Scam Watch: QR Code Phishing Hits Australian Businesses
QR codes are everywhere now. Menus, payments, event tickets, parking meters. We’ve trained ourselves to scan first and think later.
Attackers have noticed.
“Quishing” - QR code phishing - is increasingly hitting Australian businesses. And your email security probably isn’t catching it.
How Quishing Works
Traditional phishing emails contain malicious links. Email security tools scan those links and block known bad ones. It’s an ongoing arms race, but it works reasonably well.
QR codes bypass that scanning.
The attacker sends an email that looks legitimate - a fake invoice, a package delivery notification, a Microsoft 365 login alert. Instead of a clickable link, there’s a QR code. “Scan to verify your account” or “Scan for tracking details.”
When you scan the QR code with your phone, it opens a malicious website. Your phone doesn’t have the same email security scanning. The site captures your credentials or installs malware.
The email itself might pass security checks because there’s no malicious URL to scan - just an image of a QR code.
Why It’s Effective
QR codes are trusted. After years of COVID check-ins and contactless menus, we’ve been conditioned to scan QR codes without thinking.
It bypasses security tools. Most email security scans text and links. A QR code is just an image. Some newer tools can decode and scan QR codes, but many don’t.
It moves the attack to mobile. Phones typically have weaker security controls than work computers. They’re also personal devices that might not be managed.
The context seems legitimate. Parking fines, delivery notifications, shared documents - these are things people actually receive and might scan without suspicion.
Real Examples We’re Seeing
Fake Microsoft authentication: Email claims your Microsoft 365 session has expired. QR code supposedly links to re-authentication. The code leads to a credential harvesting page that looks exactly like the Microsoft login.
Parking fine scams: Official-looking notice appears on your windscreen with a QR code to pay the fine. The code leads to a fake payment page that steals card details.
Invoice and delivery notifications: “Your package is waiting. Scan for delivery options.” The code leads to malware download or credential phishing.
Physical QR code tampering: Attackers place stickers with malicious QR codes over legitimate ones - on parking meters, at payment terminals, even on restaurant table signs.
Protecting Your Business
Technical controls:
- Upgrade email security. Some modern email security tools can now decode and scan QR codes in attachments and embedded images. Check if yours does.
- Mobile device management. MDM can restrict what apps can open links, require VPN for web browsing, or block access to known malicious sites.
- DNS filtering. If the malicious URL is in a blocklist, it gets stopped even if the user scans the code. Cloudflare Gateway, Cisco Umbrella, and similar tools help here.
Process controls:
- Verify before scanning. Establish a policy: if a QR code arrives via email asking for authentication or payment, verify through another channel before scanning.
- Use URL preview. Most phone cameras show the URL before opening it. Teach staff to check the domain before proceeding.
- Report suspicious QR codes. Just like suspicious emails, QR codes should be reported to IT or security.
Training:
- Include quishing in awareness training. It’s a specific threat that people need to know about.
- Run QR code phishing simulations. Yes, these exist now. Test whether your team falls for quishing.
- Explain the “why.” People are more likely to be cautious if they understand how QR codes bypass normal protections.
What to Tell Your Team
Keep it simple:
- QR codes in emails are suspicious. Legitimate organisations rarely ask you to scan QR codes for authentication.
- Preview the URL before visiting. If it doesn’t match the expected domain, don’t proceed.
- When in doubt, navigate directly. Instead of scanning, go to the website directly through your browser.
- Physical QR codes can be tampered with. Look for signs of stickers placed over original codes.
- Report unusual QR codes. If something feels off, tell IT.
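The “check the domain before proceeding” advice above (and the URL preview point under Process controls) can be turned into a repeatable check. The following is an added example, not code from the original article: it vets a URL already decoded from a QR code against a constructed allowlist of expected domains and flags the usual lookalike tricks. The allowlist, brand words and the simplified Australian suffix handling are assumptions for illustration.

```python
"""Vet a URL decoded from a QR code before anyone opens it (added example)."""
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: registrable domains this hypothetical organisation
# expects to be asked to sign in to or pay through.
EXPECTED_DOMAINS = {"microsoftonline.com", "microsoft.com", "example.com.au"}
# Brand words that, in a hostname outside the allowlist, suggest a lookalike.
BRAND_WORDS = ("microsoft", "office")
# Simplified public-suffix handling; real tools use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au"}

def registrable_domain(host: str) -> str:
    """portal.example.com.au -> example.com.au; a.b.evil.example -> evil.example"""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def vet_qr_url(payload: str) -> tuple[str, list[str]]:
    """Return ('allow' | 'verify' | 'block', reasons) for a decoded QR payload."""
    reasons = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "block", ["payload is not a web URL"]  # e.g. WIFI:, tel:, raw text
    if parts.scheme != "https":
        reasons.append("plain HTTP login or payment page")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode hostname (possible homoglyph)")
    if parts.username is not None:
        reasons.append("credentials in URL (user@host trick)")
    reg = registrable_domain(host)
    if reg in EXPECTED_DOMAINS:
        # Known domain, but only clean URLs are auto-approved; oddities get a human look.
        return ("allow" if not reasons else "verify"), reasons
    if any(word in host for word in BRAND_WORDS):
        reasons.append(f"brand name in hostname but registered under {reg}")
    if not reasons:
        reasons.append(f"{reg} is not an expected domain")
    return "block", reasons
```

A "verify" result is the cue for the out-of-band check the article recommends; "block" results are also the URLs worth feeding into the DNS filtering blocklist.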
If Someone Falls for It
If a staff member scans a malicious QR code and enters credentials:
- Reset the password immediately. Don’t wait.
- Check for MFA. If they entered MFA codes too, assume the account is fully compromised.
- Review account activity. Check for email rules, forwarding, unusual access.
- Force sign-out of all sessions. Invalidate any tokens the attacker might have obtained.
- Scan the device. The mobile phone should be checked for any installed malware.
- Learn from it. What made this attack convincing? Use it for training.
The Bigger Picture
Quishing is part of a broader trend: attackers adapting to bypass defences. As email security improves, attackers find new vectors. QR codes work today; tomorrow it’ll be something else.
The lesson isn’t specific to QR codes. It’s about:
- Layered defence. No single control stops everything. Multiple layers catch what individual controls miss.
- Continuous training. Threats evolve. Training must evolve with them.
- Healthy scepticism. Anything asking for credentials or payments should trigger caution, regardless of how it arrives.
QR codes are convenient. That convenience comes with risk. Your job is to help your team recognise that risk without making them paranoid about every menu at every cafe.
Balance, as always, is the challenge.
Stay alert. The attackers certainly are.