This article walks through a convincing fake HR email that uses a QR code to steal credentials, shows the signs that give it away, and gives practical steps to protect yourself and your company from this growing QR-based phishing tactic.
You get an email that looks official and pats you on the back about a performance review, but it pushes you to scan a QR code to open your appraisal. That move forces you off your desktop and onto your phone, where it is harder to inspect the destination. Scammers do this on purpose to make verification more difficult.
The sender name looks familiar, but the actual email address is from a domain that has nothing to do with the employer. That mismatch is a huge red flag because real HR notices come from corporate domains. When the display name says one thing and the email address another, treat it as suspicious immediately.
The message carries a tight deadline and a high-importance flag to crank up the pressure. Deadlines are a classic manipulation that rushes people into skipping basic checks. Legitimate HR communications will still use deadlines, but they do not force you to scan a code from a random email to meet them.
The email instructs you to scan a QR code to access your file, a tactic that has a name in security circles: “quishing.” That single word captures a trend where attackers hide malicious links inside QR images so recipients tap without thinking. Once scanned, the code can take you to a fake login page that looks nearly identical to the real portal.
Another giveaway is the lack of personalization. The note starts with “Dear Techtips.” It reads like a placeholder or mass mailing rather than an employee-specific message. Real internal notices usually address you by name and include details only the company would know, such as your job title or last review date.
The message mentions a vague “secure HR access system” but never names a known platform like Workday or ADP, and it borrows corporate logos to look legit. Logos are easy to copy and do not prove authenticity. If the platform or sender is unnamed or unfamiliar, that vagueness is intentional and should raise doubts.
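As an added example (not part of the article), the giveaways above can be turned into a simple triage check with Python's standard email library: sender domain versus display name, the importance flag, a placeholder greeting, deadline wording, and an image attachment paired with an instruction to scan it. The employer domain, keyword lists and the sample message are constructed assumptions a mail team would tune for its own organization.

```python
# Heuristic triage for the QR-code HR lure described above (added example).
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"  # assumed employer domain; tune per org
URGENCY = ("within 24 hours", "deadline", "immediately", "expires")
SCAN_WORDS = ("scan the qr", "scan this code", "qr code")
GENERIC_GREETINGS = ("dear techtips", "dear employee", "dear user", "dear colleague")

def score_message(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text_part = msg.get_body(preferencelist=("plain", "html"))
    body = text_part.get_content().lower() if text_part else ""
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    hits = []
    # Display name claims to be HR while the address domain is not the employer's
    if domain != CORP_DOMAIN and "hr" in display.lower():
        hits.append("sender_domain_mismatch")
    if msg.get("X-Priority", "")[:1] in ("1", "2") or msg.get("Importance", "").lower() == "high":
        hits.append("high_importance_flag")
    if any(body.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        hits.append("generic_greeting")
    if any(w in body for w in URGENCY):
        hits.append("deadline_pressure")
    # The quishing pattern: an image part plus an instruction to scan it
    if has_image and any(w in body for w in SCAN_WORDS):
        hits.append("qr_code_lure")
    return {"from": addr, "indicators": hits, "suspicious": len(hits) >= 3}

# Constructed sample modelled on the article's lure; the image part is a
# placeholder string, not a real QR code.
SAMPLE = b"""From: "Example-Corp HR Team" <notices@hr-appraisal-update.net>
X-Priority: 1 (Highest)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Techtips,
Your appraisal is in the secure HR access system. Scan the QR code attached to open it. Access expires within 24 hours.
--b1
Content-Type: image/png; name="appraisal_qr.png"

PNG_BYTES_PLACEHOLDER
--b1--
"""
```

Running `score_message(SAMPLE)` reports all five indicators and marks the message suspicious, while a plain-text note from `hr@example-corp.com` that greets the employee by name triggers none of them.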
Scammers count on familiarity to lower your guard because QR codes show up everywhere in daily life. That normalcy tricks people into assuming safety. The problem is you cannot preview the destination of a QR code the way you hover over a link on a computer, so scanning removes a layer of inspection.
If the QR leads to a phishing page, attackers can harvest credentials and use them to access your company systems or email account. Once inside, they can pivot and send believable messages to your coworkers or contacts. The result is not just a single compromise but a pathway to larger breaches and payroll or data theft.
Slow down when an email urges immediate action, especially when it wants you to scan or click. Instead of using the path the message gives you, go to the HR portal you already know by typing the address yourself or using a saved bookmark. Verify the full sender address and, if in doubt, contact HR through a known phone number or internal directory rather than replying to the suspicious message.
Use technology and habits that reduce risk. Strong endpoint protection can flag malicious pages, automatic updates patch known vulnerabilities, and two-factor authentication stops many account takeovers even if credentials get stolen. Consider data removal services to reduce personal information available to scammers and limit what attackers can use to make spoofed messages feel real.
Train your team to treat QR codes in unsolicited emails as risky, and set a policy that sensitive HR links are delivered only through authenticated internal portals. If something about an email feels off, ask for confirmation using a contact method you already trust. Simple checks and a pause can prevent a cascade of damage.
