Fake Payment Emails Use QR Codes to Steal Your Information.
Scammers Are Hiding Phishing Links Inside QR Codes
tl;dr
Scammers are sending fake “payment advice” emails that include QR codes leading to phishing websites. Scanning these codes can expose your credit card details, personal information, or even infect your device with malware. Always access accounts through official apps or by typing the website address manually.
An Alternative Email Phishing Trick
Online criminals continually adapt their methods to bypass spam filters and lure unsuspecting victims. One of their tricks involves embedding QR codes into scam emails. These codes can direct victims to phishing websites designed to steal personal and financial information.
A Typical Example
In one common version of this scam, victims receive an email with a subject line such as “Urgent Payment Advice” or “ACH Deposit Notice.”
The message claims that someone has made an ACH (Automated Clearing House) direct deposit into your bank account. ACH transfers are a legitimate and widely used method for electronic payments, such as:
Payroll deposits
Government benefits
Tax refunds
Vendor or customer payments
The email includes a PDF attachment that supposedly contains details of the deposit.
The QR Code Trap
When you open the attached PDF, you’re greeted with a message urging you to scan a QR code to “view your payment receipt.”
But the QR code doesn’t lead to your bank or any genuine payment portal. Instead, it opens a phishing website that:
Mimics a legitimate financial or payment platform
Asks you to “verify” your identity by entering personal details
Requests credit card information or banking credentials
Once entered, this data goes straight to scammers, who can use it to:
Make unauthorised purchases or transfers
Open accounts in your name
Commit identity theft and financial fraud
Variations on the Theme
Some QR code scams go a step further. Instead of asking for your details, the malicious website may:
Prompt you to download malware that can steal data from your device
Trick you into subscribing to bogus security tools or “premium services” that charge hidden fees
These variants are particularly dangerous because they can infect your system or quietly drain your money without you realising it.
Staying Safe from QR Code Phishing
While QR codes can be convenient, they can also conceal dangerous links. To stay safe:
Never scan QR codes in unsolicited emails, text messages, or online ads.
Check the link before opening. Many mobile devices show a preview of the destination URL.
Avoid entering personal or financial details after scanning a code unless you’re absolutely sure the site is legitimate.
Access important sites manually by typing the address into your browser or using an official app.
Use security software that can detect phishing and malicious sites.
The Bottom Line
QR codes are easy for scammers to weaponise because they hide malicious links behind a simple image. Treat them with the same caution you would any unfamiliar link.
If a message claims to offer urgent payment information, always verify it directly through your bank or financial provider’s official channels rather than through a QR code or link in an email.
Screenshots of a QR Code Scam, Email and Phishing Site
