How to Recognise QR Code Phishing (Quishing) Scams
What Is Quishing?
"Quishing" is phishing using a QR code instead of a link. The attacker hides a malicious website behind a square QR image. You scan it with your phone, your phone opens the website, and you are asked to sign in — only the sign-in page is fake, and your password (and often your two-factor code) is sent straight to the attacker.
It works because:
- QR codes are now everywhere, so scanning one feels normal
- Email security filters scan text and links, but most do not decode the URL hidden inside a QR image
- People scan with their phone, where the URL is harder to inspect and which usually has fewer protections than a managed work laptop
Where You Will See Malicious QR Codes
In emails: A "Microsoft 365 password expiring" or "voicemail received" message that asks you to scan a QR code instead of clicking a link. Often the email comes from what looks like IT or HR.
In PDF attachments: The email itself looks clean but the attached PDF is just a single QR code. This bypasses many email filters.
On printed signs in public: Fake parking meter QR codes stuck over real ones. Restaurant menu QR codes that have been swapped. "Free WiFi" QR codes in airports and cafés.
On invoices and delivery notices: A fake Australia Post or DHL "redelivery" notice with a QR code that takes you to a fake payment page.
On posters and flyers: Especially around tradeshows, conferences and busy shopping centres.
Warning Signs in an Email
A QR code in an email is suspicious if any of these are true:
- The email creates urgency ("password expires in 24 hours", "voicemail will be deleted")
- It claims to be from Microsoft, IT, HR, or a delivery company
- The reason for using a QR code instead of a link is vague ("for security", "to verify on your phone")
- The sender's email address does not match the company they claim to be from
- The email greets you generically ("Dear user", "Hello employee")
- The email arrived outside business hours
- The QR code is the only meaningful thing in the email or PDF
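The warning signs above can be turned into a simple mail-triage rule. The checker below is an added example written for this article, not a tool from Netluma IT or from any mail product; the brand-to-domain table, keyword lists, sample messages and the three-signal quarantine threshold are assumptions constructed for illustration, and the sample lure is invented.

```python
"""Score an email for the quishing warning signs listed above.

Added example; not tooling from the original article. The brand table,
keyword patterns, sample messages and thresholds are constructed assumptions.
"""
from __future__ import annotations

import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: commonly impersonated brands and the domains they really send from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "dhl": {"dhl.com"},
    "australia post": {"auspost.com.au"},
}
URGENCY = re.compile(
    r"\b(expir\w*|within \d+ hours?|24 hours|will be deleted|immediately|urgent|action required)\b", re.I)
GENERIC_GREETING = re.compile(r"\b(dear|hello|hi)\s+(user|employee|customer|member|colleague)\b", re.I)
VAGUE_REASON = re.compile(r"\b(for (your )?security|verify (it )?on your (mobile|phone)|scan with your phone)\b", re.I)


def plain_text(msg: EmailMessage) -> str:
    """Return the text/plain body, or '' if the message has none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def signals(msg: EmailMessage) -> list[str]:
    """Collect the warning signs present in one message."""
    found = []
    text = plain_text(msg)
    subject = msg.get("Subject", "")
    haystack = f"{subject}\n{text}"
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rsplit("@", 1)[-1]
    # Images and PDFs are the carriers a QR code can hide in.
    scannable = [a for a in msg.iter_attachments()
                 if a.get_content_maintype() == "image" or a.get_content_type() == "application/pdf"]

    if URGENCY.search(haystack):
        found.append("urgency wording")
    for brand, domains in BRAND_DOMAINS.items():
        claimed = brand in haystack.lower()
        from_brand = any(sender_domain == d or sender_domain.endswith("." + d) for d in domains)
        if claimed and not from_brand:
            found.append(f"claims '{brand}' but sent from {sender_domain}")
    if GENERIC_GREETING.search(text):
        found.append("generic greeting")
    if VAGUE_REASON.search(haystack):
        found.append("vague reason for using a QR code")
    if re.search(r"\bqr\b", haystack, re.I) and scannable:
        found.append("asks to scan an attached QR image/PDF")
    if scannable and len(text.split()) < 40:
        found.append("little text besides the attachment")
    return found


def verdict(msg: EmailMessage) -> tuple[str, list[str]]:
    """Assumed policy: three or more signals quarantine, any signal flags."""
    found = signals(msg)
    level = "quarantine" if len(found) >= 3 else "flag" if found else "clean"
    return level, found


def sample_quishing() -> EmailMessage:
    """Constructed lure in the style the article describes (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "Microsoft 365 Security <alerts@m365-account-notice.net>"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Action required: your Microsoft 365 password expires in 24 hours"
    msg.set_content("Dear user,\n\nScan the QR code below with your phone to keep your "
                    "password. We use a QR code for security.\n")
    msg.add_attachment(b"\x89PNG placeholder bytes", maintype="image", subtype="png", filename="qr.png")
    return msg


def sample_legitimate() -> EmailMessage:
    """Constructed ordinary internal email for comparison."""
    msg = EmailMessage()
    msg["From"] = "Jo Bloggs <jo.bloggs@example.com>"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Notes from this morning's planning meeting"
    msg.set_content("Hi all,\n\nHere are the notes from this morning. The launch date stays as "
                    "planned, Sam owns the vendor review, and we meet again next Thursday.\n")
    return msg


if __name__ == "__main__":
    for sample in (sample_quishing(), sample_legitimate()):
        print(sample["Subject"], "->", verdict(sample))
```

The same functions work on a saved `.eml` file loaded with `email.message_from_bytes(data, policy=email.policy.default)`. The signals are deliberately independent so an analyst can see which ones fired rather than only a score.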
Warning Signs on a Printed QR Code
- The QR code is on a sticker that has been stuck over the original (look for raised edges or peeled corners)
- The QR code is in an unexpected place (a parking meter that previously did not have one)
- The QR code is not branded — no logo, no instructions, no contact details
- The QR code is in a low-trust environment (a flyer left on a windscreen, an unsolicited mailer)
How to Scan a QR Code Safely
Step 1: Look at the URL Before Opening
When you scan a QR code with your phone's camera, most phones show a preview of the URL before opening it. Read the URL carefully:
- Is the domain a real one you recognise (microsoft.com, australiapost.com.au, your bank's actual domain)?
- Or is it a misspelled lookalike (m1crosoft.com, austra1iapost.net, bank-secure-login.com)?
- Is it a long string of random characters or a URL shortener (bit.ly, tinyurl.com, t.ly)? Treat shortened links inside QR codes as high-risk.
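The three questions in Step 1 can be applied automatically to a URL decoded from a QR image, for example in a company scanning app or a helpdesk triage script. The checker below is an added example written for this article, not code from Netluma IT or from any phone vendor; the trusted-domain list, shortener list, bait-word list, confusable-character map and public-suffix list are assumptions constructed for illustration and would be replaced by your own lists.

```python
"""Triage a URL decoded from a QR code before opening it.

Added example for Step 1 of the article; not tooling from the original page.
All the lists and the character map below are constructed assumptions.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed: domains the reader already knows and trusts (keep your own list).
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "australiapost.com.au"}
# Assumed: public URL shorteners (the article names the first three).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.ly", "is.gd", "cutt.ly"}
# Words strung together with hyphens in throwaway credential-harvesting domains.
BAIT_WORDS = {"secure", "login", "signin", "verify", "account", "update", "auth"}
# Characters that look alike on a phone screen are folded to one "skeleton"
# character, so m1crosoft and microsoft compare equal (map is an assumption).
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})
# Two-label public suffixes, so australiapost.com.au is one registrable name.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au", "co.uk", "co.nz"}


def registrable_domain(host: str) -> str:
    """login.microsoft.com -> microsoft.com; auspost.com.au -> auspost.com.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(s: str) -> str:
    """Fold lookalike characters so visually similar names compare equal."""
    return s.lower().translate(CONFUSABLES)


def imitates(domain: str, trusted: str) -> str | None:
    """Describe how `domain` imitates `trusted`, or None if it does not."""
    if domain == trusted:
        return None
    brand = skeleton(trusted).split(".")[0]
    label = skeleton(domain).split(".")[0]
    if skeleton(domain) == skeleton(trusted):
        return "uses lookalike characters for"
    if label == brand:
        return "reuses the brand of"
    if brand in label:
        return "embeds the brand of"
    return None


def triage(url: str) -> dict:
    """Return a verdict ('known', 'unknown' or 'suspicious') with reasons."""
    # A bare "example.com/path" from a scanner is treated as https.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    reasons = []

    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        reasons.append("plain http, no TLS")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised hostname; may hide lookalike letters")
    if domain in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    for trusted in sorted(TRUSTED_DOMAINS):
        how = imitates(domain, trusted)
        if how:
            reasons.append(f"'{domain}' {how} '{trusted}'")
    if len(BAIT_WORDS & set(domain.split(".")[0].split("-"))) >= 2:
        reasons.append("domain built from login/security bait words")
    if any(len(seg) >= 20 and any(c.isdigit() for c in seg) for seg in parts.path.split("/")):
        reasons.append("long random-looking path")

    if reasons:
        verdict = "suspicious"
    elif domain in TRUSTED_DOMAINS:
        verdict = "known"
    else:
        verdict = "unknown"
    return {"url": url, "domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://login.microsoft.com/", "https://m1crosoft.com/login",
                   "https://austra1iapost.net/redeliver", "https://bank-secure-login.com/",
                   "http://bit.ly/3xYzAb"):
        print(triage(sample))
```

A "known" verdict only means the domain is on your list; Step 2 still applies, so a sign-in page reached from a QR code is closed and the official app or typed address is used instead. A "suspicious" URL is not opened at all.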
Step 2: Never Sign In via a QR-Code Link
If a QR code takes you to a Microsoft, Google, bank or business sign-in page — stop. Close the browser. Open the official app or type the address yourself.
Real Microsoft and Google sign-ins do not start from a QR code in an email.
Step 3: Use the Official App
For deliveries, parking, banking and government services, always use the official app instead of scanning a QR code. Open the AusPost app for parcels, your bank's app for payments, the EasyPark or PayStay app for parking.
Step 4: Do Not Scan QR Codes from Strangers
Treat a QR code from someone you do not know like an attachment from someone you do not know — assume it is hostile until proven otherwise.
What to Do If You Already Scanned One
If you tapped through a malicious QR code and entered any details:
- Change your password immediately for any account you signed into
- Sign out everywhere (for Microsoft 365: go to mysignins.microsoft.com → Sign out everywhere)
- Check your two-factor authentication settings for any new devices you do not recognise — remove them
- Tell your IT team straight away (Netluma IT clients: 1300 521 162). Quishing often leads to a much wider account takeover within hours, so a quick reset matters
- Check your sent items for emails you did not send — attackers commonly use a hijacked account to send the same scam to your contacts
- Watch your bank account and payment platforms for unauthorised activity
How to Report a Quishing Attempt
- Inside Microsoft Outlook: Use the Report → Report phishing button on the toolbar
- Inside Gmail: Use the three-dot menu → Report phishing
- To Australian authorities: Forward suspicious emails to report@cyber.gov.au and report at scamwatch.gov.au
- To Netluma IT: Forward the email to helpdesk@netlumait.com.au so we can warn other clients
Practical Tips for Your Whole Team
- Add a short policy to your staff handbook: "We will never ask you to scan a QR code to sign in to a work account."
- Run a 5-minute team briefing on quishing — it is the simplest, cheapest cyber-awareness session you will ever do
- Disable QR-code scanning shortcuts on the lock screen for high-risk staff (finance, payroll)
- Make sure all staff have the Microsoft Authenticator app, and that Conditional Access policies are enforced — both reduce the damage of a stolen password
Need Help?
If you would like Netluma IT to run a phishing and quishing awareness session for your team, or to harden your Microsoft 365 settings against credential theft, get in touch.
Phone: 1300 521 162
Email: helpdesk@netlumait.com.au