QR Code Invoice Fraud: How "Quishing" Scams Target Accounts Payable (2026)
Fraud awareness training teaches AP staff to hover over links before clicking and to scan invoice text for lookalike domains. Neither of those habits catches a QR code. A "quishing" invoice replaces the bank detail or the payment link with a scannable square — and the destination stays hidden until someone points a phone at it, usually a personal phone, off the network your email security actually protects. This guide explains how QR code invoice fraud works, why it slips past the filters that catch ordinary phishing, and what still stops it.
| Traditional invoice fraud | QR code invoice fraud |
|---|---|
| Fraudulent bank details typed in plain text | Bank details hidden inside a scannable image — no text to compare against your vendor file |
| Fraudulent link visible and hoverable in the email | Destination stays hidden until the code is scanned |
| Email filters can check the link against known bad domains | Filters see only an image — there's no URL in the message to check |
| Click happens on the same work computer email arrived on | Scan usually happens on a personal phone, often off the company network entirely |
| Defense: hover before you click | Defense: verify any banking change through a number you already have, never the code |
What Is QR Code Invoice Fraud?
QR code invoice fraud — often called "quishing," short for QR code phishing — is the practice of embedding a malicious QR code in an invoice, payment notice, or banking-update request instead of a plain-text bank detail or clickable link. The code opens a fraudulent payment portal or a fake login page when scanned, either redirecting a payment or harvesting the credentials needed to redirect one later.
The FBI's Internet Crime Complaint Center first warned about tampered QR codes redirecting victims to malicious sites and diverting payments back in January 2022, and the tactic has only grown more targeted since. By 2026, it had become common enough that the IRS added QR codes to its annual "Dirty Dozen" list of tax scams, warning that fraudulent messages increasingly use QR codes to direct people to fake verification pages instead of a plain link.
A PDF invoice replaces the bank detail entirely with a QR code, leaving no account or routing number in the text for your AP process to check against your vendor file.
"Your invoice is ready in the vendor portal — scan to view" leads to a fake login page built to harvest accounts-payable credentials for a later attack.
"We've changed banks — scan to see our new account" is designed to bypass the phone verification a solid AP process normally requires for banking changes.
A printed invoice or notice arrives by mail with a QR code for "faster payment," exploiting the trust a physical document carries that a suspicious email wouldn't.
If your business displays a QR code for customer or vendor self-service payment — at a counter or on a table tent — a physical sticker swap can silently redirect it.
The scanned URL leads to a lookalike domain that's impossible to preview before scanning — unlike a text link, where a careful eye might catch the misspelling.
Why QR Codes Bypass Email Security
Most email security tools work by scanning the visible text of a message — checking any link against lists of known malicious domains, or flagging suspicious attachments. A QR code defeats both approaches at once: the destination is encoded inside an image, not present anywhere as text, and the scan usually happens on a device the email security tool never sees.
| Standard email defense | Why it doesn't apply to QR codes | What still works |
|---|---|---|
| Link scanning against known bad domains | There's no text URL in the message — the address only exists inside the image | Treat any QR code as an unverified link and check the destination independently |
| Hovering to preview a link | A QR code can't be hovered — the destination is invisible until it's scanned | Never scan a code to complete a payment; verify the request by phone first |
| Company device security tools | Scans typically happen on a personal phone, entirely outside corporate protection | Company policy: no payment actions initiated from a personal-device QR scan |
| Attachment scanning | Many tools scan attachments for known malware, not for images containing a QR code | Compare routing numbers against your vendor file regardless of how the invoice arrived |
What makes quishing effective isn't sophistication — it's that it exploits a genuine gap between where email security operates and where the scan actually happens. An invoice with a QR code can pass every automated check a company has and still be fraudulent, because none of those checks were ever built to interpret an image. The fix isn't a better filter. It's treating "scan to pay" the same way you'd treat "click here to pay" — with the same suspicion, verified the same way.
6 QR Code Invoice Fraud Patterns
These are the specific ways QR codes are being used against accounts payable processes. Each defeats a different part of a standard invoice review.
An otherwise normal-looking invoice arrives with no routing or account number printed anywhere — just a QR code labeled "scan to pay." Without a visible bank detail, there's nothing in the text for AP staff or automated tools to compare against the vendor file.
An email claiming to be from a known vendor states they've switched banks and includes a QR code to "view the new account details." This is designed specifically to route around the callback verification a well-run AP process would normally require for a banking change.
An email designed to look like a vendor payment portal or e-signature request includes a QR code: "Scan to view your invoice." The code opens a convincing fake login page that harvests the AP employee's credentials — not to steal money immediately, but to gain access for a larger attack later.
A printed invoice or past-due notice arrives by mail — a channel that already carries more built-in trust than email — with a QR code for "faster payment." The physical format itself is part of the social engineering; people are less trained to be suspicious of paper.
Rather than putting the QR code directly in the email body, the code sits inside a PDF attachment styled to look like an invoice, HR memo, or signature request. Security researchers have tracked this specific shift — QR codes moving from email bodies into PDF attachments — as a deliberate evasion tactic, since most email filters weren't built to inspect images inside attachments.
Less common for B2B invoicing, but relevant to any business that displays its own QR code for customer or vendor self-service payment — at a register, on a table tent, or on a printed flyer. A physical sticker placed over the real code silently redirects the payment while looking identical.
What Still Works: Defenses Against QR Code Invoice Fraud
The same logic that defeats other forms of social engineering applies here: defenses that don't depend on recognizing fraudulent content, but on a process the attacker can't route around.
- Treat any QR code on an invoice as an unverified link — apply the exact same caution you'd apply to a suspicious hyperlink, regardless of how official the document looks.
- Never authorize a banking change based on a QR code — call the vendor at a number already in your records, never one provided by the request itself.
- Compare routing and account numbers against your vendor file — regardless of how the invoice arrived, mail, email, or PDF attachment.
- Restrict who can change vendor banking details — and require independent, dual sign-off before any change takes effect.
- Treat "scan to pay" or "scan to update" language as a red flag — not a convenience feature. Legitimate vendors can provide bank details in writing.
- Don't authorize payment actions from a personal-device QR scan — company policy should route any such request back through a verified channel first.
- Run a structured fraud check before paying — PaySentinel evaluates the vendor and routing details independent of how the invoice arrived or what it claims.
A phone number you already have, not one the invoice gives you.
A fraudulent QR code can point anywhere. It cannot change what number is already sitting in your vendor file. Calling that number — never one supplied by the invoice, the email, or the code itself — remains the simplest defense that quishing has no way around.
What a fraud check catches that a glance won't
| Signal | How PaySentinel checks it | Type |
|---|---|---|
| Routing/account mismatchA changed bank detail hidden behind a QR code | Compared against your vendor's known banking history and public routing number records | Mechanical |
| Linked destinationThe URL a QR code or payment link actually points to | Checked against known vendor domains and typosquat patterns | Mechanical |
| Urgency & "scan to update" languageWording built to rush a decision | Flagged against invoice-fraud language patterns drawn from real fraud investigations | AI-assisted |
| Vendor memoryWhether this banking detail matches what you've seen before | Compared against previously submitted details for this vendor across your history | Mechanical |
What the Data Shows
QR code phishing doesn't yet have the kind of single, named corporate case studies that business email compromise has produced — the FBI and security researchers report it primarily as aggregate trend data. That data shows a tactic scaling quickly.
Frequently Asked Questions
QR code invoice fraud, also called quishing, is when scammers embed a QR code in an invoice, payment notice, or banking-update email instead of a plain-text bank detail or clickable link. Scanning the code leads to a fraudulent payment portal or a fake login page designed to steal credentials or redirect a payment to an attacker-controlled account.
Most email security tools scan the visible text of a message for known malicious links or domains. A QR code is an image — the destination URL is encoded inside the graphic, not present as text — so link-scanning filters have nothing to check. The scan itself typically happens on a personal mobile phone, which is often outside the company's network and security tools entirely.
Barracuda's threat intelligence team specifically documented attackers shifting QR codes into PDF attachments for this reason, detecting over half a million such emails in a three-month period. Barracuda Threat Spotlight →
No. QR codes have legitimate business uses. But a QR code that replaces a bank detail, or that asks you to "scan to pay" or "scan to update your account," should be treated with the same caution as an unfamiliar link — verify the destination and the request through an independent channel before acting, regardless of how official the invoice looks.
Do not enter any login credentials or payment information on the page it opened. If you did enter information, change the affected passwords immediately and contact your bank if any financial or banking credentials were involved.
Report the incident to your IT or security team, and if a payment was made, contact your bank right away to request a reversal and file a report with the FBI's Internet Crime Complaint Center. FBI IC3 QR code advisory →
Require that any banking detail change or payment request delivered via QR code be verified by calling the vendor at a number already on file — never a number or link supplied by the invoice itself. Compare routing and account numbers against your vendor records regardless of how the invoice arrived, and treat "scan to pay" or "scan to update" language as a prompt for extra scrutiny, not convenience.
A QR code hides the destination until it's scanned — but it doesn't hide the routing number, the vendor history, or the domain once PaySentinel extracts and checks them. It's a structured second opinion on the signals a QR code is specifically designed to keep you from seeing before you pay.
Check a suspicious invoice before you pay it
Paste in the vendor, routing number, or a suspicious link — PaySentinel checks for the signals quishing is built to hide and returns a risk score in under a minute. Free to start.
Run a free analysis →