premium seat," or a malicious file download disguised as preparatory materials. The victim believes they are registering for a legitimate event. The event never exists.
This attack also appears in the other direction: QR codes on physical flyers — posted in office buildings, university campuses, or community centers — promote fake Zoom events to draw local targets who trust the institutional context.
Understanding how quishing works as a category explains why QR codes are used here instead of plain links: the destination URL is embedded in an image, so the URL-scanning and link-rewriting that many email clients and messaging platforms apply to clickable hyperlinks see nothing to inspect, and the scan moves the victim from a managed laptop to a personal phone that usually sits outside corporate web filtering. Some mail gateways now decode QR images, but a code shown on a shared screen or printed on a flyer passes through no mail filter at all.
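Once a QR payload has been decoded, whether by a preview app or by a gateway that decodes images, the question is whether the URL really belongs to zoom.us. The checker below is an added example, not code from this page's author or from Zoom. It uses only Python's standard library and assumes zoom.us (with its subdomains) is the sole trusted domain and a short assumed list of link shorteners. It catches the tricks that make "it says zoom.us" unreliable: the trusted domain used as a subdomain of another host, placed in the userinfo before an @, hidden in the path, or spelled with non-ASCII or punycode lookalike characters.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: zoom.us and its subdomains are the only hosts this check trusts.
# Add your identity provider's sign-in host only after confirming it yourselves.
ALLOWED_DOMAINS = ("zoom.us",)

# Link shorteners often placed in QR codes to hide the final destination (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}


def _allowed_host(host: str, allowed) -> bool:
    """Exact match or a true subdomain, never a substring match."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_qr_url(payload: str, allowed=ALLOWED_DOMAINS) -> dict:
    """Classify text decoded from a QR code before anyone opens it.

    verdict is "allowed" (https, host under an allowlisted domain, nothing odd),
    "suspicious" (at least one reason fired) or "not_a_web_url" (zoommtg:,
    mailto:, WIFI:, plain text ...); reasons lists every heuristic that fired.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        return {"verdict": "suspicious", "host": None, "reasons": ["unparseable:" + str(exc)]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return {"verdict": "not_a_web_url", "host": None,
                "reasons": ["scheme:" + (scheme or "none")]}

    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    reasons = []
    if scheme != "https":
        reasons.append("not_https")
    if not host:
        reasons.append("no_host")
    if parts.username is not None:
        # https://zoom.us@evil.example/ : "zoom.us" is userinfo, the host is evil.example
        reasons.append("userinfo_before_host")
    if not host.isascii():
        reasons.append("non_ascii_host")          # homoglyph domain, e.g. Cyrillic o
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode_host")           # encoded form of the same trick
    if host and _is_ip_literal(host):
        reasons.append("ip_literal_host")
    if host in SHORTENERS:
        reasons.append("url_shortener")

    allowed_host = bool(host) and _allowed_host(host, allowed)
    if not allowed_host:
        reasons.append("host_not_allowlisted")
        tail = (parts.path + "?" + parts.query).lower()
        for d in allowed:
            if d in host:
                reasons.append("allowed_domain_inside_other_host")   # zoom.us.evil.com
            elif d.split(".")[0] in host:
                reasons.append("brand_name_in_other_host")           # zoom-verify.com
            if d in tail:
                reasons.append("allowed_domain_in_path_or_query")    # evil.com/zoom.us/
    verdict = "allowed" if allowed_host and not reasons else "suspicious"
    return {"verdict": verdict, "host": host or None, "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://zoom.us/signin", "https://us02web.zoom.us/j/1234567890",
                   "https://zoom.us.account-verify.com/login",
                   "https://zoom.us@evil.example/", "https://bit.ly/3xyzabc",
                   "https://z\u043e\u043em.us/signin",
                   "zoommtg://zoom.us/join?confno=1234567890"):
        print(sample, "->", classify_qr_url(sample))
```

The allowlist test is an exact or suffix match on the parsed host, never `"zoom.us" in url`: the substring check is precisely what the subdomain, userinfo and path tricks exploit. Non-web schemes are reported separately rather than rejected, because real Zoom clients do use `zoommtg://` deep links and those need a different review.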
What to do if you scanned a Zoom QR code
If you entered your Zoom password:
- Go directly to zoom.us and change your password immediately.
- On your Zoom profile page, use the option to sign out of all devices (the web portal labels it Sign Me Out From All Devices) so that any session the attacker opened with the stolen password is invalidated.
- Enable two-factor authentication under Security settings.
- If your account uses SSO (Google, Microsoft, Okta), the password you typed belongs to the identity provider, not to Zoom, so resetting it in Zoom does nothing. Notify your IT administrator immediately: the identity-provider password must be reset and that user's sessions and refresh tokens revoked at the provider, and if the phishing page proxied the real login it may have captured the second factor as well.
If you entered payment information:
- Contact your bank or card issuer now to flag the charge as potentially fraudulent.
- Request a new card number.
- Monitor your statements for follow-on charges — phishing pages often resell card data quickly.
If you only opened the page without entering anything: the risk is usually low. Close the browser tab, do not open anything the page may have downloaded, clear your browser cache, and report the phishing page at reportphishing@zoom.us. Keep the email or note the URL so your IT team can block it.
For a broader action plan, see what to do after scanning a suspicious QR code.
The rule that covers all three patterns
Zoom does not ask you to scan a QR code to verify your account, restore meeting access, or perform any security action. Every legitimate Zoom notification includes a direct link to zoom.us — which you should type manually, not follow from a code or email.
If you work in an organization where Zoom is part of the enterprise stack, the same QR phishing tactics are used against Microsoft Teams. Review the Microsoft Teams QR code scam page to understand the full enterprise attack surface.
See also
- What Is Quishing?
- I Scanned a QR Code and It Asked for My Password
- Microsoft QR Code Scam
- WhatsApp QR Code Scam
- QR Code Threat Map
Download QRsafer for iOS or Android and preview the destination URL of any QR code — including one you received in a Zoom email — before your browser opens it.
