Slack QR Code Scam: What It Is and What to Do

You got a QR code in a Slack message, a workspace notification, or an email that claimed to be from Slack. Here's what's actually happening, how attackers use Slack's trusted reputation to steal credentials, and exactly what to do if you already scanned.

How attackers use Slack QR codes to steal credentials

Slack is used by over 20 million people daily across tech companies, media organizations, and corporate teams — which makes it a high-value impersonation target. There are three main attack patterns:

  1. "Your workspace has been suspended" email. You receive a professional-looking email claiming your Slack workspace has been suspended, deactivated, or flagged for unusual activity. The email urges you to scan a QR code to "restore access" or "verify your account." The QR code leads to a convincing fake Slack login page that harvests your email address and password the moment you type them.
  2. Slack DM from a compromised account. A colleague's Slack account gets hacked. The attacker then sends QR codes via DM to that person's contacts — coworkers, managers, clients — claiming the QR code links to a shared document, a meeting room, or a security update. Because the message comes from a familiar name and account, most people scan without a second thought.
  3. Fake Slack Connect invitation. Slack Connect lets users collaborate across different organizations. Attackers send fraudulent "invitation to join a Slack Connect workspace" emails with a QR code to "accept the invitation." The destination is a phishing page that mimics Slack's sign-in interface rather than the real Slack Connect onboarding flow.

All three methods exploit the same vulnerability: Slack is a trusted, work-critical platform, so users are conditioned to act quickly on Slack-related alerts. This is a textbook example of quishing — using a QR code to bypass link-screening tools and deliver a phishing destination.

The rule that protects you from every variant

Slack never asks you to scan a QR code to verify your account, restore access, or rejoin a workspace. Every legitimate Slack action — signing in, accepting an invitation, re-authenticating — happens inside the Slack app itself or at slack.com. There is no official Slack flow that requires you to point your camera at a QR code.

If a QR code appears in an email or message and the instruction involves Slack, it is a scam. Full stop.
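
The rule above can be applied mechanically to the URL a QR code decodes to. The following is an added example, not part of the original article or any Slack tooling: it assumes slack.com and its subdomains are the only trusted destinations, and the function name, verdict labels and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: per the article, slack.com (and its subdomains) is the only
# legitimate destination for a Slack sign-in or invitation.
TRUSTED_DOMAIN = "slack.com"
BRAND = "slack"


def classify_qr_url(decoded: str) -> str:
    """Classify a URL decoded from a QR code: slack, suspicious, other, invalid."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = (parts.username or "").lower()
    except ValueError:  # e.g. an unbalanced "[" in the host part
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"

    on_slack = host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
    if on_slack and parts.scheme == "https" and not userinfo:
        return "slack"

    # Signs that the URL borrows Slack's name without being on slack.com:
    # the brand in the host or in the userinfo before "@", an internationalized
    # (possibly homoglyph) label, or slack.com reached over plain http.
    idn = not host.isascii() or any(l.startswith("xn--") for l in host.split("."))
    if on_slack or BRAND in host or BRAND in userinfo or idn:
        return "suspicious"
    return "other"


# Constructed sample inputs (not real indicators); .example hosts are reserved.
SAMPLES = [
    "https://app.slack.com/client",
    "https://slack.com.account-restore.example/signin",
    "https://slack.com@login.example/",
    "https://notslack.example/connect",
    "http://slack.com/",
    "https://files.example/shared-doc",
    "https://[slack.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_qr_url(url):10} {url}")
```

The check looks only at the URL as decoded, so a shortened or redirecting link lands in "other" and still needs its final destination resolved before it is trusted.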

The same principle applies to similar workplace platforms. For comparison, see how attackers run Zoom QR code scams using nearly identical fake "account suspended" emails.

What to do if you scanned a Slack QR code

Act quickly — Slack credentials give attackers immediate access to private messages, shared files, and internal tools.

  1. If you entered your Slack password: Go directly to slack.com (not any link from the message) and change your password immediately. Then navigate to your Slack account settings and revoke all active sessions — this logs out the attacker even if they are already signed in.
  2. Enable two-factor authentication: In Slack settings, turn on two-step verification. This prevents reuse of stolen credentials even if the attacker still has your old password.
  3. Notify your workspace admin or IT team: If this was a work Slack account, your admin can audit sign-in logs, check for unauthorized app installations, and revoke any OAuth tokens the attacker may have approved.
  4. Change your email password: If the Slack account is linked to your work email, change that password too. Attackers often try to use Slack credentials to trigger password resets on connected services.
  5. Check for password reuse: If you use the same password on other sites, change it everywhere. Use a unique password for each account going forward.
  6. Report the scam: Forward the phishing email to phishing@slack.com. File a report at reportfraud.ftc.gov.

If the QR code prompted you to enter a password, see the full guide on what to do when a QR code asks for your password.

Frequently asked questions

Does Slack ever send QR codes to verify your account or rejoin a workspace?

No. Slack never sends QR codes to verify your account, restore workspace access, or re-authenticate your session. All legitimate Slack actions happen inside the app or at slack.com. Any QR code claiming to restore Slack access is a phishing scam.

I got a Slack DM with a QR code from a coworker — could it be a scam?

Yes. Attackers compromise Slack accounts and then send QR codes to all of that person's contacts. The message will show your coworker's real name and photo. Before scanning, verify directly with the sender through email, text, or a phone call that they actually sent it.

I scanned a Slack QR code and entered my password — what should I do right now?

Change your Slack password immediately at slack.com. Revoke all active sessions in your account settings. Enable two-factor authentication. Notify your IT or security team so they can audit access logs and check for unauthorized activity.

Preview any QR code before your browser opens it

QRsafer checks the destination URL against multiple threat intelligence sources and shows you a Safe, Risky, or Dangerous verdict before anything loads. Free on iOS and Android.
