What to Do If You Scanned a QR Code in an Email
Email QR phishing, often called quishing, is designed to move you from an email inbox to a phone browser where the destination is harder to inspect. Your next step depends on what you did after scanning.
Match your action to the risk
- Scanned only: close the page, save the email, and do not return to the destination unless you can verify it.
- Entered a password: change it on the real site, sign out other sessions, and review MFA and recovery settings.
- Approved an MFA prompt: revoke active sessions and remove unknown devices immediately.
- Downloaded a file: delete it if unopened. If opened, run updates and contact IT for any work device.
- Used a work account: report it to security now, even if nothing obvious happened.
Why email QR codes are risky
Attackers use QR images because they can hide the destination from a quick glance and encourage you to continue on a different device. A message may look like a Microsoft, DocuSign, bank, payroll, shipping, or benefits notice. The QR code then opens a fake login or verification page.
Learn the mechanics in the email quishing guide and the broader definition in what is quishing.
What to report
- The original email, including sender and subject line.
- The destination URL that opened after scanning.
- Whether you entered a password, one-time code, card, or personal information.
- Whether you approved a login prompt or linked a device.
- Any files downloaded, permissions requested, or strange account activity.
For a general recovery checklist, use what to do if you scanned a suspicious QR code.
Frequently asked questions
Is scanning a QR code in an email automatically dangerous?
No. If you only scanned it and did not enter information, approve a login, download a file, or grant permissions, the risk is usually low. The risk depends on what happened after the page opened.
What if I entered my password after scanning an email QR code?
Go directly to the real service, change the password, sign out of all sessions, review recovery methods and MFA devices, and check for forwarding rules or connected apps you do not recognize.
What if this was a work email QR code?
Report it to IT or security immediately, even if you are not sure it was malicious. Include the email, sender, time, destination URL, account used, and what information you entered.
Why do phishing emails use QR codes instead of links?
QR codes can move the user from a protected email inbox to a personal phone browser. They can also hide the destination from people who do not preview the code before opening it.
Preview email QR codes before the page opens
QRsafer shows the destination and safety verdict before you open a QR code from an email, PDF, or forwarded message.
