I Scanned a QR Code and Emails Were Sent from My Account — What to Do Right Now

Discovering that emails went out from your account without your knowledge is alarming. If it happened after scanning a QR code, your email credentials were almost certainly stolen via a fake login page. Act in the next five minutes — the steps below will lock the attacker out and limit the damage.

Do these five things right now — in this order

  1. Sign out of all active sessions. Open your email provider in a new tab, go to security settings, and terminate every active session. This kicks the attacker out even if they are already logged in.
  2. Change your email password immediately. Navigate directly to the provider by typing the address yourself — do not use any link. Choose a password you have never used before.
  3. Enable two-factor authentication. Once it is on, the attacker cannot log back in without your phone, even if they learn your new password.
  4. Check and delete any forwarding rules or filters. Attackers routinely add a forwarding rule to receive a copy of everything you receive — including bank alerts and password-reset emails — even after you change your password.
  5. Review your Sent folder and Drafts for unauthorized messages. Note exactly what went out so you can warn your contacts.

Where to find and remove forwarding rules — by provider

Forwarding rules are the most dangerous thing an attacker can add to your account because they keep working silently after you change your password. Check all three locations even if you only use one provider.

Gmail

  1. Click the gear icon → See all settings
  2. Go to the Filters and Blocked Addresses tab — delete any filter that forwards, archives, or deletes mail you did not create
  3. Go to the Forwarding and POP/IMAP tab — remove any forwarding address you did not set
  4. Visit myaccount.google.com → Security → Your devices and remove any unrecognized device
  5. Visit myaccount.google.com → Security → Third-party apps and revoke any app you do not recognize
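
If you have many filters, the check in step 2 can be scripted. The following is an added example, not part of the original guide: it assumes your filters have been exported in the JSON shape the Gmail API returns for filters (an `action` with `forward`, `addLabelIds` and `removeLabelIds`), and every address and filter in the sample is constructed.

```python
def audit_filters(filters, my_addresses=()):
    """Flag filters that forward, archive or delete mail (step 2 above).

    filters: list of dicts in the Gmail API Filter shape.
    my_addresses: forwarding targets you set up yourself (hypothetical parameter).
    Returns a list of (filter_id, [reasons]) for filters that need a manual look.
    """
    trusted = {a.lower() for a in my_addresses}
    findings = []
    for f in filters:
        action = f.get("action", {})
        reasons = []
        target = action.get("forward")
        if target and target.lower() not in trusted:
            reasons.append(f"forwards to {target}")
        # Removing the INBOX label is how a filter "archives" a message.
        if "INBOX" in action.get("removeLabelIds", []):
            reasons.append("archives (skips the inbox)")
        # Adding the TRASH label is how a filter "deletes" a message.
        if "TRASH" in action.get("addLabelIds", []):
            reasons.append("deletes (moves to Trash)")
        if reasons:
            findings.append((f.get("id"), reasons))
    return findings


# Constructed sample export: one harmless label filter, two suspicious
# filters, and one forward the account owner set up themselves.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@shop.example"},
     "action": {"addLabelIds": ["Label_7"]}},
    {"id": "f2", "criteria": {"to": "me@home.example"},
     "action": {"forward": "collector@mail.example", "removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"from": "alerts@bank.example"},
     "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f4", "criteria": {"from": "boss@work.example"},
     "action": {"forward": "me.backup@home.example"}},
]

if __name__ == "__main__":
    for filter_id, reasons in audit_filters(SAMPLE_FILTERS, ["me.backup@home.example"]):
        print(filter_id, "->", "; ".join(reasons))
```

A filter that this flags is not proof of compromise; it is a filter to open in the Filters and Blocked Addresses tab and delete if you did not create it.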

Outlook / Microsoft 365

  1. Go to outlook.live.com → Settings → View all Outlook settings → Mail → Rules — delete any rule you did not create
  2. Go to Mail → Forwarding — disable any forwarding address you did not set
  3. Visit account.microsoft.com → Security → Sign-in activity — review and block any unfamiliar sign-in
  4. Visit account.microsoft.com → Privacy → Apps and services — revoke access from any unrecognized third-party app

Apple Mail / iCloud

  1. Go to icloud.com → Mail → gear icon → Preferences → Rules — delete any rule you did not create
  2. Visit appleid.apple.com → Sign-In and Security → Active Sessions — sign out any device you do not recognize
  3. Review appleid.apple.com → Sign-In and Security → Apps Using Apple ID — revoke access from unrecognized apps

How the QR code led to your email being hijacked

QR codes hide their destination URL until after you scan them. Attackers use this to bypass spam filters, which catch malicious links in plain text but cannot inspect a QR image. The code in your case most likely pointed to a fake login page — a pixel-perfect copy of Gmail, Outlook, or Apple Mail — designed to capture whatever you typed.

The moment you entered your credentials, an automated script running on the attacker's server used them to log into your real account. From there, the attacker could send phishing emails to everyone in your contacts — who are far more likely to click a link from a trusted address — and set up forwarding rules to silently receive copies of all your incoming mail, including bank statements, password-reset emails, and two-factor authentication codes.

This chain — QR code → fake login page → credential theft → account takeover — happens within minutes. Attackers process stolen logins with automated tools, so even a brief window between scanning and noticing the problem is enough for significant damage.
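
The weak point in that chain is the destination URL, which can be inspected before anything is typed into the page. The following is an added example, not code from this guide or from any scanning app: it checks a URL decoded from a QR code against an assumed allowlist built from the provider domains named above, and the sample URLs in the comments and tests are constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains of the provider pages this guide names.
PROVIDER_DOMAINS = {"google.com", "live.com", "microsoft.com", "icloud.com", "apple.com"}


def check_login_url(url):
    """Return (looks_like_provider, reasons) for a URL decoded from a QR code.

    A True result only means the host belongs to a listed provider domain;
    it does not prove that the page itself is safe.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, ["unparseable URL"]

    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    # https://accounts.google.com@login.example/ really goes to login.example:
    # everything before '@' is userinfo, not the host.
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host")
    if not host:
        return False, reasons + ["no host"]
    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")
    # The provider domain must be the END of the host, so a host such as
    # accounts.google.com.secure-login.example does not pass.
    if not any(host == d or host.endswith("." + d) for d in PROVIDER_DOMAINS):
        reasons.append(f"host {host} is not a provider domain")
    return (not reasons), reasons


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin",
              "https://accounts.google.com@login.example/signin",
              "https://accounts.google.com.secure-login.example/"):
        print(u, "->", check_login_url(u))
```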

Protect your other accounts — not just email

Your email account is the master key to your digital life. An attacker with access to it can trigger password resets on every account that sends reset links to your address — banking, shopping, social media, and more.

  • Change your email password first, then immediately change passwords on your bank, PayPal, Amazon, and any other high-value account — do not wait until you know whether those were accessed.
  • Check whether the same password was used elsewhere. If so, change it everywhere. A password manager makes this practical.
  • Review financial account activity for any transactions you do not recognize and call your bank's fraud line if anything looks wrong.
  • Enable two-factor authentication on every account that offers it — prioritize email, banking, and payment apps. Use an authenticator app rather than SMS when the option is available.

Notify your contacts as soon as your account is secured

Once you have locked the attacker out, send a message to your contacts — from your now-secured account — letting them know that any emails they received from your address recently may not have been from you. Ask them not to click any links in those messages and to let you know if they already did.

Check your Sent folder for the exact messages that went out so you can describe them accurately. Phishing emails sent from your account are more effective than ordinary spam because recipients trust the sender — a prompt warning to your contacts can prevent further victims.

Frequently asked questions

Can scanning a QR code really cause emails to be sent from my account?

Not directly — a QR code cannot send emails by itself. The QR code led you to a fake login page that looked like your email provider. When you entered your credentials there, the attacker captured them and logged into your real account. The unauthorized emails came from the attacker using your account, not from the QR code itself.

How do I find and delete the forwarding rule an attacker may have added?

In Gmail: gear icon → See all settings → Filters and Blocked Addresses (delete unfamiliar filters) → Forwarding and POP/IMAP (remove any forwarding address you did not set). In Outlook: Settings → Mail → Rules (delete unknown rules) → Forwarding (disable anything you did not set). In iCloud Mail: icloud.com → Mail → gear icon → Preferences → Rules. Also revoke access from any third-party apps you do not recognize in your account's security settings.

Should I tell the people who received fake emails from my account?

Yes — as soon as your account is secured. Send a brief, clear note: your email was compromised, recent messages from your address may not be from you, and recipients should not click any links in those messages. Check your Sent folder first so you can describe exactly what went out. A quick warning can prevent your contacts from being victimized by the same attacker.

Stop QR phishing before it reaches a fake login page

QRsafer checks every QR code's destination URL before your browser opens it and flags phishing pages, suspicious domains, and known scam sites — so a fake login page never gets a chance to steal your credentials. Download the app and scan safely.
