QR Code Scams on Email
Fraudulent emails embed QR codes that lead to phishing pages or malware, exploiting the fact that codes hide their destination and bypass link filters.
Part of: QR-Code Scams (Quishing)
Last reviewed: 1 June 2026
Embedding a QR code in an email is a clever way to smuggle a malicious link past suspicion. The image reveals no address, so a recipient cannot hover to inspect it, and scanning it usually shifts the action to a phone, away from the desktop security tools watching the inbox.
Email is a neutral medium; the danger lies in the destination the code conceals. Scammers use QR codes in emails dressed as security alerts, invoices, or document-sharing notices precisely because the hidden link evades the scrutiny a visible URL would attract.
How this scam works on Email
The email — posing as IT, a bank, a delivery service, or a document-sharing tool — instructs you to scan the embedded QR code to 'verify your account', 'view a document', or 'confirm a payment'.
Scanning with your phone opens a phishing page that mimics a login or payment screen, capturing your credentials or card details, or it triggers a malicious download. Because the action moves to a separate device, the email security that might block a link never sees the destination.
The novelty and convenience of scanning, combined with an official pretext, are used to bypass the caution a recipient would apply to a typed link.
Common red flags
- An email asks you to scan a QR code to log in, pay, or view a document
- The code's destination is hidden and cannot be inspected by hovering
- The email pretends to be from IT, a bank, or a delivery service
- You are urged to scan quickly to avoid account loss or a missed payment
- The sender address does not match the official domain
- Scanning opens a login or payment page asking for credentials
How to protect yourself
- Do not scan QR codes embedded in unsolicited emails
- Reach accounts by typing the official web address yourself, not via a code
- Preview a code's URL before opening it if your scanner allows
- Never enter credentials or card details on a page reached from an emailed code
- Check the sender's full address against the official domain
- Report the email via your provider's phishing tool and delete it
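The two checks above, previewing a code's URL and comparing the sender's full address with the official domain, can be done by exact domain matching, as in this added example (not part of the original page). It assumes the scanner has already shown you the URL as text; `bank.example`, the sample URLs and the sender header are constructed placeholders.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the organisation's official domain, taken from a trusted source
# (a bookmark or printed statement), never from the email itself.
OFFICIAL_DOMAIN = "bank.example"  # constructed placeholder


def host_belongs_to(host: str, official: str) -> bool:
    """True only if host is the official domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    official = official.lower().rstrip(".")
    return host == official or host.endswith("." + official)


def check_previewed_url(url: str, official: str = OFFICIAL_DOMAIN) -> list[str]:
    """Return the reasons a previewed QR destination should not be trusted."""
    parts = urlsplit(url.strip())
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # Text before '@' is not the host, although it is what the eye reads first.
        reasons.append("userinfo before host")
    host = parts.hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")
    if not host_belongs_to(host, official):
        reasons.append(f"host {host!r} is not under {official}")
    return reasons


def check_sender(from_header: str, official: str = OFFICIAL_DOMAIN) -> list[str]:
    """Compare the full sender address, not the display name, with the domain."""
    _display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if not addr or not host_belongs_to(domain, official):
        return [f"sender domain {domain!r} is not under {official}"]
    return []


if __name__ == "__main__":
    # Constructed samples, not taken from real messages.
    for url in ("https://login.bank.example/verify",
                "https://bank.example.account-check.test/verify",
                "https://bank.example@account-check.test/verify"):
        print(url, "->", check_previewed_url(url) or "matches official domain")
    print(check_sender('"Bank Example IT" <alerts@bank-example.test>'))
```

An empty list means only that the address belongs to the official domain; typing the official address yourself remains the safer route.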
How to report it
- Use your email provider's 'Report phishing' function on the message
- Report the impersonation to the organisation being spoofed via its official site
- File a report with your national fraud or cybercrime reporting centre
Frequently asked questions
Why are QR codes in emails risky?
A QR code hides its destination, so you cannot inspect the link before scanning, and the action usually moves to your phone where email security cannot see it. Avoid scanning codes from unsolicited emails and reach accounts by typing the address yourself.