What We Do
How We Do
Get Started

The Rise of QR Code Phishing Attacks and Best Practices for Interacting with QR Codes

BY eSentire

November 17, 2023 | 5 MINS READ


Managed Risk Programs

Want to learn more on how to achieve Cyber Resilience?


Since the onset of the COVID-19 pandemic, most businesses across a wide range of industries have begun using Quick Response (QR) codes to provide a contactless experience for their customers. The QR code is a square pixelated barcode that can be read by digital devices such as your smartphone camera.

These codes are often used for many legitimate purposes, such as helping you navigate to a website, set up multi-factor authentication (MFA) for a software application, access Wi-Fi, and more. For example, restaurants used QR codes in place of physical menus, and retail stores used them to share detailed product information with their customers.

Unfortunately, due to the abstract design of QR codes, it’s nearly impossible to tell where the code will direct you to. Unlike traditional phishing attacks where you may be able to identify a suspicious URL by hovering over the hyperlink to see if the destination URL matches the text URL provided to you, QR codes hide the URL, making it difficult for you to detect.

This has presented many threat actors with ample opportunities to exploit QR codes to embed malicious URLs containing malware or phishing websites to collect your sensitive data.

In fact, our Threat Response Unit (TRU) recently investigated an Adversary-in-the-Middle (AiTM) phishing attack in which the threat actor(s) impersonated one of our customers’ HR personnel and used a QR code to entice the employee into scanning it with their phone.

Why are QR Code-based Phishing Attacks Dangerous?

Recently, we have seen a significant rise in the use of QR code phishing attacks, known as “Qishing” or “Quishing.” Instead of providing a direct text link for users to click, threat actors use QR codes in phishing emails to bypass link filtering and security controls.

The subject matter of the QR phishing emails often changes, but the common thread is asking users to scan a QR code with their phone. Scanning the QR code brings users to a malicious website that often mimics a genuine platform like Microsoft Office 365 and asks them to log in. Once the users enter their credentials, they are shared directly with the threat actor.

Attackers benefit from the QR phishing attack tactic because phones and other mobile devices are often less secure, given that security teams don’t have visibility into the camera or browser activity.

Examples of Exploited QR Codes Observed in the Wild

Example 1: The adversary sends an email that looks to come from Microsoft and tries to get you to scan the QR code to complete your MFA setup

An example of a fake Microsoft 365 email that uses QR code phishing to drive users to a malicious site and collect their sensitive data.

Example 2: The email appears as though it has a valid DocuSign contract

An example of a fake DocuSign email which uses QR code phishing to drive users to malicious websites and collect their sensitive data.

Example 3: The threat actor lures you with an email about salary and employee benefits and provides explicit directions to use your smartphone camera to scan the QR code

An example of a fake email about salary and employee benefits which uses QR code phishing to drive users to a malicious website and collect their sensitive data.

Best Practices for Opening QR Codes

At their core, QR codes are the same as any other link to a web page, so it’s best to apply the same scrutiny you would when clicking a link. Ask yourself:

How to Preview a QR Code Link

Your phone can help you preview where the QR code links to, however, these can sometimes be truncated.

Open your camera app and hover over the QR code. A link preview should be displayed on the screen, as seen in the image below.

An example of how you can preview a QR code link on an iPhone to verify its safety and avoid falling for a QR code phishing attack.

Report Phishing Emails

If your employees receive an email suspected of phishing, they must know to report the emails as soon as possible to prevent others from falling victim to QR Code phishing attacks.

More importantly, you must establish a safe cyber culture at your organization and encourage your employees to report phishing attacks, especially if they fall for the scam. The goal here is so your security team can isolate the affected device ASAP to prevent lateral spread.

At eSentire, we have rolled out a “Report a Phish” button organization-wide within our Microsoft Outlook applications so our employees can report phishing emails immediately. Once a user clicks the button, a dialogue box opens with two important questions:

An example of eSentire Report a Phish button available organization-wide within Microsoft Outlook applications so your employees can report QR code phishing emails immediately.

After the user answers the questions and submits the form by clicking “Report Email,” they’re presented with the following information. At this point, they can review and click “Close and Delete” to complete the reporting process.

An example of eSentire PhishForward feature available organization-wide within Microsoft Outlook applications so your employees can report QR code phishing emails immediately.

Implement a Phishing and Security Awareness Training Program to Build User Resilience Against Cyberattacks

Threat actors are constantly evolving their tactics, techniques, and procedures (TTPs) to develop novel attack methods. So, you shouldn’t expect a one-time training exercise to be sufficient in raising security awareness with your employees.

The key is implementing a training program that can be iterated upon, especially since employees don’t always understand where they go wrong, limiting their ability to ward off real threats. Therefore, you need a comprehensive phishing and security awareness training program that tests the capabilities of your team to understand phishing threats and the escalation procedure, and more importantly, trains them continuously.

Our Managed Phishing and Security Awareness Training (PSAT) program helps you identify risk and test user resilience to enable behavioral change with your employees and generate measurable results across your organization. Here’s how our PSAT program works:

An image showing how eSentire’s end-to-end Managed Phishing Training and Security Awareness training program works to maximize user resilience to phishing attacks, including QR code phishing attacks.

Our end-to-end service alleviates the resources required to keep your employees resilient against the most sophisticated social engineering tactics (e.g., phishing, SEO poisoning, business email compromises, and more).

To learn more about how our PSAT program can help you drive behavioural change with your employees and protect your organization, connect with an eSentire cybersecurity specialist.


eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.

Read the Latest from eSentire