QR Code Phishing: How Small Businesses Can Stop Quishing Attacks

QR Code Phishing: How Small Businesses Can Stop Quishing Attacks
QR codes have become part of everyday business. Employees scan them to join meetings, view menus, pay invoices, open shared documents, complete forms, and sign into services. That familiarity is exactly why attackers are using QR codes in phishing emails.
This tactic is often called QR code phishing or quishing. Instead of placing an obvious link in an email, an attacker embeds a QR code in the message or an attachment. When an employee scans it with a phone, the code opens a website controlled by the attacker. The site may imitate a Microsoft 365 login page, ask for multi-factor authentication, collect payment details, or deliver malware.
For a small or midsize business, the risk is easy to underestimate. A message can move an employee away from a managed work computer and onto a personal phone in seconds. The employee may no longer see the email security warnings, browser protections, or endpoint monitoring the business relies on.
Why QR Code Phishing Matters Now
Microsoft reported a sharp increase in QR code phishing during the first quarter of 2026. The company observed attack volume rising from 7.6 million messages in January to 18.7 million in March, a 146% increase over the quarter. By the end of March, QR code phishing had reached its highest monthly volume in at least a year.
Attackers are also changing how they deliver these messages. Microsoft reported that PDF attachments were the dominant QR-code delivery method throughout the quarter, growing from 65% of QR-code attacks in January to 70% in March. QR codes embedded directly in email bodies also surged 336% in March.
Those numbers matter because they show a sustained security problem, not a novelty. Attackers are testing different formats to find the path employees are most likely to trust and security tools are least likely to stop.
The search-relevant buyer concerns are clear: QR code phishing, quishing attacks, Microsoft 365 phishing protection, email security for small business, and how to stop QR code phishing. These searches connect directly to business outcomes: preventing account takeover, invoice fraud, data exposure, and avoidable incident-response costs.
How a Quishing Attack Usually Works
A QR code phishing attack does not need to be technically complicated. It needs to feel routine.
- The employee receives a believable message. It may claim to be a Microsoft 365 security notice, shared document, voicemail, e-signature request, invoice, payroll update, benefits notice, or payment reminder.
- The email or attachment contains a QR code. The message tells the employee to scan the code to review a file, confirm identity, reset a password, enable MFA, or resolve an urgent issue.
- The employee switches to a phone. This breaks the normal pattern of hovering over a link and checking the destination before clicking.
- The phone opens a convincing website. The page may copy Microsoft, DocuSign, a bank, a vendor portal, or another familiar brand.
- The employee enters credentials or payment details. Some attacks also ask for an MFA code or send the victim through additional verification steps to make the interaction seem legitimate.
- The attacker uses the stolen information. A compromised Microsoft 365 account can expose email, contacts, OneDrive files, SharePoint data, Teams conversations, invoice workflows, and vendor relationships.
The QR code is not dangerous by itself. The danger is that it hides the destination and shifts the employee into a context where the warning signs are harder to see.
Why Phones Change the Security Equation
Many employees are more cautious with unfamiliar links than they were a few years ago. QR codes sidestep that habit.
On a laptop, an employee can hover over a link, inspect the domain, notice an unusual sender, and benefit from managed browser or endpoint protections. On a phone, the website address may be less visible, the screen is smaller, and the device may be personal rather than company-managed.
Scanning a code also feels like a separate action from clicking a link. That can make an email seem safer than it is, even when the QR code simply contains a malicious URL.
Microsoft has explained that QR-code phishing emails often use minimal text, trusted brands, familiar email channels, redirection, and attachments. Minimal text gives traditional text-based scanning fewer signals to evaluate. A PDF or image can also look like an ordinary business document at first glance.
Warning Signs Employees Should Recognize
Employee guidance should be simple enough to use during a busy workday.
Treat these as warning signs:
- An email asks you to scan a QR code to sign into Microsoft 365.
- A message says you must scan a code to reset your password, enable MFA, unlock an account, or prevent an account from expiring.
- An unexpected invoice, voicemail, document, or e-signature request contains a QR code.
- The message creates urgency around payroll, banking details, overdue payments, benefits, tax records, or executive requests.
- A QR code opens a login page on your phone after you were already signed in on your computer.
- The web address is misspelled, shortened, unfamiliar, or difficult to verify.
- The page asks for a password, MFA code, banking information, or payment-card details after scanning.
- The sender is unfamiliar, newly external, or slightly different from the domain you expected.
A useful employee rule is straightforward: do not scan an unexpected QR code from an email or attachment to sign in, reset a password, or approve a payment. Open the known application or website directly instead. If the request might be legitimate, verify it through a separate trusted channel.
Practical Protections for Small Businesses
No single setting stops every quishing attempt. Small businesses need a layered approach that combines email security, identity protection, employee habits, mobile-device awareness, and business process controls.
1. Tune Microsoft 365 Email Security
Microsoft Defender for Office 365 includes defenses that can help identify and neutralize phishing messages. Microsoft has described improvements that extract URLs from QR codes, analyze QR-code images during mail flow, and enrich threat assessment with QR-code metadata.
The important word is configured. A Microsoft 365 license does not automatically mean every useful protection has been reviewed for the way your business works.
Review:
- Standard or Strict preset security policies where appropriate
- Safe Links protection
- Safe Attachments protection
- Anti-phishing policy settings
- User and domain impersonation protection
- Spoof intelligence
- Quarantine policies
- Zero-hour auto purge protections
- Whether risky allow-list entries are bypassing normal filtering
Microsoft's own guidance notes that default anti-phishing protection does not enable every impersonation-protection setting automatically. Businesses should review the tenant configuration instead of assuming the defaults are sufficient.
2. Train Employees to Treat QR Codes Like Links
Security awareness programs often teach employees to inspect suspicious links but say little about QR codes. Update the training.
Employees should know:
- A QR code can contain a website link.
- A QR code in an email is not automatically safer than a clickable link.
- Password resets and MFA changes should start from a known website or application, not from a scanned code in an unexpected message.
- A personal phone may not have the same protections as a company-managed device.
- Suspicious messages should be reported, not forwarded casually to coworkers.
Training works best when it includes realistic examples from the workflows employees actually see: invoices, shared files, voicemail notices, benefits messages, vendor requests, and Microsoft 365 alerts.
3. Use Phishing-Resistant MFA for Higher-Risk Accounts
MFA is important, but not all MFA methods provide the same protection.
If an attacker sends a victim to a fake sign-in page, some MFA methods can still be intercepted or socially engineered. CISA recommends that organizations plan a move toward phishing-resistant MFA such as FIDO/WebAuthn authentication.
Prioritize stronger authentication for:
- Owners and executives
- Finance and payroll users
- Microsoft 365 administrators
- Employees who approve payments
- HR staff
- Users with broad access to files or customer data
For Microsoft 365 environments, that may include passkeys, FIDO2 security keys, Windows Hello for Business, Conditional Access authentication strengths, and separate administrator accounts with stricter policies.
4. Protect Payment and Vendor-Change Workflows
Email security and MFA reduce risk. Business process controls limit damage if a message reaches the inbox or an account is compromised.
Never approve a new bank account, wire instruction, ACH change, payroll change, or urgent payment request based only on an email, attachment, or QR code. Confirm the request through a second channel using a phone number or contact method already on file.
Do not use the phone number, reply address, or contact details supplied in the suspicious message. Those may belong to the attacker.
This control is simple, but it matters. Attackers often target the moment where an employee is trying to complete an ordinary business task quickly.
5. Review Mobile and BYOD Risk
If employees use personal phones for work, decide what that should mean in practice.
Questions to ask:
- Are employees expected to open business email on personal devices?
- Are managed mobile apps available for sensitive work?
- Can the business require screen locks, supported operating systems, and device encryption?
- Is mobile device management appropriate for company-owned phones?
- Do employees know how to report a suspicious mobile login page?
- Are sensitive workflows allowed from unmanaged devices?
The goal is not to make every employee a mobile-security expert. The goal is to avoid depending on controls that disappear as soon as someone scans a code.
6. Build a Fast Account-Compromise Response
If an employee entered credentials or MFA information after scanning a suspicious QR code, treat it as a potential account compromise.
A practical Microsoft 365 response should include:
- Report the message to IT or the security provider immediately
- Reset credentials and revoke active sessions or tokens
- Review recently added or changed MFA methods
- Check for suspicious inbox rules and forwarding settings
- Review unusual sign-ins, mailbox activity, and application consent
- Search for related phishing messages sent to other employees
- Verify whether finance, HR, customer, or vendor information was exposed
- Notify the right business stakeholders before an attacker can use the mailbox for fraud
Speed matters. An attacker who gets into a mailbox may search for invoices, payment instructions, customer records, and active vendor conversations before sending believable follow-up messages.
A QR Code Phishing Checklist
Use this checklist to identify the highest-value next steps:
- Do employees know that QR codes can hide malicious links?
- Do employees know not to scan unexpected codes for Microsoft 365 sign-in or MFA changes?
- Are Microsoft Defender for Office 365 email security policies reviewed and tuned?
- Are Safe Links, Safe Attachments, impersonation protection, and quarantine policies configured appropriately?
- Are risky allow lists reviewed?
- Are finance, executive, HR, and administrative users protected with stronger authentication?
- Do payment and banking changes require verification through a known second channel?
- Is personal-phone and BYOD use documented?
- Can employees report a suspicious email or mobile login page quickly?
- Does the business have a written Microsoft 365 account-compromise response plan?
If several answers are "not sure," the business has a practical place to start.
How CybarWorks Can Help
CybarWorks helps small and midsize businesses reduce phishing risk without turning security into a daily distraction. We can review Microsoft 365 email security, Defender policies, MFA posture, Conditional Access, mobile-device risk, payment-verification workflows, employee training needs, and account-compromise readiness.
If your business is unsure whether QR code phishing can bypass the protections you rely on, contact CybarWorks. We can help identify the highest-risk gaps, prioritize practical improvements, and turn email security into a managed process instead of a guessing game.
Works Cited
- Microsoft Security Blog, Email threat landscape: Q1 2026 trends and insights
- Microsoft Security Blog, How Microsoft Defender for Office 365 innovated to address QR code phishing attacks
- Microsoft Learn, Recommendations for Microsoft 365 security settings
- Microsoft Learn, Tune anti-phishing protection
- CISA, More than a Password


