QR Codes and Calendar Invites
At a train station car park in Thornaby, UK, fraudsters overlaid the legitimate QR payment codes with their own stickers. One woman scanned what she thought was a parking payment code. Within hours, attackers had opened fraudulent loans and credit card applications in her name totaling GBP 13,000, including a GBP 7,500 loan. The QR code had led to a site that captured enough personal and financial data to steal her identity.
The attack didn’t require any technical sophistication. It required a sticker and a printer.
QR code phishing (quishing)
QR codes have become one of the fastest-growing phishing vectors because they exploit a fundamental problem: you can’t see where they lead before you scan them. With a regular link, you can at least look at it. A QR code is a black box.
The numbers
QR code payloads in phishing emails went from 0.8% in 2021 to 12.4% in 2023 — a more than 15-fold increase. Malicious QR codes rose another 25% in 2025. Mimecast detected over 1.7 million unique malicious QR codes in a six-month period, embedded across 2.7 million emails daily.
C-suite executives are 42 times more likely to be targeted by quishing than regular employees, according to Abnormal AI’s 2024 data. The average loss per QR phishing victim: $1,225.
Physical QR code attacks
The Thornaby Station case isn’t isolated. Fake QR stickers have appeared on parking meters across the United States:
- Austin, Texas: 29 compromised parking stations
- Redondo Beach, California: 150 meters with fraudulent QR stickers
- Fort Lauderdale, Florida: 7 locations affected
- Houston, Texas: Multiple locations
The fake stickers direct users to lookalike payment domains — poybyphone.com instead of paybyphone.com, for example. On a phone screen, in a parking lot, rushing to feed the meter before a meeting — most people wouldn’t catch the difference.
QR codes in emails
In mid-2024, researchers detected 500,000 phishing emails with QR codes embedded inside PDF attachments. The QR code bypasses every layer of email security, for reasons that are worth understanding.
Why QR codes bypass security — the technical explanation
- No embedded URL to scan. The malicious URL is encoded within the image, not written as a clickable hyperlink. Email security tools that scan links in the email body find nothing to flag.
- Minimal text content. QR phishing emails are often just an image and a brief instruction (“Scan to verify your account”). Less text means fewer signals for language-based analysis.
- Image-based payload. Legacy email security analyzes text and URLs, not the contents of images. Decoding QR codes from image attachments requires specialized processing that many systems don’t perform.
- Device shift. This is the most important one. Scanning a QR code moves the attack from your managed corporate laptop — which has web filters, endpoint protection, and security monitoring — to your unmanaged personal phone, which typically has none of these protections. The QR code effectively teleports you outside your company’s security perimeter.
How to protect yourself from QR phishing
- Read the URL preview. When you scan a QR code, your phone previews the URL before opening it. Apply the skills from Module 1 — check the domain before you tap.
- In email: ask why it’s a QR code. Why would a legitimate sender embed a QR code instead of a regular link? The most common answer: to bypass your email security. That should tell you everything.
- On physical items: verify through official channels. A “$500 wellness stipend” poster that nobody announced is suspicious. A parking meter QR code that looks like a sticker placed over another sticker is suspicious.
- Watch for sticker-over-sticker. Physical QR code attacks work by placing a fraudulent sticker over a legitimate one. If a QR code looks like it’s been stuck on top of something else, don’t scan it.
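The “check the domain before you tap” step above, and the gateway-side gap of decoding QR images that the technical explanation describes, can both be turned into a simple check on the decoded payload. The Python below is an added example, not part of this module: it assumes the QR image has already been decoded to a string by some decoder, uses a constructed list of known payment domains, and flags near-miss lookalikes such as poybyphone.com by edit distance.

```python
from urllib.parse import urlparse

# Domains a parking-payment QR code is expected to point at.
# Constructed list for this example; a real deployment maintains its own.
KNOWN_DOMAINS = {"paybyphone.com", "parkmobile.io", "microsoft.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Lower-cased hostname of the URL with a leading 'www.' removed ('' if no host)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def assess_qr_url(url: str, known=KNOWN_DOMAINS, max_edits: int = 2) -> dict:
    """Classify a decoded QR payload as known, lookalike, unknown or not-a-url.

    A domain within max_edits of a known brand, but not equal to it or a
    subdomain of it, is reported as a lookalike (poybyphone.com: one substitution).
    """
    domain = registrable_domain(url)
    if not domain:  # e.g. a WIFI: or plain-text payload, nothing to resolve
        return {"url": url, "domain": "", "verdict": "not-a-url"}
    if any(domain == k or domain.endswith("." + k) for k in known):
        return {"url": url, "domain": domain, "verdict": "known"}
    for k in known:
        edits = levenshtein(domain, k)
        if 0 < edits <= max_edits:
            return {"url": url, "domain": domain, "verdict": "lookalike",
                    "imitates": k, "edits": edits}
    return {"url": url, "domain": domain, "verdict": "unknown"}


# Constructed sample payloads, as a decoder would return them from scanned images.
SAMPLE_PAYLOADS = [
    "https://paybyphone.com/pay?lot=123",   # genuine
    "https://poybyphone.com/pay?lot=123",   # sticker-over-sticker lookalike
    "https://paybyphone.co/pay",            # dropped character
    "https://bit.ly/abc",                   # shortener: unknown, needs a human look
    "WIFI:T:WPA;S:guest;;",                 # not a URL at all
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(assess_qr_url(payload))
```

An “unknown” verdict is not a clean bill of health: a shortener or a freshly registered domain scores as unknown, which is exactly the case the URL preview on your phone should make you stop and read.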
Calendar invites
Calendar phishing exploits a quirk of how email clients work: many apps — especially Outlook — automatically add meeting invites to your calendar before you accept them. The invite just appears. And once it’s on your calendar, your brain treats it differently than it would treat a random email.
Why calendar invites work as an attack vector
- Calendar events feel “official.” A meeting on your calendar feels like a commitment. It’s not junk mail — it’s a scheduled event.
- They create obligation. “I should prepare for this meeting” triggers a sense of responsibility. You feel compelled to click the agenda link or review the pre-meeting documents.
- Malicious links hide in descriptions. The event description can contain links to fake login pages, malware downloads, or credential-harvesting forms — and they’re less scrutinized than email links.
- Declining feels rude. Even if you don’t recognize the meeting, there’s social pressure to at least look at the materials before declining. That moment of curiosity is what the attacker exploits.
What to watch for
- Calendar invites from people you don’t know or companies you don’t work with
- “Required pre-meeting documents” hosted on unfamiliar websites
- Invites that appeared on your calendar without you ever accepting them
- Any invite that asks you to enter credentials to access meeting materials
How to handle unexpected invites
If you don’t recognize the organizer or the meeting, decline and delete. Don’t click links in the event description first. If you think it might be legitimate, check with your team: “Does anyone know about a meeting with [company name]?”
If an invite asks you to enter your username and password to access “pre-meeting materials,” that’s a phishing attempt. No legitimate meeting requires you to authenticate through a link in a calendar invite.
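The same “who is the organizer, and where do the links in the description go?” questions can be asked of the invite file itself before a client auto-adds it. The Python below is an added example, not part of this module: it parses a constructed .ics invite (including an RFC 5545 folded DESCRIPTION line), compares the organizer’s domain and every link in the description against a constructed list of organisations the user actually works with, and reports why the invite looks suspicious.

```python
import re
from urllib.parse import urlparse

# Organisations this user actually works with. Constructed list for this example.
TRUSTED_DOMAINS = {"example-corp.com", "partner.example"}
URL_RE = re.compile(r'https?://[^\s<>"\\]+')


def unfold_ics(text: str) -> list[str]:
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    out: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_vevent(ics: str) -> dict:
    """Return the properties of the first VEVENT, with parameters (CN=...) stripped."""
    props, inside = {}, False
    for line in unfold_ics(ics):
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props


def assess_invite(ics: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Flag an invite whose organizer is unknown or whose description links off-domain."""
    props = parse_vevent(ics)
    organizer = props.get("ORGANIZER", "").lower().removeprefix("mailto:").rsplit("@", 1)[-1]
    links = URL_RE.findall(props.get("DESCRIPTION", ""))
    offsite = [u for u in links if (urlparse(u).hostname or "").lower() not in trusted]
    reasons = []
    if organizer not in trusted:
        reasons.append(f"organizer domain {organizer!r} is not a known contact")
    if offsite:
        reasons.append(f"{len(offsite)} link(s) to unfamiliar hosts in the description")
    return {"organizer": organizer, "links": links, "suspicious": bool(reasons), "reasons": reasons}


# Constructed invite: unknown organizer and a folded DESCRIPTION carrying a
# "pre-meeting documents" link to an unfamiliar host behind a login page.
SAMPLE_INVITE = """BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-invite-1
ORGANIZER;CN=Vendor Onboarding:mailto:meetings@vendor-portal.example.net
SUMMARY:Q3 Vendor Review
DESCRIPTION:Please review the required pre-meeting documents before the call:
  https://docs.vendor-portal.example.net/login?doc=q3
END:VEVENT
END:VCALENDAR"""

if __name__ == "__main__":
    print(assess_invite(SAMPLE_INVITE))
```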
The Rule: If you can't see where it goes before you scan it, verify before you trust it.