
The QR Code Scam: Chloé's Story and the Email That Looked So Normal

Phishing isn't just hiding in links anymore. Discover Chloé's story and how a simple QR code almost cost her her data.

By Leadership Team, 1/25/2026

Monday morning, 9:30 AM. Chloé is at her computer, in the midst of the usual hustle. The phone is ringing, notifications are piling up, and the to-do list seems to grow with each passing minute. While sorting through her emails, she spots one that stands out. The sender appears to be her company's "IT Support," and the subject line is unequivocal: "Action Required: Please confirm your session to avoid account suspension."

The email is flawless. The logo, the colors, the font... it's all familiar. The message explains that due to a new security policy, all employees must re-authenticate. To do this, there's no clickable link—we've been told so many times to be wary of them—but a QR code. "Oh, that's new," Chloé thinks. "It's modern, must be the new official procedure. An image is probably safer than a link."

Pressed for time, she grabs her phone and scans the code. Her browser opens to a login page that is a perfect replica of her company portal. The little padlock is there, the address looks correct at first glance. Without further ado, she types in her username, her password, and hits enter. The page refreshes, redirecting her to the usual intranet. Job done.

Or so she thinks. Chloé has just unwittingly handed the keys to her digital kingdom to hackers. She has been a victim of Quishing: phishing delivered through a QR code.

The Sleight of Hand Behind the QR Code

Chloé's story could be anyone's. It perfectly illustrates why this new scam is so formidable.

1. The Modern Trojan Horse

Our email's bodyguard is trained to sniff out suspicious links in the text of an email. But here, there's no link, just an image. To the security software, it's just a black and white square, as harmless as a cat picture. The trap was thus able to slip through the net and land in a supposedly well-protected inbox.

2. The Accomplice in Your Pocket

The attack began on Chloé's computer, which is protected by corporate security shields. But the final blow was dealt by her personal phone. By scanning the code, she used her own device, which operates on a different network, outside the company's security fortress. It's a brilliant sleight of hand between two worlds, one secure, the other not.

3. Trust, the Enemy of Caution

At restaurants, paying for parking, boarding a train... we have been conditioned to see QR codes as convenient and harmless shortcuts. Hackers know this. They exploit this almost blind trust, adding a healthy dose of stress ("Your account will be suspended!") to make us act fast, too fast.

How Not to Be the Next Chloé

The good news: thwarting this trap is simpler than it seems. You just need to activate a superpower we all have: curiosity.

  • The "Why me, why this way?" Game. Take a second to step back. Why would your IT department or your bank use a QR code for such a sensitive action? It's extremely rare. When in doubt, ignore the email, open a new tab, and log in to the service as you normally would.

  • Play Detective. Before your phone opens the page, it often displays a small preview of the URL. Take the time to read it. microsft-support.com is not microsoft.com. secure-login.net is not your company's website. A single letter can reveal the whole scam.

  • The Secret Weapon: The Email Alias. What if Chloé had used aliases? An alias is like a name badge for each service. For Microsoft, she would use chloe.microsoft@myalias.com. If she receives the malicious email at her chloe.shopping@myalias.com address, the deception is obvious. Why would Microsoft email her at her shopping address? It's an instant consistency check that hackers can't beat.
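
The "Play Detective" check can also be automated once the URL has been decoded from the QR code. The sketch below is an added example, not code from the original post; it goes beyond the two domains named above by comparing any hostname against a list of trusted domains. The `TRUSTED` list, the function names and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains your organisation really uses for sign-in (constructed list).
TRUSTED = ("microsoft.com", "example.com")

def edit_distance(a, b):
    """Levenshtein distance: how many single-letter edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete a letter
                           cur[j - 1] + 1,             # insert a letter
                           prev[j - 1] + (ca != cb)))  # substitute a letter
        prev = cur
    return prev[-1]

def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a URL read from a QR code."""
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix, so "https://microsoft.com@evil.net" yields evil.net.
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "unknown"
    # Trusted only on an exact match or a real subdomain of a trusted domain.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    # Otherwise look for a trusted brand name, or a near-miss of it, anywhere in the host.
    tokens = [t for t in host.replace("-", ".").split(".") if t]
    for dom in trusted:
        brand = dom.split(".")[0]
        if any(edit_distance(tok, brand) <= 2 for tok in tokens):
            return "lookalike:" + dom
    return "unknown"

if __name__ == "__main__":
    # Constructed sample inputs, including the two lookalikes named in the text.
    for u in ("https://login.microsoft.com/", "https://microsft-support.com/login",
              "https://secure-login.net/", "https://microsoft.com@evil.net/"):
        print(f"{u:40} -> {classify(u)}")
```

A result of "unknown" does not mean safe: it only means the hostname neither matches nor imitates a listed domain, so it still deserves a manual look.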

What to do if you've scanned the code?

If you're reading this and Chloé's story sounds familiar, don't panic.

  1. Immediately change your password on the official website of the service in question.
  2. Enable multi-factor authentication (MFA) if you haven't already.
  3. Report the email as "Phishing" or "Spam" in your email client.

The Takeaway

Chloé's misadventure teaches us one thing: the best scams are the ones that blend into our daily lives. Quishing is clever, but its success relies entirely on our haste. In our race for efficiency, security is the first thing we sacrifice.

The next time you see a QR code in an email, think of Chloé. Take a deep breath, and give yourself those three seconds of doubt that make all the difference. It's your best defense.