
QR Code Phishing on Business Invoices: A 2026 Defense Plan
QR code phishing is showing up on invoices because it slips past filters and hits the one weak spot every business has: someone in Accounts Payable trying to get things paid fast. Here’s a practical 2026 plan for Palm Beach County businesses to verify vendor payment changes, lock down email and phones, and train staff to spot quishing before logins or money walk out the door.
TL;DR: QR code phishing (also called quishing) is showing up on invoices because it slides right past a lot of email filters and lands on a phone, where people click first and think later. If you want to stop invoice fraud in 2026, you need boring controls: verify vendor payment changes, lock down email and mobile devices, use phishing-resistant MFA, and train Accounts Payable to treat QR codes like strange USB drives. Simple. Not glamorous. Works.
I see this exact problem three times a week. Somebody in Accounts Payable gets an invoice with a QR code that says “Pay here” or “View remittance details.” They scan it, the phone opens a page that looks legit enough, and then one of two things happens:
- They type in Microsoft 365 credentials and hand them to criminals (hello, business email compromise).
- They “confirm” bank details and reroute an ACH or wire (hello, invoice fraud).
Back in my day, scams came by fax or a phone call from “Windows Support” with a thick accent and a thin script. Now it’s a little square barcode that people trust like it came down from the mountain with the Ten Commandments. It didn’t.
This plan is written for Palm Beach County businesses, especially around West Palm Beach, Palm Beach Gardens, Lake Worth, Boynton Beach, and Wellington. If your company pays vendors, you’re a target. If you pay vendors quickly, you’re a bigger target.
Why QR Code Phishing (Quishing) Works on Invoices
Quishing prevention starts with understanding the trick. A QR code is just a shortcut to a link. And links are where bad decisions go to breed.
It bypasses the “usual” email defenses
Email security tools are pretty good at spotting obvious malicious links in messages. But when the link is hidden inside a QR code image, some tools do not treat it the same way. The user scans the code with a phone, and now the whole interaction happens outside your desktop browser protections and sometimes outside your corporate monitoring.
It exploits speed and routine in Accounts Payable
Accounts Payable is built for throughput. Invoices come in, you match them, you pay them, you move on. Criminals love routines. They do not need to hack the building when they can hack the habit.
It plays nice with vendor impersonation and BEC
Once an attacker steals a mailbox session or convinces someone to “verify” a payment portal, they can pull classic business email compromise tricks: forwarding rules, fake reply chains, and last-minute “updated banking details.” Same old con, new wrapper.
If you want some bedtime reading (or a reason to stop scanning random squares), here’s Malwarebytes’ overview of QR code phishing (quishing). It’s not science fiction. It’s Tuesday.
QR Code Phishing Red Flags on Business Invoices
Look, I’m not going to sugarcoat this: if your staff treats invoices like junk mail they can pay from their phone while standing in line for coffee, you’re going to have a bad time.
Invoice red flags that scream “quishing”
- Payment-only QR codes with no alternative method (no mailing address, no portal you already use).
- Language like “urgent,” “final notice,” or “avoid service interruption” when the vendor has never talked like that.
- Bank detail changes bundled with a QR code: “Scan to confirm new ACH info.”
- QR code goes to a short link or weird domain that doesn’t match the vendor’s real site.
- Invoice email comes from a lookalike domain (one letter off, extra hyphen, different TLD).
Behavior red flags (yes, I’m talking about you)
- Scanning QR codes on personal phones for company payments.
- Approving payment changes based on email alone.
- Using the phone number listed on the suspicious invoice to “verify” it. That’s like asking a stranger if their fake ID looks real.
Accounts Payable Security: Vendor Payment Verification That Actually Works
Here’s what NOT to do: do not accept vendor banking changes from email, QR codes, or “new portal links” without a verification step that the attacker cannot control.
Set a vendor payment change policy (and enforce it)
If you don’t have a written policy, you don’t have a policy. You have vibes.
- Call-back verification: Verify any ACH/wire change using a known-good phone number from your vendor master record, contract, or prior statements. Not the invoice. Not the email signature.
- Two-person rule: One person receives and enters changes, another person approves. Yes, it slows things down. That’s the point.
- Hold period: For new bank details, delay the first payment if possible, or require extra verification for the first transaction.
- Log everything: Who requested the change, who verified, what number was called, and when it was approved.
Use out-of-band verification for high-dollar payments
For large wires or new vendors, do a second channel confirmation: a phone call plus a separate confirmation through a known vendor portal you already use. If your team says “that’s too much work,” ask them how much work it is to explain a missing $48,000 wire to the owner.
Lock down vendor master data
Your accounting system is not a suggestion box. Restrict who can edit vendor banking fields. Review permissions quarterly. And if everyone in the department has admin rights, congratulations, you’ve invented the world’s easiest fraud machine.
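To make the policy above concrete, here is a small workflow that refuses a bank-detail change unless every control in this section holds: only authorized editors touch banking fields, the call-back goes to the number in the vendor master record (never the one on the invoice), the approver is a different person from the requester, the change is logged, and payments are held or escalated afterwards. This is an added example written for this article, not Fix My PC Store’s code or any accounting product’s API; the names, phone numbers, the $10,000 high-dollar threshold and the 5-day hold are constructed values to be replaced by your own policy.

```python
"""Vendor bank-change workflow that enforces the controls in this section.

Added example, not Fix My PC Store's code. Names, phone numbers, the
$10,000 high-dollar threshold and the 5-day hold are constructed values;
set your own in policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

HIGH_DOLLAR_THRESHOLD = 10_000.00   # assumed; second-channel confirmation at or above this
HOLD_DAYS = 5                       # assumed hold before the first payment to a new account
AUTHORIZED_EDITORS = {"maria.ap", "dave.controller"}  # the only people who may touch banking fields


@dataclass
class Vendor:
    name: str
    known_good_phone: str            # from contract / vendor master, never from the invoice
    portal: str                      # the vendor portal you already use (second channel)
    bank_account: str
    account_changed_on: Optional[date] = None


@dataclass
class ChangeRequest:
    vendor: Vendor
    new_account: str
    requested_by: str
    phone_on_invoice: str            # the number the invoice tells you to call; not trusted


@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)


def apply_bank_change(req, number_called, approved_by, log, today=None):
    """Apply an ACH/wire detail change only if every control holds; returns True.

    Raises PermissionError or ValueError naming the control that failed.
    """
    today = today or date.today()
    if req.requested_by not in AUTHORIZED_EDITORS:
        raise PermissionError(f"{req.requested_by} may not edit vendor banking fields")
    if approved_by not in AUTHORIZED_EDITORS:
        raise PermissionError(f"{approved_by} may not approve vendor banking changes")
    # Two-person rule: whoever enters the change cannot also approve it.
    if approved_by == req.requested_by:
        raise ValueError("requester and approver must be different people")
    # Call-back verification must use the master-record number, not the invoice's.
    if number_called != req.vendor.known_good_phone:
        raise ValueError("call-back did not use the phone number from the vendor master record")
    req.vendor.bank_account = req.new_account
    req.vendor.account_changed_on = today
    log.entries.append(
        f"{today.isoformat()} {req.vendor.name}: new account ...{req.new_account[-4:]} "
        f"requested={req.requested_by} called={number_called} approved={approved_by}"
    )
    return True


def payment_blockers(vendor, amount, today, portal_confirmed=False):
    """Return the reasons a payment must wait; an empty list means release it."""
    reasons = []
    changed = vendor.account_changed_on
    if changed and today < changed + timedelta(days=HOLD_DAYS):
        reasons.append(f"inside {HOLD_DAYS}-day hold after bank change on {changed}")
    if amount >= HIGH_DOLLAR_THRESHOLD and not portal_confirmed:
        reasons.append(f"{amount:,.2f} needs second-channel confirmation via {vendor.portal}")
    return reasons


def demo():
    """Walk one change request through the controls; returns the outcomes for checking."""
    vendor = Vendor("Constructed Landscaping LLC", "555-0100",
                    "portal.constructed-landscaping.example", "000111")
    req = ChangeRequest(vendor, "999222", "maria.ap", "555-0199")
    log = AuditLog()
    day = date(2026, 1, 12)
    results = {}
    try:   # 1. AP calls the number printed on the invoice -> rejected
        apply_bank_change(req, req.phone_on_invoice, "dave.controller", log, day)
    except ValueError as e:
        results["invoice_number"] = str(e)
    try:   # 2. requester approves their own change -> rejected
        apply_bank_change(req, vendor.known_good_phone, "maria.ap", log, day)
    except ValueError as e:
        results["self_approval"] = str(e)
    # 3. master-record call-back plus a second approver -> applied and logged
    results["applied"] = apply_bank_change(req, vendor.known_good_phone, "dave.controller", log, day)
    results["log_entries"] = len(log.entries)
    results["day1"] = payment_blockers(vendor, 48_000, day)   # hold + high-dollar block it
    results["day6"] = payment_blockers(vendor, 48_000, day + timedelta(days=6), portal_confirmed=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of raising an exception rather than returning False is that the change cannot be half-applied: either every control passed and the log entry exists, or nothing in the vendor record moved. Swap the constants for your own threshold and hold period.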
Email Security Controls That Reduce Invoice Fraud and BEC
QR codes are a delivery method. The bigger disease is still email compromise and spoofing. If criminals can get into a mailbox, they can watch invoices, learn your cadence, and strike when it hurts most.
Baseline controls you should already have in 2026
- MFA everywhere for email and accounting systems. Not “later.” Now.
- Conditional access where possible: block sign-ins from countries you do not do business with, require compliant devices, and flag risky logins.
- Disable legacy authentication if your environment still allows it.
- DMARC, SPF, DKIM configured properly to reduce spoofing. Not perfect, but better than crossing your fingers.
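“Configured properly” is where most SPF/DMARC setups fall down, so here is a checker that grades the TXT records for the weak settings that still let a spoofed invoice through. This is an added example written for this article, not the store’s code or a vendor tool. Both sample record sets are constructed, the DNS-lookup count is approximate (RFC 7208 caps lookup mechanisms at 10), and DKIM is left out because a selector’s key cannot be judged without the live DNS answer.

```python
"""Grade SPF and DMARC records for the weak settings that let invoice
spoofing through. Added example, not the store's code; both sample record
sets are constructed, and the lookup count is approximate (RFC 7208 caps
DNS-querying mechanisms at 10). DKIM is not graded here because a selector's
key cannot be judged without the live DNS answer.
"""
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    """'include:spf.example.com' -> 'include'; '-all' -> 'all'; 'redirect=x' -> 'redirect'."""
    return term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()


def grade_spf(apex_txt_records):
    """Findings for the TXT records at the domain apex (empty list = no weaknesses)."""
    spf = [r for r in apex_txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any server can claim to send as this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("more than one SPF record: receivers return permerror and ignore SPF")
    terms = spf[0].split()[1:]                       # drop the v=spf1 version tag
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("+all: every sender passes, the record protects nothing")
    elif all_term == "?all":
        findings.append("?all: neutral result, no protection against spoofing")
    elif all_term == "~all":
        findings.append("~all: softfail only; relies on DMARC enforcement to mean anything")
    if sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS) > 10:
        findings.append("more than 10 DNS-lookup mechanisms: permerror, SPF effectively off")
    return findings


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(dmarc_txt):
    """Findings for the TXT record at _dmarc.<domain>; pass None if it does not exist."""
    if dmarc_txt is None:
        return ["no DMARC record: SPF/DKIM failures are never acted on"]
    tags = parse_tags(dmarc_txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not begin with v=DMARC1: receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitor only, spoofed invoices are still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    elif policy != "reject":
        findings.append("p= missing or invalid: record is not enforceable")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so you never see who is spoofing you")
    return findings


def grade_domain(apex_txt_records, dmarc_txt):
    return {"spf": grade_spf(apex_txt_records), "dmarc": grade_dmarc(dmarc_txt)}


# Constructed examples: the first is what we often find, the second is the target state.
WEAK_APEX_TXT = ["v=spf1 include:spf.protection.outlook.com ?all", "MS=ms12345678"]
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_APEX_TXT = ["v=spf1 include:spf.protection.outlook.com -all"]
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print("weak  :", grade_domain(WEAK_APEX_TXT, WEAK_DMARC))
    print("strong:", grade_domain(STRONG_APEX_TXT, STRONG_DMARC))
```

Feed it the TXT strings you pull from your own DNS (the apex records and the one at `_dmarc.yourdomain`). A clean result is an SPF record ending in `-all` and a DMARC record at `p=reject` with reporting turned on; anything the grader prints is a gap a spoofer can use.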
Microsoft has a solid plain-English page on phishing basics here: Microsoft guidance on protecting yourself from phishing. Read it, then make your team read it, then remind them that “I was busy” is not a security strategy.
Phishing-resistant MFA (because codes get phished)
SMS codes and push approvals are better than nothing, but they still get abused with prompt bombing and social engineering. For key roles (Accounts Payable, executives, anyone who can move money), use phishing-resistant methods like FIDO2 security keys or certificate-based authentication where your setup supports it. Boring but works.
Secure QR Scanning on Mobile Devices (Without Pretending People Won’t Use Phones)
Back in my day, we worried about kids downloading ringtones to a Motorola Razr. Now we worry about someone scanning a QR code that drains the bank account. Progress.
Rules for secure QR scanning
- Do not scan QR codes from invoices to log into Microsoft 365 or any account. Ever. If the QR code claims it’s for login, it’s almost certainly a trap.
- Preview the URL before opening. Most phone camera scanners show the link. If it’s a weird domain, short link, or misspelling, stop.
- Open links in a managed browser on company devices when possible, with safe browsing protections enabled.
- Never enter credentials after scanning a QR code unless you manually navigated to a known-good site first.
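The invoice red flags earlier (short links, wrong or one-letter-off domains, lookalike TLDs) and the “preview the URL before opening” rule above come down to one comparison: does the URL the phone shows actually belong to the vendor in your master record? Here is that comparison in code, as an added example for this article and not the store’s code. The vendor domain, the sample URLs and the shortener list are constructed, and the registrable-domain extraction is a deliberate simplification (production code should use the Public Suffix List, for instance via the tldextract package).

```python
"""Check the URL a phone previews from an invoice QR code against the vendor's
domain of record. Added example for the red-flag and scanning lists above, not
the store's code. The vendor domain, sample URLs and shortener list are
constructed; registrable-domain extraction is simplified (production code
should use the Public Suffix List, e.g. via tldextract).
"""
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy", "cutt.ly"}   # illustrative
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.br"}                   # tiny stand-in for the PSL
LOGIN_WORDS = ("login", "signin", "sign-in", "verify", "password", "sso")

EXPLAIN = {
    "NOT_HTTPS": "link is not HTTPS",
    "SHORT_LINK": "short link hides the real destination",
    "LOGIN_PROMPT": "a scanned invoice code should never lead to a login or 'verify' page",
    "SUBDOMAIN_TRICK": "vendor's name is only a subdomain of some other domain",
    "TLD_SWAP": "same name as the vendor, different TLD",
    "HYPHEN_VARIANT": "vendor's name with a hyphen added or removed",
    "LOOKALIKE": "one character off or a look-alike spelling of the vendor's name",
    "UNKNOWN_DOMAIN": "domain does not match the vendor master record at all",
}


def registrable_domain(host):
    """'pay.vendor.example' -> 'vendor.example'; handles a few two-level suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; 1 means a single added, dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold(label):
    """Collapse the classic look-alike substitutions before comparing."""
    return label.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")


def check_qr_url(url, vendor_domain):
    """Return red-flag codes for a previewed URL; an empty list means it matches the vendor."""
    if "://" not in url:                 # phones open a bare host over plain HTTP
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["UNKNOWN_DOMAIN"]
    flags = []
    if parsed.scheme != "https":
        flags.append("NOT_HTTPS")
    if host in SHORTENERS or registrable_domain(host) in SHORTENERS:
        flags.append("SHORT_LINK")
    if any(w in (parsed.path + "?" + parsed.query).lower() for w in LOGIN_WORDS):
        flags.append("LOGIN_PROMPT")

    vendor = vendor_domain.lower()
    actual = registrable_domain(host)
    if actual != vendor:                 # legit subdomains of the vendor never reach this branch
        v_label, a_label = vendor.split(".")[0], actual.split(".")[0]
        if vendor in host:
            flags.append("SUBDOMAIN_TRICK")
        elif a_label == v_label:
            flags.append("TLD_SWAP")
        elif a_label.replace("-", "") == v_label.replace("-", ""):
            flags.append("HYPHEN_VARIANT")
        elif _fold(a_label) == _fold(v_label) or levenshtein(a_label, v_label) <= 1:
            flags.append("LOOKALIKE")
        elif "SHORT_LINK" not in flags:  # the shortener finding already says it
            flags.append("UNKNOWN_DOMAIN")
    return flags


VENDOR_OF_RECORD = "palmcoast-lawn.example"      # constructed vendor master entry
SAMPLE_URLS = [                                  # constructed previews from invoice QR codes
    "https://pay.palmcoast-lawn.example/invoices/4471",
    "https://palmcoast-lawn.example/portal/login",
    "https://bit.ly/constructed1",
    "http://palmcoast-lawn.test/pay",
    "https://palmcoastlawn.example/pay",
    "https://palmcoast-lavvn.example/pay",
    "https://palmcoast-lawn.example.invoice-review.test/verify",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        codes = check_qr_url(u, VENDOR_OF_RECORD)
        print(u, "->", "; ".join(EXPLAIN[c] for c in codes) or "matches vendor of record")
```

Note that a legitimate sub-site such as `pay.palmcoast-lawn.example` passes, while the vendor’s name glued onto somebody else’s domain does not: the comparison is on the registrable domain, not on whether the vendor’s name appears somewhere in the link. Even on the right domain, a path that asks for a login gets flagged, which is the “never log in from a scanned code” rule.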
Mobile device protections that matter
- Use MDM (mobile device management) for company phones: enforce screen lock, OS updates, and app controls.
- Separate work accounts from personal apps where possible.
- Keep Windows 10 and Windows 11 PCs updated, and keep Android/iOS devices updated too. Old software is where attackers go bargain shopping.
If you need help tightening this up in a real office (not a fantasy policy document), that’s exactly what our cybersecurity services for Palm Beach County businesses are for.
Phishing Awareness Training for Quishing Prevention (Without the Corporate Nonsense)
Most training fails because it’s either too vague (“be careful”) or too theatrical (“you are a cyber warrior”). You’re not a cyber warrior. You’re trying to pay a landscaping invoice and get back to your life.
What to teach AP staff and front office teams
- QR codes are links. Treat them like links.
- Payment changes require verification. No exceptions for “rush.”
- Stop and escalate when something is off: new bank, new portal, new tone, new urgency.
- Report fast. Early reporting can prevent a second victim and sometimes helps recover funds.
Run simple drills
Once a quarter, do a short drill: show 5 invoice examples (2 legit, 3 fake) and have staff explain what they would do. No shaming. Just practice. People don’t rise to the occasion, they fall to their training. Same as parallel parking.
Incident Response: What to Do If Someone Scanned the QR Code
Here’s what actually happens when you ignore this: the attacker logs in, sets a forwarding rule, and waits. Or they try to move money quickly. Time matters.
If credentials were entered
- Reset the password immediately and revoke active sessions.
- Check mailbox rules, forwarding, and delegated access.
- Review sign-in logs for unusual locations and devices.
- Run endpoint scans on the PC used for email and any device involved. If you need a cleanup, start with professional virus removal and malware cleanup.
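The mailbox-rule and sign-in checks above are where the attacker’s footprints usually are, so here is the triage logic spelled out: flag inbox rules that forward outside the company, delete mail, or shovel anything about invoices and wires into a folder nobody reads; flag mailbox-level forwarding; and flag sign-ins from unexpected countries, unknown devices or legacy protocols. This is an added example written for this article, not the store’s code or Microsoft’s tooling; the record layouts are simplified (these are not the field names of any real export) and every sample record, user, country code and device id is constructed.

```python
"""Post-scan triage for the checklist above: spot attacker persistence in
inbox rules and mailbox forwarding, and unusual sign-ins.

Added example, not the store's code. Record layouts are simplified (these
are not Microsoft's export field names) and every sample record, user,
country code and device id is constructed.
"""
COMPANY_DOMAIN = "example-ap-firm.test"                      # constructed
EXPECTED_COUNTRIES = {"US"}                                  # where your people actually sign in from
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}  # folders nobody reads
MONEY_WORDS = {"invoice", "payment", "wire", "ach", "remittance", "bank", "account"}
LEGACY_CLIENTS = {"imap4", "pop3", "authenticated smtp", "other clients"}


def _external(address):
    """True for 'smtp:someone@elsewhere.test' or 'someone@elsewhere.test' outside our domain."""
    addr = address.split(":", 1)[-1].lower()
    return "@" in addr and addr.rsplit("@", 1)[1] != COMPANY_DOMAIN


def triage_inbox_rule(rule):
    """Reasons a rule looks like BEC persistence; an empty list means it looks normal."""
    reasons = []
    for key in ("forward_to", "redirect_to", "forward_as_attachment_to"):
        for addr in rule.get(key, []):
            if _external(addr):
                reasons.append(f"{key} sends mail outside the company to {addr}")
    if rule.get("delete_message"):
        reasons.append("deletes matching mail, hiding the attacker's replies")
    folder = (rule.get("move_to_folder") or "").lower()
    hits = {w.lower() for w in rule.get("subject_contains", [])} & MONEY_WORDS
    if folder in HIDING_FOLDERS and hits:
        reasons.append(f"moves mail mentioning {sorted(hits)} into '{folder}'")
    name = rule.get("name", "").strip()
    if len(name) <= 1:
        reasons.append(f"near-blank rule name {name!r}")
    return reasons


def triage_mailbox(mailbox):
    """Mailbox-level forwarding is set outside inbox rules, so check it separately."""
    fwd = mailbox.get("forwarding_smtp_address")
    return [f"mailbox forwards to external {fwd}"] if fwd and _external(fwd) else []


def triage_signins(signins, known_devices):
    """Return (time, user, status, reasons) for sign-ins from odd places, devices or protocols."""
    flagged = []
    for s in signins:
        reasons = []
        if s["country"] not in EXPECTED_COUNTRIES:
            reasons.append(f"country {s['country']}")
        if s["device_id"] not in known_devices.get(s["user"], set()):
            reasons.append(f"unknown device {s['device_id']}")
        if s["client"].lower() in LEGACY_CLIENTS:
            reasons.append(f"legacy protocol {s['client']}")
        if reasons:
            flagged.append((s["time"], s["user"], s["status"], reasons))
    return flagged


# Constructed sample data resembling a mailbox export after someone scanned the code.
AP_USER = "maria@" + COMPANY_DOMAIN
SAMPLE_RULES = [
    {"name": "Vendor statements", "subject_contains": ["statement"], "move_to_folder": "Vendors"},
    {"name": ".", "subject_contains": ["invoice", "wire"], "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"name": "Backup copy", "forward_to": ["ap.backup@mail-relay-free.test"], "delete_message": True},
]
SAMPLE_MAILBOX = {"user": AP_USER, "forwarding_smtp_address": "smtp:maria.ap@mail-relay-free.test"}
SAMPLE_SIGNINS = [
    {"time": "2026-01-14T08:02:11Z", "user": AP_USER, "country": "US", "device_id": "AP-LAPTOP-02", "client": "Browser", "status": "success"},
    {"time": "2026-01-14T08:41:57Z", "user": AP_USER, "country": "ZZ", "device_id": "UNREGISTERED-7f3a", "client": "Browser", "status": "success"},
    {"time": "2026-01-14T09:15:03Z", "user": AP_USER, "country": "US", "device_id": "UNREGISTERED-7f3a", "client": "IMAP4", "status": "success"},
]
KNOWN_DEVICES = {AP_USER: {"AP-LAPTOP-02"}}


def triage_all():
    """Run every check over the constructed samples and return the findings."""
    return {
        "rules": [triage_inbox_rule(r) for r in SAMPLE_RULES],
        "mailbox": triage_mailbox(SAMPLE_MAILBOX),
        "signins": triage_signins(SAMPLE_SIGNINS, KNOWN_DEVICES),
    }


if __name__ == "__main__":
    for section, findings in triage_all().items():
        print(section, findings)
```

Run it against the rules, forwarding settings and sign-in export you pull from the affected mailbox; anything it flags is what you revoke, remove and preserve as evidence before the attacker’s forwarding rule earns them a second invoice.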
If money was sent (ACH or wire)
- Contact your bank immediately and request a recall or fraud process. Do not wait for a meeting.
- Preserve the invoice email, QR code image, and any messages. Do not “clean up” evidence.
- Lock vendor master edits until you confirm what changed.
If data is lost or systems get messy
If you don’t have a backup, you don’t have data. You’re just borrowing it. Make sure you have tested backups and that you can restore them. Our managed business backups are built for exactly this kind of “oh no” moment. And if you’re already past that point, we can talk about data recovery options, but I’d rather set you up so you never need it.
Palm Beach County Cybersecurity: A Practical 2026 Checklist
Here’s your boring-but-works defense plan. Print it. Tape it near Accounts Payable. Yes, like it’s 1999 and we’re still labeling floppy disks.
Process controls (anti-fraud)
- Written vendor change policy with call-back verification
- Two-person approval for bank changes and high-dollar payments
- Vendor master permissions locked down
- Payment holds or extra verification for first payment after changes
Technical controls (anti-compromise)
- MFA for all users, phishing-resistant MFA for money-movers
- Conditional access and device compliance where possible
- Email authentication (SPF/DKIM/DMARC) and anti-phishing policies
- Managed patching for Windows 10 and Windows 11 PCs, plus mobile OS updates
People controls (anti-mistake)
- Short, role-based phishing awareness training
- Quarterly invoice fraud drills using real examples
- Clear reporting path: who to call, what to freeze, what to preserve
If you want help implementing this without buying overpriced nonsense, Fix My PC Store can assess your workflow, email setup, and device security and give you a plan that fits how your business actually runs. We serve businesses across Palm Beach County, including West Palm Beach and surrounding areas.