Is a QR code in an email from my bank or payroll provider safe to scan?
QR codes in unsolicited emails from financial institutions are a growing phishing technique. Banks and payroll providers rarely need you to scan a QR code by email — verify first.
Last reviewed: 1 June 2026
Explanation
QR code phishing, sometimes called quishing, exploits the fact that email security tools scan text links but often cannot inspect QR code images. A fraudulent email mimics your bank, payroll provider, or HR system and asks you to scan a QR code to verify your account, update your banking details, or claim a payment. The code redirects to a fake login page that captures your credentials. Your real bank sends you to your app or known website; it does not typically embed QR codes for account management in routine emails. If you receive an unexpected email with a QR code from a financial entity, do not scan the code. Instead, navigate directly to the institution's website or app to check whether any action is genuinely required.
Common red flags
- Unexpected email from a financial institution containing a QR code
- Email claims urgent action is needed or your account will be frozen
- QR code destination URL uses a different domain from the institution
- Sender email address differs subtly from the official domain
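For mail administrators and security teams, the two domain red flags above can be checked mechanically once a QR code has been decoded to a URL. This is an added example, not part of the original page; `examplebank.test`, the function names, and the sample inputs are constructed assumptions.

```python
from urllib.parse import urlsplit

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _host_flags(host: str, official: str, what: str) -> list[str]:
    host = host.lower().rstrip(".")
    # Only the official domain itself or a true subdomain of it passes.
    if host == official or host.endswith("." + official):
        return []
    flags = [f"{what} domain '{host}' is not {official}"]
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append(f"{what} domain uses punycode (possible homoglyphs)")
    # Compare only the registrable-looking tail so subdomains do not hide a typo.
    tail = ".".join(host.split(".")[-(official.count(".") + 1):])
    if official in host:
        flags.append(f"{what} domain embeds '{official}' inside another domain")
    elif _edit_distance(tail, official) <= 2:
        flags.append(f"{what} domain is a near-miss spelling of {official}")
    return flags

def red_flags(qr_url: str, sender: str, official: str) -> list[str]:
    """Return red flags for a decoded QR URL and a bare sender address.

    `official` is the institution's real domain, taken from a trusted
    source such as a bookmark or a bank card, never from the email itself.
    """
    official = official.lower()
    parts = urlsplit(qr_url)
    flags = []
    if parts.username is not None:
        flags.append("QR URL has a userinfo part before '@'; the real host follows it")
    flags += _host_flags(parts.hostname or "", official, "QR")
    flags += _host_flags(sender.rsplit("@", 1)[-1], official, "sender")
    return flags

if __name__ == "__main__":
    # Constructed sample: QR points at a lookalike host, sender is one character off.
    for flag in red_flags("https://examplebank.test.verify-login.test/a",
                          "alerts@examp1ebank.test", "examplebank.test"):
        print(flag)
```

An empty result only means these two checks passed; it does not make an unexpected QR code safe to scan.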
What to do now
- Do not scan the QR code
- Log in to your bank or payroll portal directly to check for any genuine alerts
- Forward the phishing email to your institution's abuse address
- Report to your national cyber crime reporting service
Frequently asked questions
Do banks ever legitimately send QR codes by email?
Some banks use QR codes for specific verified in-app actions, but they will direct you to open your existing app — not to scan an email QR code to access your account from scratch.