Guide · Invoice & Payment Fraud

QR Code Invoice Fraud: How "Quishing" Scams Target Accounts Payable (2026)

July 2026 AP Clerks Bookkeepers Small Business 8 min read

Fraud awareness training teaches AP staff to hover over links before clicking and to scan invoice text for lookalike domains. Neither of those habits catches a QR code. A "quishing" invoice replaces the bank detail or the payment link with a scannable square — and the destination stays hidden until someone points a phone at it, usually a personal phone, off the network your email security actually protects. This guide explains how QR code invoice fraud works, why it slips past the filters that catch ordinary phishing, and what still stops it.

Traditional invoice fraud QR code invoice fraud
Fraudulent bank details typed in plain text Bank details hidden inside a scannable image — no text to compare against your vendor file
Fraudulent link visible and hoverable in the email Destination stays hidden until the code is scanned
Email filters can check the link against known bad domains Filters see only an image — there's no URL in the message to check
Click happens on the same work computer email arrived on Scan usually happens on a personal phone, often off the company network entirely
Defense: hover before you click Defense: verify any banking change through a number you already have, never the code
18.7M
QR phishing attacks recorded in March 2026 alone — a 146% jump from January Source: threat intelligence data, 2026
500K+
phishing emails with QR codes hidden in PDFs, detected by Barracuda in a single 3-month window — most disguised as invoices or memos Source: Barracuda Threat Spotlight
2%
of all scanned QR codes are malicious — invisible until scanned, unlike a link you can hover over first Source: Keepnet Labs, 2026

What Is QR Code Invoice Fraud?

QR code invoice fraud — often called "quishing," short for QR code phishing — is the practice of embedding a malicious QR code in an invoice, payment notice, or banking-update request instead of a plain-text bank detail or clickable link. The code opens a fraudulent payment portal or a fake login page when scanned, either redirecting a payment or harvesting the credentials needed to redirect one later.

The FBI's Internet Crime Complaint Center first warned about tampered QR codes redirecting victims to malicious sites and diverting payments back in January 2022, and the tactic has only grown more targeted since. By 2026, it had become common enough that the IRS added QR codes to its annual "Dirty Dozen" list of tax scams, warning that fraudulent messages increasingly use QR codes to direct people to fake verification pages instead of a plain link.

How a QR code invoice scam unfolds
🧾
A legitimate-looking invoice or payment notice arrives
By email as a PDF, or occasionally by physical mail
🔲
A QR code replaces the bank detail or link
"Scan to pay" or "scan to update your banking details"
📱
The recipient scans it on a personal phone
Often off the company network, outside email security tools entirely
🌐
The code opens a fraudulent portal or login page
Built to capture payment credentials or redirect the wire
⚠️
Text-based email security never had anything to catch
No link, no attachment content, nothing to scan in the message itself
🧾
Fake "scan to pay" invoice

A PDF invoice replaces the bank detail entirely with a QR code, leaving no account or routing number in the text for your AP process to check against your vendor file.

📥
QR code in a spoofed AP portal email

"Your invoice is ready in the vendor portal — scan to view" leads to a fake login page built to harvest accounts-payable credentials for a later attack.

✉️
Vendor banking "update" via QR

"We've changed banks — scan to see our new account" is designed to bypass the phone verification a solid AP process normally requires for banking changes.

📬
Physical mailed invoice with a QR code

A printed invoice or notice arrives by mail with a QR code for "faster payment," exploiting the trust a physical document carries that a suspicious email wouldn't.

🖨️
Sticker over a real payment code

If your business displays a QR code for customer or vendor self-service payment — at a counter or on a table tent — a physical sticker swap can silently redirect it.

🔗
QR masking a typosquat domain

The scanned URL leads to a lookalike domain that's impossible to preview before scanning — unlike a text link, where a careful eye might catch the misspelling.

Why QR Codes Bypass Email Security

Most email security tools work by scanning the visible text of a message — checking any link against lists of known malicious domains, or flagging suspicious attachments. A QR code defeats both approaches at once: the destination is encoded inside an image, not present anywhere as text, and the scan usually happens on a device the email security tool never sees.

Standard email defense Why it doesn't apply to QR codes What still works
Link scanning against known bad domains There's no text URL in the message — the address only exists inside the image Treat any QR code as an unverified link and check the destination independently
Hovering to preview a link A QR code can't be hovered — the destination is invisible until it's scanned Never scan a code to complete a payment; verify the request by phone first
Company device security tools Scans typically happen on a personal phone, entirely outside corporate protection Company policy: no payment actions initiated from a personal-device QR scan
Attachment scanning Many tools scan attachments for known malware, not for images containing a QR code Compare routing numbers against your vendor file regardless of how the invoice arrived
🔍 Fraud Analyst Perspective

What makes quishing effective isn't sophistication — it's that it exploits a genuine gap between where email security operates and where the scan actually happens. An invoice with a QR code can pass every automated check a company has and still be fraudulent, because none of those checks were ever built to interpret an image. The fix isn't a better filter. It's treating "scan to pay" the same way you'd treat "click here to pay" — with the same suspicion, verified the same way.

6 QR Code Invoice Fraud Patterns

These are the specific ways QR codes are being used against accounts payable processes. Each defeats a different part of a standard invoice review.

1
QR code replacing bank details on an invoice
Critical

An otherwise normal-looking invoice arrives with no routing or account number printed anywhere — just a QR code labeled "scan to pay." Without a visible bank detail, there's nothing in the text for AP staff or automated tools to compare against the vendor file.

What's missing
No account number, no routing number, no bank name anywhere in the document — everything payment-related lives only inside the code.
Defense → Treat any invoice with no visible bank details as incomplete. Request the banking information in writing and verify it by phone against your vendor file before paying.
2
"Banking update" QR code impersonating a real vendor
Critical

An email claiming to be from a known vendor states they've switched banks and includes a QR code to "view the new account details." This is designed specifically to route around the callback verification a well-run AP process would normally require for a banking change.

Why it's dangerous
Banking-change requests are already the highest-risk category of invoice fraud — a QR code adds a layer that hides the new account details from any text-based review.
Defense → Never accept a banking change from a QR code, email, or the invoice itself. Call the vendor at a number already in your records — not one supplied by the request — before changing anything.
3
QR-linked fake AP portal login
Critical

An email designed to look like a vendor payment portal or e-signature request includes a QR code: "Scan to view your invoice." The code opens a convincing fake login page that harvests the AP employee's credentials — not to steal money immediately, but to gain access for a larger attack later.

The real goal
Credential theft, not immediate payment redirection — the payoff often comes weeks later through a compromised account.
Defense → Access vendor portals by typing in a known, saved URL — never through a scanned code. If a login page opens from a QR scan, close it without entering anything.
4
Physical mailed invoice with a QR code
High

A printed invoice or past-due notice arrives by mail — a channel that already carries more built-in trust than email — with a QR code for "faster payment." The physical format itself is part of the social engineering; people are less trained to be suspicious of paper.

Why paper adds trust
Employees are trained to scrutinize suspicious emails far more than a letter that arrived through the mail with a company logo on it.
Defense → Apply the same verification standard to mailed invoices as emailed ones. A QR code on paper is no more trustworthy than one in an inbox.
5
QR code hidden inside a PDF to evade filters
High

Rather than putting the QR code directly in the email body, the code sits inside a PDF attachment styled to look like an invoice, HR memo, or signature request. Security researchers have tracked this specific shift — QR codes moving from email bodies into PDF attachments — as a deliberate evasion tactic, since most email filters weren't built to inspect images inside attachments.

Documented scale
Barracuda researchers detected over 500,000 phishing emails using QR codes embedded in PDF attachments in a single three-month period.
Defense → Be equally cautious of QR codes inside PDF attachments as codes in the email body. "Invoice attached, scan to review" is a common lure phrase — treat it as a prompt to verify, not to scan.
6
Sticker swap over a legitimate payment code
Medium

Less common for B2B invoicing, but relevant to any business that displays its own QR code for customer or vendor self-service payment — at a register, on a table tent, or on a printed flyer. A physical sticker placed over the real code silently redirects the payment while looking identical.

Where the FBI has documented this
The FBI's IC3 has specifically warned about cybercriminals tampering with printed QR codes used for legitimate payment purposes to redirect funds.
Defense → Physically inspect any QR code your business displays for payment on a regular basis, and check for signs of a sticker or overlay before trusting it.
Received an invoice with a "scan to pay" QR code? Check the vendor and routing details through PaySentinel before acting on it.
Check it now →

What Still Works: Defenses Against QR Code Invoice Fraud

The same logic that defeats other forms of social engineering applies here: defenses that don't depend on recognizing fraudulent content, but on a process the attacker can't route around.

The one thing a QR code can't fake

A phone number you already have, not one the invoice gives you.

A fraudulent QR code can point anywhere. It cannot change what number is already sitting in your vendor file. Calling that number — never one supplied by the invoice, the email, or the code itself — remains the simplest defense that quishing has no way around.

What a fraud check catches that a glance won't

Signal How PaySentinel checks it Type
Routing/account mismatchA changed bank detail hidden behind a QR code Compared against your vendor's known banking history and public routing number records Mechanical
Linked destinationThe URL a QR code or payment link actually points to Checked against known vendor domains and typosquat patterns Mechanical
Urgency & "scan to update" languageWording built to rush a decision Flagged against invoice-fraud language patterns drawn from real fraud investigations AI-assisted
Vendor memoryWhether this banking detail matches what you've seen before Compared against previously submitted details for this vendor across your history Mechanical

What the Data Shows

QR code phishing doesn't yet have the kind of single, named corporate case studies that business email compromise has produced — the FBI and security researchers report it primarily as aggregate trend data. That data shows a tactic scaling quickly.

146%
Q1 2026
Quarterly surge in QR phishing volume
QR code phishing volume climbed from roughly 7.6 million recorded attacks in January 2026 to 18.7 million in March — a 146% increase in a single quarter, according to threat intelligence data reported in June 2026. The growth reflects how quickly attackers have adopted the tactic once its effectiveness against text-based filters became apparent.
500K+
3-month window
QR codes moving into PDF attachments
Barracuda's threat intelligence team detected more than half a million phishing emails with QR codes embedded specifically inside PDF attachments over a three-month analysis window — most disguised as invoices, internal memos, or e-signature requests. Researchers characterized this as a deliberate shift away from putting QR codes directly in email bodies, since attachment content is inspected less thoroughly by most filters.
Federal
Warnings
FBI and IRS have both issued formal advisories
The FBI's Internet Crime Complaint Center issued a public service announcement in January 2022 specifically warning that cybercriminals were tampering with QR codes to redirect payments and steal financial information — one of the earliest formal federal warnings on the tactic. By 2026, the IRS had added QR code scams to its annual "Dirty Dozen" list of tax fraud tactics, citing their use in fake verification and refund-claim schemes targeting businesses and individuals alike.

Frequently Asked Questions

What is QR code invoice fraud?

QR code invoice fraud, also called quishing, is when scammers embed a QR code in an invoice, payment notice, or banking-update email instead of a plain-text bank detail or clickable link. Scanning the code leads to a fraudulent payment portal or a fake login page designed to steal credentials or redirect a payment to an attacker-controlled account.

How does a QR code bypass email security filters?

Most email security tools scan the visible text of a message for known malicious links or domains. A QR code is an image — the destination URL is encoded inside the graphic, not present as text — so link-scanning filters have nothing to check. The scan itself typically happens on a personal mobile phone, which is often outside the company's network and security tools entirely.

Barracuda's threat intelligence team specifically documented attackers shifting QR codes into PDF attachments for this reason, detecting over half a million such emails in a three-month period. Barracuda Threat Spotlight →

Are QR codes on invoices always fraudulent?

No. QR codes have legitimate business uses. But a QR code that replaces a bank detail, or that asks you to "scan to pay" or "scan to update your account," should be treated with the same caution as an unfamiliar link — verify the destination and the request through an independent channel before acting, regardless of how official the invoice looks.

What should I do if I already scanned a suspicious QR code?

Do not enter any login credentials or payment information on the page it opened. If you did enter information, change the affected passwords immediately and contact your bank if any financial or banking credentials were involved.

Report the incident to your IT or security team, and if a payment was made, contact your bank right away to request a reversal and file a report with the FBI's Internet Crime Complaint Center. FBI IC3 QR code advisory →

How can a small business protect its AP process from quishing?

Require that any banking detail change or payment request delivered via QR code be verified by calling the vendor at a number already on file — never a number or link supplied by the invoice itself. Compare routing and account numbers against your vendor records regardless of how the invoice arrived, and treat "scan to pay" or "scan to update" language as a prompt for extra scrutiny, not convenience.

From the guide to the tool

A QR code hides the destination until it's scanned — but it doesn't hide the routing number, the vendor history, or the domain once PaySentinel extracts and checks them. It's a structured second opinion on the signals a QR code is specifically designed to keep you from seeing before you pay.

Check a suspicious invoice before you pay it

Paste in the vendor, routing number, or a suspicious link — PaySentinel checks for the signals quishing is built to hide and returns a risk score in under a minute. Free to start.

Run a free analysis →