Zog Blog | Information Technology, Cybersecurity, Non-Profit IT, & More

The New Email Phishing Scam Business Owners Need to Watch For Right Now

Written by Preston Miller | May 26, 2026 10:00:00 AM

Email phishing is not new. Business owners have been warned for years not to click suspicious links, open strange attachments, or respond to urgent requests from unknown senders.

The problem is that today’s phishing scams are no longer obvious.

One of the fastest-growing threats right now is QR-code phishing, sometimes called “quishing.” Instead of sending a traditional link in the body of an email, scammers send what looks like a legitimate message with a QR code inside the email or attached PDF. The message may claim to be from Microsoft 365, DocuSign, a voicemail system, a vendor, a shipping provider, or even an internal department.

The goal is simple: get an employee to scan the QR code with their phone, land on a fake login page, and enter their Microsoft 365 credentials.

That one mistake can give an attacker access to company email, files, contacts, invoices, calendars, and sensitive business conversations.

Why This Scam Is Getting Through

Traditional phishing emails usually contain suspicious links that security tools can scan. QR-code phishing changes the playbook.

The malicious link is hidden inside an image. In many cases, it is placed inside a PDF attachment that looks like an invoice, shared document, payment notice, benefits update, or account verification request. Microsoft reported that QR-code phishing attack volume rose from 7.6 million in January 2026 to 18.7 million in March 2026, with PDFs accounting for most QR-code phishing delivery during that period.

That matters because many employees have been trained to look for bad links, but not necessarily bad QR codes.

It also moves the attack from the company computer to the employee’s mobile phone. Once the employee scans the code, the fake login page may open outside normal company protections. If the employee enters their Microsoft 365 username and password, the attacker may be able to access the account quickly.

What These Emails Look Like

These scams often look routine, which is exactly why they work.

A business owner or employee may receive an email that says:

“Your Microsoft 365 password is expiring.”

“You have a secure voicemail.”

“Please review the attached invoice.”

“Your DocuSign document is ready.”

“Scan to verify your account.”

“Your payment details need to be confirmed.”

The email may include a company logo, a clean design, and a sense of urgency. Some even use fake CAPTCHA pages to make the process feel more legitimate before sending the user to a credential-stealing login page. Microsoft has also reported a sharp rise in CAPTCHA-gated phishing, which attackers use to slow automated detection and make the scam appear more trustworthy.

The scam does not need to fool everyone. It only needs one employee to move too quickly.

Why Business Owners Should Care

For small and mid-sized businesses, email is often the front door to the entire company.

If an attacker gains access to one Microsoft 365 account, they may be able to:

Access sensitive emails and attachments
Review vendor invoices and payment history
Send phishing emails from a real employee account
Create hidden inbox rules to monitor messages
Impersonate executives or accounting staff
Request wire transfers or ACH changes
Access shared OneDrive or SharePoint files
Use the account to attack customers or vendors

This is where phishing turns into business email compromise. The FBI describes business email compromise as one of the most financially damaging online crimes because criminals impersonate trusted sources to make legitimate-looking financial requests. Examples include fake vendor payment changes, gift card requests, and wire transfer instructions.

For a business owner, this is not just an IT issue. It is a financial risk, a compliance risk, and a reputation risk.

The Red Flags Employees Should Watch For

Employees should slow down when an email asks them to scan a QR code to access a document, verify an account, reset a password, approve a payment, or retrieve a voicemail.

Warning signs include:

The message creates urgency or threatens account suspension
The QR code appears inside a PDF attachment
The sender address looks slightly different from what is expected
The email asks for a Microsoft 365 login after scanning
The request involves payment, invoices, banking, payroll, or executive approval
The message asks the user to bypass normal procedures
The email comes from a vendor but feels different from past communication

A simple rule works well: employees should not scan QR codes from unexpected business emails.

If a document, invoice, or account notice is legitimate, employees should access it by going directly to the known website or application instead of using the QR code.

What Businesses Should Do Now

Business owners should not rely on employee judgment alone. Training helps, but people are busy. Mistakes happen. Security needs layers.

At minimum, companies should review:

Microsoft 365 security settings
Make sure multi-factor authentication is enforced, legacy authentication is disabled, and risky sign-in alerts are monitored.

Email filtering and attachment scanning
Security tools should be configured to inspect attachments, flag suspicious QR-code campaigns, and block known malicious senders.

User training
Employees should know that QR codes in emails can be just as dangerous as links.

Payment verification procedures
Any request to change banking details, process a wire, update ACH information, or buy gift cards should require verification outside of email.

Mailbox monitoring
Hidden inbox rules, suspicious forwarding, unusual login locations, and new MFA methods should be reviewed regularly.

Incident response planning
If an account is compromised, the business needs a clear plan for locking the account, resetting credentials, reviewing mailbox rules, checking financial exposure, and notifying affected parties.
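As an added example (not code from this post or from Zog), the script below reviews Microsoft 365 audit records for the mailbox changes the checklist above calls out: inbox rules that forward, delete or hide mail, and mailbox-level forwarding. It assumes the AuditData JSON records that Search-UnifiedAuditLog exports, one per line; the business domain and the sample records are constructed placeholders.

```python
"""Flag Microsoft 365 audit records for mailbox changes that often follow a phished
account: inbox rules that forward, delete or hide mail, and mailbox-level forwarding."""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumed: the domains the business owns
# Folders attackers commonly pick so the mailbox owner never sees the moved mail.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email", "deleted items"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def is_external_address(value):
    """True when an address ("smtp:x@y", "[SMTP:x@y]" or "x@y") lies outside the business."""
    addr = value.lower().strip("[]").split(":")[-1]
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def find_suspicious_mailbox_changes(lines):
    """Each line is one AuditData JSON object as exported from Search-UnifiedAuditLog.
    Returns (user, operation, reasons) for every record that deserves a closer look."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        op = rec.get("Operation", "")
        if op not in WATCHED_OPS:
            continue
        params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        reasons = []
        for name in sorted(FORWARD_PARAMS.intersection(params)):
            if is_external_address(params[name]):
                reasons.append(f"{name} sends mail outside the business: {params[name]}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule deletes matching messages")
        folder = params.get("MoveToFolder", "").rsplit("\\", 1)[-1].strip().lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"rule hides matching messages in {folder!r}")
        if reasons:
            findings.append((rec.get("UserId", "?"), op, reasons))
    return findings

# Constructed sample records (not real log data): a hiding rule, an external forward, a benign rule.
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "jane@example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
        {"Name": "MoveToFolder", "Value": "jane@example.com:\\RSS Subscriptions"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "jane@example.com", "Parameters": [
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.net"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "MoveToFolder", "Value": "bob@example.com:\\Newsletters"}]}),
]
```

Run it against a real export by feeding the AuditData column of Search-UnifiedAuditLog output, one JSON object per line, to find_suspicious_mailbox_changes.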

The Bottom Line

The newest phishing scams are designed to look normal. They are built around the tools business owners and employees use every day: Microsoft 365, Outlook, PDFs, invoices, voicemail alerts, and shared documents.

That is what makes them dangerous.

A QR code in an email may look harmless, but it can be the first step toward a compromised inbox, stolen credentials, fraudulent payments, and exposed business data.

Zog helps businesses strengthen their email security, Microsoft 365 environment, employee training, and cybersecurity response before one bad click turns into a much bigger problem.