Fake QR code phishing — scan to verify account — bank/Microsoft/PayPal QR code to scan to verify identity + enter credentials at secure portal + QR leads to phishing page harvesting passwords + quishing bypasses email URL scanners
fake-qr-code-phishing-scan-to-verify-account
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
QR code phishing ("quishing") is an increasingly prevalent attack vector that bypasses traditional email security tools, which scan URLs but cannot follow QR codes. The attacker embeds a QR code in an email impersonating a bank, Microsoft, PayPal, Apple, a utility company, or an employer's HR department. The email claims the recipient must scan the QR code to verify their account, prevent suspension, reactivate access, or update payment/payroll information. The QR code resolves to a convincing phishing page that harvests credentials, payment card details, bank account numbers, or Social Security numbers. Because email security gateways typically inspect text links but not encoded QR codes, quishing emails have much higher delivery rates than traditional phishing.

Key facts:
(1) No legitimate bank or financial institution asks customers to scan a QR code from an unsolicited email to log in — they use 2FA via their official app.
(2) Authenticator app QR codes are different: they are scanned inside a dedicated authenticator app (Google Authenticator, Authy), not with your phone camera to open a webpage.
(3) CISA, FBI, and FTC all issued quishing warnings in 2023–2024 after a surge in campaigns.
(4) Employer payroll/direct deposit updates should be completed through officially communicated internal HR portals, not QR codes in unsolicited emails.

Always navigate to sensitive accounts directly by typing the URL — never by scanning a QR code from an email.
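The structural side of this lure, as an added example that is not Gorganizer's own code: it parses a MIME message with Python's standard library, checks whether the HTML body embeds an image by Content-ID (where a QR image sits), and combines that with the "scan the QR code" wording, the account-verification pretexts and the impersonated brands listed above. The sample message is constructed, the scoring weights are an assumption, and decoding the QR image itself is left out because it needs an image library.

```python
import re
from email import message_from_string

# Lure phrasing (scan a code instead of clicking), pretexts and brands named on this page
QR_LURE = re.compile(r"\bscan (?:the|this) (?:qr|quick response) code\b", re.I)
PRETEXT = re.compile(r"\b(?:verify|confirm|reactivate|suspen(?:d|sion)|"
                     r"update (?:your )?(?:payment|payroll|direct deposit))\b", re.I)
BRANDS = re.compile(r"\b(?:bank|microsoft|paypal|apple|hr)\b", re.I)

def quishing_score(raw: str) -> dict:
    """Score 0-3 for the quishing pattern (assumed weights) and return the evidence found."""
    msg = message_from_string(raw)
    text, inline_image, hyperlink = "", False, False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/") and part.get("Content-ID"):
            inline_image = True   # image the HTML body embeds by cid: (where a QR would sit)
        elif ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                hyperlink |= bool(re.search(r"<a\s[^>]*href=", body, re.I))
                body = re.sub(r"<[^>]+>", " ", body)   # strip tags before phrase matching
            text += " " + body
    ev = {"qr_lure": bool(QR_LURE.search(text)), "inline_image": inline_image,
          "pretext_and_brand": bool(PRETEXT.search(text) and BRANDS.search(text)),
          "no_hyperlink": not hyperlink}   # quishing lures usually carry no text link
    score = 0
    if ev["qr_lure"] and ev["inline_image"]:   # a QR mention without an image is benign
        score = 1 + ev["pretext_and_brand"] + ev["no_hyperlink"]
    return {"score": score, "evidence": ev}

# Constructed sample: PayPal-themed lure, inline image referenced by cid, no text link
SAMPLE_QUISHING = """\
Subject: Action required: verify your account
Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html; charset=utf-8

<html><body><p>Your PayPal account has been limited. Scan the QR code below
to verify your account within 24 hours.</p><img src="cid:qr1"></body></html>
--B
Content-Type: image/png
Content-ID: <qr1>

(PNG bytes omitted in this constructed sample)
--B--
"""
```

A message that merely mentions a QR code in plain text, with no embedded image, scores zero, which is the guard against flagging ordinary mail.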
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.